
How to configure different sourcetypes for udp port 514 ?

Engager

Hello,

I have configured two network devices (a Cisco router and a Fortigate firewall) to send logs to the Splunk server via UDP port 514. I can successfully see all the raw logs, but particular apps won't show any data because the sourcetype doesn't match. I can't define different sourcetypes for the same UDP port in "Data inputs". How can I overcome this issue?


Re: How to configure different sourcetypes for udp port 514 ?

SplunkTrust

You can use the following in your inputs.conf

# Host-qualified UDP stanzas: the address before the colon restricts the
# stanza to datagrams from that sender, so each device gets its own
# sourcetype while both still arrive on port 514. The addresses below are
# placeholders; substitute each device's real source IP.
[udp://123.456.789:514]
index = networking
sourcetype = cisco

[udp://123.456.890:514]
index = networking
sourcetype = fortinet



Re: How to configure different sourcetypes for udp port 514 ?

Engager

Thank you very much for the solution. Can you please specify which inputs.conf file I should edit? I saw several inputs.conf files in several folders.


Re: How to configure different sourcetypes for udp port 514 ?

SplunkTrust

When you configure the inputs from Splunk Web, the inputs.conf file will be in the folder of the app you were in before you went into the inputs section. For example, if you were in the Search & Reporting app, the current location of your inputs.conf would be

$SPLUNK_HOME/etc/apps/search/local/inputs.conf

If you are not sure where to store your file with these stanzas, you can use

$SPLUNK_HOME/etc/system/local/inputs.conf

Re: How to configure different sourcetypes for udp port 514 ?

Path Finder

According to the config spec, you cannot define more than one input for the same port:

[udp://<remote server>:<port>]
* Similar to TCP, except that it listens on a UDP port.
* Only one stanza per port number is currently supported.

However, did it work for any of you?


Re: How to configure different sourcetypes for udp port 514 ?

SplunkTrust

You are adding an IP address to limit the input selection. If you add [udp://514] to the inputs.conf file, you are saying any IP address on UDP port 514. This is really more like [udp://*:514]. When you add the IP address to the stanza, you are narrowing down the parameters. So [udp://123.456.789:514] is saying: from this IP on this port, do the following in the stanza.

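The host-qualified stanzas in the accepted answer and the objection that inputs.conf.spec allows only one stanza per port both come down to the same need: one listener on UDP 514, a different sourcetype per sending device. The following is an added example, not posted by anyone in this thread, of the other common way to get there in Splunk: keep a single port stanza and rewrite the sourcetype at index time with props.conf and transforms.conf keyed on the sender's IP. The addresses 192.0.2.10 and 192.0.2.20, the staging sourcetype name network:syslog and the transform class name route_by_sender are assumptions for illustration; cisco and fortinet are the sourcetype names used earlier in the thread and should be replaced by whatever the apps in question expect. All three files belong in the same app's local directory on the instance that parses the data (the indexer or heavy forwarder that actually receives UDP 514, not a universal forwarder).

```ini
# inputs.conf -- one listener for everything arriving on UDP 514
[udp://514]
index = networking
# Staging sourcetype (assumed name). Its props stanza does the routing below;
# anything no transform matches stays on this sourcetype, which makes a
# convenient catch-all for devices you have not mapped yet.
sourcetype = network:syslog
# Record the sender's IP as host rather than a reverse-DNS name, so the
# regexes in transforms.conf match a stable value.
connection_host = ip

# props.conf -- run the routing transforms on every network:syslog event.
# Index-time settings such as line breaking and timestamp recognition still
# come from this stanza, because the sourcetype is renamed after they run;
# the cisco/fortinet props from the apps apply at search time.
[network:syslog]
SHOULD_LINEMERGE = false
TRANSFORMS-route_by_sender = set_st_cisco, set_st_fortinet

# transforms.conf -- match the sender recorded in the host metadata field.
# The field value carries a "host::" prefix, hence the (?:^|::) start.
# Placeholder addresses (RFC 5737 documentation range): use the real
# source IP of each device.
[set_st_cisco]
SOURCE_KEY = MetaData:Host
REGEX = (?:^|::)192\.0\.2\.10$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco

[set_st_fortinet]
SOURCE_KEY = MetaData:Host
REGEX = (?:^|::)192\.0\.2\.20$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::fortinet
```

All three are index-time settings, so restart Splunk after editing them, and note that events already indexed keep their old sourcetype. To confirm which stanza wins after the layering described earlier in this thread, run `$SPLUNK_HOME/bin/splunk btool props list network:syslog --debug` (and the same with `inputs list udp://514`) on the receiving instance; the `--debug` flag prints the file each setting came from.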

Re: How to configure different sourcetypes for udp port 514 ?

Explorer

Why, when I restrict the host, do I not receive anything? Is there some specific configuration?
My firewall and my switch are allowed to send logs.


Re: How to configure different sourcetypes for udp port 514 ?

SplunkTrust

Are you seeing the packets with tcpdump/Wireshark on the Splunk server?


Re: How to configure different sourcetypes for udp port 514 ?

Builder

What's your Splunk topology, and what are the source paths?


Re: How to configure different sourcetypes for udp port 514 ?

Builder

You can edit the file in the local directory of the app's folder:
$SPLUNK_HOME/etc/apps/app-name/local/inputs.conf
or you can modify it directly from Splunk Web:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Enableareceiver
