Getting Data In

How to define an index per Source for a shared UDP 514 input?

JdeFalconr
Explorer

I'm trying to figure out how to have data from a particular host (i.e. Source) sent to a specific index. To get more specific for my example, I am trying to send Syslog data in on UDP 514. I would like to make it such that multiple devices can all send data to my Indexer on UDP 514, but send data to different indexes based on which host it comes from. I am using only the syslog functionality within the hosts I'm sending data from, not a forwarder installed on those hosts.

With a shared input and no control on the sending end, how do I configure things on my indexer to move data from specific hosts into a separate index? I know I can define individual inputs and define a destination index per input, but it seems like a terrible waste to use a separate port for each input (i.e. this batch of servers comes in on UDP 514 and data goes to index A, this other batch uses UDP 515 and goes to index B, and so on), not to mention the many different firewall ports I might have to open up.

Is it possible to define multiple inputs for the same port and differentiate them between their sending host? That would allow me to use the same port but move data to separate indexes. For instance, say I configure two inputs for UDP 514. One specifies a particular set of hosts and an index for their data while the other one does not specify a host (meaning any other data coming in on UDP 514 goes to that index).

Thanks for the help.

0 Karma
1 Solution

masonmorales
Influencer

While it's technically possible to do what you are asking, it is not easy, and is actually not best practice for a variety of reasons. Take a look at this article: http://www.georgestarcher.com/splunk-success-with-syslog/

If you really insist on keeping network inputs for all of your syslog feeds, and you don't want separate ports for each input's destination sourcetype/index, you will have to configure per-event routing using a lot of regex to separate the data into separate sourcetypes/indexes. Take a look at: http://docs.splunk.com/Documentation/Splunk/6.3.1/Forwarding/Routeandfilterdatad

I would strongly advise against the latter though. Save yourself a lot of headache and put a syslog server in the middle instead.

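For readers who do want to try the per-event routing the answer links to, here is an added, constructed illustration of what the indexer-side configuration looks like. It is not code from the original post, from the linked article, or from Splunk's documentation; the index names (`syslog_default`, `netsec`, `windows`) and the 10.0.1.x / 10.0.2.x addresses are made-up assumptions. The idea is one shared listener with a default index in inputs.conf, plus `host::` stanzas in props.conf that override the destination index for named senders via `_MetaData:Index`, so no event content is inspected:

```ini
# inputs.conf (on the indexer): a single shared UDP 514 listener.
# connection_host = ip sets the host field to the sender's address,
# which is what the host:: stanzas below match on.
# Events that match none of the host:: stanzas stay in syslog_default.
[udp://514]
sourcetype = syslog
connection_host = ip
index = syslog_default

# props.conf: attach a routing transform per group of senders.
# host:: stanzas accept wildcards, so a whole subnet can be addressed.
# (Addresses and index names are constructed for this example.)
[host::10.0.1.*]
TRANSFORMS-route = route_to_netsec

[host::10.0.2.10]
TRANSFORMS-route = route_to_windows

# transforms.conf: each transform rewrites the index metadata key.
# REGEX = . matches any non-empty event, so no payload parsing happens;
# the selection was already made by the host:: stanza in props.conf.
[route_to_netsec]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = netsec

[route_to_windows]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = windows
```

These stanzas must live on the instance that parses the data (the indexer here, since the devices send syslog directly), and the target indexes must already exist in indexes.conf. After a restart, a search such as `index=netsec host=10.0.1.*` confirms the override took effect. The caveat the answer raises still stands: every new device or subnet means another props stanza, and UDP 514 on a Splunk listener drops events during restarts, which is why a syslog relay writing per-host files that Splunk then monitors is the more robust design.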
JdeFalconr
Explorer

Thank you, that's extremely helpful. That article was spot-on what I needed.

I do have to say I'm completely mystified that doing what I'm asking is so incredibly difficult to configure on the Indexer. It really seems like this was an intentional decision to leave this feature out. Obviously Splunk is able to examine what network port data comes in on and make a decision purely based on that as to which index data goes into. Furthermore, it can include or exclude data based on what host the data is sourced from on that port. Yet for some reason, while it can differentiate between multiple hosts on a single port for data inclusion/exclusion, it is unable to perform the same differentiation in terms of what the destination index should be! Ridiculous! Even worse, you're saying it can be done based on regex inspection of the content of the data, yet as I've previously illustrated, you can do what I'm asking without looking at any of the contents of the incoming data at all!

0 Karma