We have multiple devices forwarding the logs to Splunk which syslog mechanism and UF, as it's difficult to identify the forward mechanism used for those devices. is there any way to identify the syslog forwarding mechanism on port 514 ?
The logs are forwarded by host is with the 2 mechanism one with syslog configuration at host end using port 514 and the other is with installing the UF on host to forward the logs on port 9997, is there any way to find that host details forwarding by these 2 mechanism.
Hi @MayurMangoli,
a I said, you can use the source field to identify if the source is an udp ot tcp syslog e.g. on port 512 or a file from a Universal Forwarder.
It's more difficoult if you're using a rsyslog or a syslog-ng server to take syslogs because they write syslogs in a file so you cannot distinghuish them.
My hint is to always have a perimeter (e.g. in a lookup or in an external Excel File) containing the monitoring perimeter in which are listed all the host under monitoring and also with the way to ingest logs (e.g. syslog or UF, protocol, port, etc...).
All my projects start with the perimeter definition and analysis, that you can also use to check the data flow status.
Ciao.
Giuseppe
Hi @MayurMangoli,
what do you mean with "syslog mechanism"?
the port and protocol are defined in the source of your events.
The way to ingest syslogs is defined by your architecture.
The forwarders isn't still defined, but I required this feature in Splunk ideas (https://ideas.splunk.com/ideas/EID-I-1731) and it's "under consideration" if you think that's useful, please upvote it.
Ciao.
Giuseppe