I am trying to integrate a few servers into Splunk. The servers send syslog data only. Earlier I had two servers (log sources), so I made the input traffic come in on ports 514 and 515. I used two ports to get two host names in the logs. But now the server count is about 5, and I don't feel like giving another 5 separate ports to these 5 servers just to get different host names.
I want to use a single port, say port 514, as the input to my HF for n servers, and get n distinct HOSTs. Can anyone suggest how I can achieve this in Splunk?
Hi @dikshaj,
If you want to ingest syslogs from only a set of servers, you have to follow the indications of @nickhills.
If instead you want to ingest syslogs from all the servers, the easiest way to ingest syslogs from different servers is to receive all of them on the same port and then override the host value using a regex.
In other words, on the Heavy Forwarder you have to add a props.conf stanza (located in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory under $SPLUNK_HOME/etc/apps/) like this:
[your_sourcetype]
TRANSFORMS-override_host = override_host
and in a transforms.conf stanza:
[override_host]
REGEX = <your_regex>
FORMAT = host::$1
DEST_KEY = MetaData:Host
Usually the syslogs of all servers have the hostname after the timestamp and/or IP address; to be more sure, check this regex (if you want, share an example and I can help).
For more info see https://docs.splunk.com/Documentation/SplunkCloud/8.0.1/Data/Overridedefaulthostassignments .
Ciao.
Giuseppe
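As an added example (not from the thread, and not Splunk's own default syslog host transform), here is the props.conf/transforms.conf pair from the answer above filled in with a concrete regex, plus a small Python check that runs that exact REGEX over a few constructed syslog lines so you can see which host each event would get before the transform goes onto the HF. The sourcetype name, the regex, the default host name and the sample events are all assumptions. Splunk evaluates REGEX with PCRE; this pattern only uses syntax that Python's re module treats identically.

```python
import re

# Assumed Splunk configuration (illustrative; stanza names and regex are not
# from the thread). These would go in props.conf / transforms.conf on the HF.
PROPS_CONF = """
[syslog]
TRANSFORMS-override_host = override_host
"""

TRANSFORMS_CONF = r"""
[override_host]
REGEX = ^(?:<\d{1,3}>)?(?:1\s+\S+|[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+([^\s\[:]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
"""


def regex_from_transform(conf):
    """Read REGEX out of the transforms stanza so the check exercises the
    exact pattern that would be deployed, not a retyped copy of it."""
    m = re.search(r"^REGEX\s*=\s*(.+?)\s*$", conf, re.M)
    if m is None:
        raise ValueError("no REGEX key in stanza")
    return re.compile(m.group(1))


HOST_RE = regex_from_transform(TRANSFORMS_CONF)

# What host holds when the transform does not match: with connection_host = none
# on the UDP input that is the HF's own name. Assumed value.
DEFAULT_HOST = "hf01.example.net"


def override_host(raw, default_host=DEFAULT_HOST):
    """Mimic the transform: FORMAT = host::$1 sets host to capture group 1
    whenever REGEX matches; otherwise the event keeps the input's host."""
    m = HOST_RE.match(raw)
    return m.group(1) if m else default_host


# Constructed sample events (not real logs): RFC 3164 with and without the
# <PRI> prefix, RFC 5424, an IP address in the HOSTNAME field, and a line with
# no syslog header at all, which must fall back to the default host.
SAMPLES = [
    ("<13>Jan  5 10:22:33 web01 sshd[4242]: Accepted publickey for ops", "web01"),
    ("<34>1 2020-01-05T10:22:34.003Z db02.example.net su - ID47 - 'su root' failed", "db02.example.net"),
    ("<13>Jan  5 10:22:35 10.0.0.7 kernel: [12.3] eth0: link up", "10.0.0.7"),
    ("Jan  5 10:22:36 fw-edge %ASA-6-302013: Built outbound TCP connection", "fw-edge"),
    ("this line has no syslog header at all", DEFAULT_HOST),
]


def check_samples():
    """Return the (raw, host) pairs the transform would produce for SAMPLES,
    and whether every host matches the expected value listed beside it."""
    results = [(raw, override_host(raw)) for raw, _ in SAMPLES]
    ok = all(got == want for (_, want), (_, got) in zip(SAMPLES, results))
    return results, ok


if __name__ == "__main__":
    results, ok = check_samples()
    for raw, host in results:
        print(f"{host:<18} <- {raw}")
    print("all samples as expected:", ok)
```

Two things worth keeping in mind when relying on this. Nothing in the path is authenticated: the hostname is whatever the sender wrote into the packet, and over UDP even the source address can be forged, so the host field is a label for routing and searching, not proof of origin. The character class `[^\s\[:]+` also stops a crafted header from smuggling spaces or brackets into the host value. Events the regex does not match keep whatever `connection_host` on the input assigned, so pairing the override with `connection_host = ip` rather than `none` avoids every unmatched line being attributed to the HF itself.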
Could you not use Rsyslog? If I understand the question, you want the syslog to create unique host information?
# one file per remote host, split by date (%HOSTNAME% is taken from the message header)
$template RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
Then apply this template to messages coming from remote hosts :
$RuleSet remote
*.* ?RemoteHost
# bind this ruleset to the listener, e.g. $InputUDPServerBindRuleset remote before $UDPServerRun 514
Then have Splunk monitor the entire /var/syslog/hosts/ directory.
Take a look here:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Monitornetworkports
Specifically "Specify input settings"
If you are configuring using inputs.conf, you should add:
connection_host = ip | dns | none
"ip" sets the host to the IP address of the remote server.
"dns" sets the host to the DNS entry of the remote server.
"none" leaves the host as specified, i.e. your HF.
Can you look into the answer below?
https://answers.splunk.com/answers/489248/what-is-the-best-way-to-approach-multiple-udp-sysl.html