Getting Data In

How to identify type of log delivery

evelenke
Contributor

Hi Splunkers,

we have a centralized syslog collector.
Also, many hosts deliver logs directly via UFs.
The same index may contain data delivered from UFs and from syslog inputs.
Also we have DB connectors and APIs.
Is it possible to divide data by type of input? Does Splunk have this kind of inspection?

0 Karma

gcusello
Legend

Hi @evelenke,
you should divide them by source field:

  • syslogs have TCP:port or UDP:port;
  • Universal Forwarders have the file, the script or the module;
  • DB Connect has db... (I'm not sure about this, but you can check easily!).

Ciao.
Giuseppe

0 Karma

evelenke
Contributor

Hi @gcusello ,

everything may be custom: you can set index, source and sourcetype in inputs.conf on the UF or in DB Connect.
In this case you may/should have a big knowledge base and control everything.

I need something simpler, like the IP address or actual hostname of the source the logs were delivered from; is there any option to track this?

0 Karma

gcusello
Legend

Hi @evelenke,
as you said, an IP or hostname may not be useful if you can receive from a server both by Universal Forwarder and by syslog.
You can easily identify syslogs (TCP:514 or UDP:514) and DB Connect (db...); the others are different, but they always come from a Universal Forwarder.
Another way to identify sources from Universal Forwarders is that you surely also have logs from these servers in _internal.

Ciao.
Giuseppe

0 Karma
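The two heuristics above (classify by the pattern of the source field, then cross-check hosts against _internal to see which ones run a forwarder) can be combined into one search. The following SPL is an added example and is not from either participant; it assumes an index name of myindex, uses the TCP:port/UDP:port and file/script patterns gcusello described, and treats the "db" prefix for DB Connect as an assumption to be verified against your own data, as gcusello himself notes. The script-extension list and the 1h/24h time windows are also assumptions.

```spl
index=myindex earliest=-1h
| eval delivery=case(
    match(source, "^(?i)(tcp|udp):\d+$"),                  "syslog-input",
    match(source, "^(?i)db"),                              "db-connect (assumed prefix, verify)",
    match(source, "(?i)\.(sh|py|ps1|bat|exe)(\s.*)?$"),    "uf-scripted-input",
    match(source, "^/") OR match(source, "^(?i)[a-z]:"),   "uf-file-monitor",
    true(),                                                "other")
| stats count by host delivery
| append
    [ search index=_internal sourcetype=splunkd earliest=-24h
      | stats count as uf_events by host
      | eval has_uf="yes"
      | fields host has_uf ]
| stats values(delivery) as delivery sum(count) as count values(has_uf) as has_uf by host
| fillnull value=no has_uf
| table host delivery count has_uf
```

Hosts that show delivery=other together with has_uf=no are the ones whose inputs.conf overrides the default source and therefore need a manual entry in your knowledge base. Two caveats: the _internal subsearch also matches your indexers and search heads, so exclude those hosts if you only want forwarders; and if your syslog collector writes to files that a UF then monitors, those events carry a file path as source and will be classified as uf-file-monitor rather than syslog-input.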

nickhills
Ultra Champion

source or sourcetype should be the differentiators.

Is this not sufficient for your needs?

If my comment helps, please give it a thumbs up!
0 Karma

evelenke
Contributor

They may be custom.

0 Karma

nickhills
Ultra Champion

Can you provide some examples?

If my comment helps, please give it a thumbs up!
0 Karma

evelenke
Contributor

You can set index, source and sourcetype in inputs.conf on the UF or in DB Connect.
In this case you may/should have a big knowledge base and control everything.

I need something simpler, like the IP address or actual hostname of the source the logs were delivered from; is there any option to track this?

0 Karma