I'm totally new to the business, I've never dealt with regex, logs or Splunk, etc.
Some answers to the question can be found on this page (I know), and Splunk has really good documentation, as I've seen, but I don't understand exactly what to do.
In my test environment I have a Check Point firewall (OPSec LEA is not an option now) [192.168.10.1] and an Aruba controller [192.168.10.9]; both send syslog only through port UDP 514 (default and cannot be changed).
In (SplunkWeb) Search & Reporting I see the logs, which are being sent to one index (as I configured UDP 514 to write into the 'test' index).
My goal is: the firewall's logs go to 'test' index and the controller's logs go to 'test2' index.
/opt/splunk/etc/system/local contains an inputs.conf, which contains:
host = splunk-office
connection_host = ip
What exactly should I add to these lines in inputs.conf (or any other .conf files)?
I don't understand where I can set up that the logs of 192.168.10.1 go to 'test' and those of the other IP address go to 'test2'.
I would be very pleased if someone could help me step by step.
It is not as easy as changing something in inputs.conf. While you can specify under any input stanza something like index=test, which will then route any events received on that input to index=test, in your case you only have one input (udp:514) for two data sources, so you'll need a different method. (As an aside, the inputs.conf you posted does not contain the udp 514 listener. There must be another inputs.conf somewhere in $SPLUNKHOME/etc/apps//local - likely in $SPLUNKHOME/etc/apps/launcher/local. These get merged at run-time by Splunk. It's like this so apps and add-ons can supply their own inputs.)
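As an added example (not part of the answer above), one standard Splunk way to do the per-sender routing the answer alludes to is a props.conf/transforms.conf pair on the instance that actually parses the UDP 514 data (the indexer or a heavy forwarder, not a universal forwarder). It assumes the host field is the sender's IP address, as the poster's connection_host = ip setting implies, and uses the index names and addresses from the question; the stanza names route_by_host and route_aruba_to_test2 are arbitrary labels chosen here:

```ini
# props.conf  (e.g. $SPLUNK_HOME/etc/system/local/props.conf)
# Run the routing transform on every event arriving via the UDP 514 listener,
# whose source value Splunk sets to "udp:514".
[source::udp:514]
TRANSFORMS-route_by_host = route_aruba_to_test2

# transforms.conf  (same directory)
# MetaData:Host holds "host::<value>"; with connection_host = ip the value is
# the sending IP. Events that match are re-routed to index 'test2'; everything
# else (the Check Point firewall at 192.168.10.1) keeps the listener's default
# index, which the question says is 'test'.
[route_aruba_to_test2]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.10\.9$
DEST_KEY = _MetaData:Index
FORMAT = test2
```

Both indexes must already exist in indexes.conf, and the change needs a Splunk restart. Afterwards, the check a defender wants is two searches over a short time window, index=test host=192.168.10.1 and index=test2 host=192.168.10.9, confirming that no controller events still land in 'test' and that firewall events were not silently dropped by an overly broad REGEX.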