Getting Data In

How to split incoming traffic through UDP 514?

New Member

Dear All,

I'm totally new to the business; I've never dealt with regex, logs, Splunk, etc.
Some answers to the question can be found on this site (I know), and Splunk has really good documentation, as I've seen, but I don't understand exactly what to do.

In my test environment I have a Check Point firewall (OPSEC LEA is not an option now) [192.168.10.1] and an Aruba controller [192.168.10.9]; both send syslog only through port UDP 514 (default and cannot be changed).

In (SplunkWeb) Search & Reporting I see the logs, which are being sent to one index (as I configured UDP 514 to write into the 'test' index).
My goal is: the firewall's logs go to 'test' index and the controller's logs go to 'test2' index.

/opt/splunk/etc/system/local contains an inputs.conf, which contains:
"
[default]
host = splunk-office

[splunktcp://9997]
connection_host = ip
"

What exactly should I add to inputs.conf (or any other .conf files)?
I don't understand where I can set up that the logs of 192.168.10.1 go to 'test' and the other IP address goes to 'test2'.

I would be very pleased if someone could help me step by step.

0 Karma

Splunk Employee

Hi,

It is not as easy as changing something in inputs.conf. While you can specify under any input stanza something like index=test, which will then route any events received on that input to index=test, in your case you only have one input (udp:514) for two data sources, so you'll need a different method. (As an aside, the inputs.conf you posted does not contain the udp 514 listener. There must be another inputs.conf somewhere in $SPLUNK_HOME/etc/apps/<app>/local, likely in $SPLUNK_HOME/etc/apps/launcher/local. These get merged at run-time by Splunk. It's like this so apps and add-ons can supply their own inputs.)

Here are a few options, in order of level of effort:
1) Configure either Aruba or Checkpoint to send syslog to a different port. Create two inputs and set the index per input.
2) Use Splunk props.conf and transforms.conf configuration files to set the index per event. It is very similar to the example here: http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Advancedsourcetypeoverrides, however you are updating a different DEST_KEY. You can also reference http://docs.splunk.com/Documentation/Splunk/6.4.2/Indexer/Setupmultipleindexes#Route_specific_events_to_a_different_index
3) The best practice for syslog is to set up a separate syslog server (or even a syslog process directly on the Splunk indexer, if your environment is small) instead of sending directly to a Splunk network input. You can just google "Splunk syslog server" and you'll see why and how. For instance: https://answers.splunk.com/answers/28680/universal-forwarder-vs-dedicated-rsyslog-syslog-ng-servers-.... You then use syslog to split Aruba hosts and Check Point hosts into separate files, and then Splunk reads each file as an individual input with its own index specification. While this is more complex and requires you to learn syslog, it is really the most robust solution.

Good luck!

0 Karma
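Option 2 from the answer above, worked out as an added example (this is not configuration from the original post or from Splunk's documentation). It routes each event arriving on the single udp:514 input to an index chosen by the sender's address. The IPs and index names are the ones from the question; the app path, the stanza names and the assumption that the UDP listener already carries index = test are mine:

```ini
# --- inputs.conf  (assumed location: $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf) ---
# Assumed to be what the existing UDP listener stanza looks like. connection_host = ip
# makes the indexer stamp the sender's IP into the host field, which the transforms
# below key on. index = test stays as the default, so anything neither transform
# matches still lands in 'test' instead of being dropped into main.
[udp://514]
connection_host = ip
sourcetype = syslog
index = test

# --- props.conf  (same app, local/) ---
# Events from a network input carry source=udp:514; attach the routing transforms to
# that source so they run on every event from this listener and nothing else.
[source::udp:514]
TRANSFORMS-route_by_sender = route_checkpoint, route_aruba

# --- transforms.conf  (same app, local/) ---
# Match on the host metadata rather than the raw message text. The value seen by the
# transform is "host::<value>", so the regex is anchored on the full string: a device
# at 192.168.10.10 must not match the 192.168.10.1 rule.
[route_checkpoint]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.10\.1$
DEST_KEY = _MetaData:Index
FORMAT = test

[route_aruba]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.10\.9$
DEST_KEY = _MetaData:Index
FORMAT = test2
```

Two checks before relying on this: the 'test2' index has to exist (indexes.conf or Settings > Indexes) or the events are discarded, and the host value must really be the IP. The stock syslog sourcetype rewrites host from the hostname in the syslog header when one is present, so search the udp:514 events first and look at what host shows; if it is a device name, put that name in the REGEX instead of the IP. Index-time transforms only take effect after a restart of the instance that receives the UDP traffic.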
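Option 3 from the answer above, as an added example that is not part of the original post: rsyslog takes over UDP 514 on the indexer host, writes one file per sending device, and Splunk monitors each file with its own index. The IPs and index names come from the question; the rsyslog file name, the /var/log/remote directory and the monitor stanzas are assumptions for illustration:

```conf
# --- /etc/rsyslog.d/10-splunk-split.conf  (assumed file name) ---
# rsyslog owns UDP 514 now; the Splunk udp://514 stanza must be disabled (below),
# since two processes cannot bind the same port.
module(load="imudp")
input(type="imudp" port="514")

# Split by the source address of the datagram, not by anything the sender writes in
# the message, so a device cannot pick its destination by forging the header hostname.
# 'stop' prevents the matched message from also landing in the default local logs.
if $fromhost-ip == '192.168.10.1' then {
    action(type="omfile" file="/var/log/remote/checkpoint.log")
    stop
}
if $fromhost-ip == '192.168.10.9' then {
    action(type="omfile" file="/var/log/remote/aruba.log")
    stop
}
# Anything from an unexpected sender is kept rather than silently lost.
if $fromhost-ip != '127.0.0.1' then {
    action(type="omfile" file="/var/log/remote/unknown-senders.log")
    stop
}

# --- inputs.conf  (assumed location: $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf) ---
# Disable the network listener that the page's answer says must exist somewhere in
# an app's local/ directory, then read the files rsyslog produces.
[udp://514]
disabled = 1

[monitor:///var/log/remote/checkpoint.log]
sourcetype = syslog
index = test
host = 192.168.10.1

[monitor:///var/log/remote/aruba.log]
sourcetype = syslog
index = test2
host = 192.168.10.9

[monitor:///var/log/remote/unknown-senders.log]
sourcetype = syslog
index = test
```

The files are written by the rsyslog user and read by the splunk user, so give the directory a group both can use and check that Splunk can open the files before assuming the monitor works; rotate the files with logrotate, since Splunk tracks the file by its content, not its name. Setting host explicitly in each monitor stanza keeps the field stable even when a device's syslog header carries a different hostname.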