Getting Data In

How to split incoming traffic through UDP 514?

calebra05
New Member

Dear All,

I'm totally new to the business, I've never dealt with regex, logs or Splunk, etc.
Some answers to this question can be found on this page (I know), and Splunk has really good documentation, as I've seen, but I don't understand exactly what to do.

In my test environment I have a Check Point firewall (OPSec LEA is not an option now) [192.168.10.1] and an Aruba controller [192.168.10.9]; both send syslog only through port UDP 514 (default and cannot be changed).

In (SplunkWeb) Search & Reporting I see the logs which are being sent to one index (as I configured UDP 514 to write into 'test' index).
My goal is: the firewall's logs go to 'test' index and the controller's logs go to 'test2' index.

/opt/splunk/etc/system/local contains an inputs.conf, which contains:
"
[default]
host = splunk-office

[splunktcp://9997]
connection_host = ip
"

What exactly should I add to inputs.conf (or any other .conf files)?
I don't understand where I can set up that the logs of 192.168.10.1 go to 'test' and the logs of the other IP address go to 'test2'.

I would be very pleased if someone could help me step by step.

0 Karma

Dan
Splunk Employee

Hi,

It is not as easy as changing something in inputs.conf. While you can specify under any input stanza something like index=test, which will then route any events received on that input to index=test, in your case you only have one input (udp:514) for two data-sources so you'll need a different method. (As an aside, the inputs.conf you posted does not contain the udp 514 listener. There must be another inputs.conf, somewhere in $SPLUNK_HOME/etc/apps//local - likely in $SPLUNK_HOME/etc/apps/launcher/local. These get merged at run-time by Splunk. It's like this so apps and add-ons can supply their own inputs.)

Here are a few options, in order of level of effort:
1) Configure either Aruba or Checkpoint to send syslog to a different port. Create two inputs and set the index per input.
2) Use Splunk props.conf and transforms.conf configuration files to set the index per-event. It is very similar to the example here: http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/Advancedsourcetypeoverrides, however you are updating a different DEST_KEY. You can also reference http://docs.splunk.com/Documentation/Splunk/6.4.2/Indexer/Setupmultipleindexes#Route_specific_events...
3) The best practice for syslog is to set up a separate syslog server (or even a syslog process directly on the Splunk indexer, if your environment is small) instead of sending directly to a Splunk network input. You can just google "Splunk syslog server" and you'll see why and how. For instance: https://answers.splunk.com/answers/28680/universal-forwarder-vs-dedicated-rsyslog-syslog-ng-servers-.... You then use syslog to split Aruba hosts and Checkpoint hosts into separate files, and then Splunk reads each file as an individual input with its own index specification. While this is more complex and requires you to learn syslog, it is really the most robust solution.

Good luck!

0 Karma
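Worked configuration for option 2 in the answer above (added here as an illustration; it is not part of the original answer or of any Splunk-supplied app). It assumes the udp:514 listener lives on the indexer itself, where parsing happens, and that the files are placed in $SPLUNK_HOME/etc/system/local (or an app's local/ directory) followed by a restart. The stanza and class names route_aruba_to_test2 and TRANSFORMS-route_aruba are my own choices; the IP addresses and index names are the ones from the question. The index 'test2' must already exist (indexes.conf or Settings > Indexes), otherwise the routed events are dropped.

```conf
# ---- inputs.conf ----------------------------------------------------------
# The existing UDP listener. 'index = test' is the default for every event
# arriving here; the transform below re-routes only the Aruba controller.
# connection_host = ip makes the host field the sender's IP address
# (this is already the default for UDP inputs, stated here for clarity).
[udp://514]
sourcetype = syslog
index = test
connection_host = ip

# ---- props.conf -----------------------------------------------------------
# Attach the routing transform to everything that arrives on source udp:514.
[source::udp:514]
TRANSFORMS-route_aruba = route_aruba_to_test2

# ---- transforms.conf ------------------------------------------------------
# Match on the host metadata (source IP of the datagram) rather than on the
# message text, and rewrite the destination index. The key is the Splunk
# index-routing key _MetaData:Index; FORMAT is the target index name.
# Events from any other host keep the input's default index 'test'.
[route_aruba_to_test2]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.10\.9$
DEST_KEY = _MetaData:Index
FORMAT = test2
```

Two caveats a practitioner will want. First, this only works if the host field still holds the sender IP when the transform runs; if you later add a syslog-header host extraction that rewrites host to the device's hostname, match on that hostname instead, or match on _raw. Second, syslog over UDP carries no authentication, so source-IP routing is only as trustworthy as your network: anything that can spoof 192.168.10.9 can write into 'test2'. Check the result with a search such as `index=test2 host=192.168.10.9` after a restart.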
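Worked configuration for option 3 in the answer above, using rsyslog as the intermediate syslog server (added here as an illustration; it is not part of the original answer and not a Splunk- or rsyslog-supplied file). It assumes rsyslog runs on the same box as the indexer, so Splunk's own udp:514 input must be disabled first or the two will fight for the port; the file paths under /var/log/remote are my own choice. The Splunk inputs then read one file per device, each with its own index.

```conf
# ---- /etc/rsyslog.d/10-splunk-split.conf ----------------------------------
# Listen on UDP 514 in place of the Splunk network input.
module(load="imudp")
input(type="imudp" port="514")

# Write the message exactly as received, one per line, so Splunk's syslog
# sourcetype sees the original header (timestamp, hostname, program).
template(name="RawMsg" type="string" string="%rawmsg%\n")

# Split by sending IP. 'stop' prevents the message from also landing in the
# default /var/log/messages (or syslog) file.
if $fromhost-ip == '192.168.10.1' then {
    action(type="omfile" file="/var/log/remote/checkpoint/fw.log" template="RawMsg")
    stop
}
if $fromhost-ip == '192.168.10.9' then {
    action(type="omfile" file="/var/log/remote/aruba/controller.log" template="RawMsg")
    stop
}

# ---- inputs.conf (Splunk) -------------------------------------------------
# One monitor input per file, each with its own index. The generic 'syslog'
# sourcetype is used here; swap in the vendor add-on's sourcetype if you
# install one later.
[monitor:///var/log/remote/checkpoint/fw.log]
sourcetype = syslog
index = test
host_segment = 4

[monitor:///var/log/remote/aruba/controller.log]
sourcetype = syslog
index = test2
host_segment = 4
```

The `host_segment = 4` lines set the host field from the fourth path segment (checkpoint or aruba), which is useful because the file already encodes the source. Rotate these files with logrotate; Splunk's monitor input follows rotation correctly as long as the rotated file is renamed rather than truncated in place. The same unauthenticated-UDP caveat applies: routing by `$fromhost-ip` is only as trustworthy as the network delivering the datagrams.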