Is it normal to have both sourcetype UDP:514 and sourcetype syslog?



My colleague configured 1 heavy forwarder and I configured the other 2. In my Splunk, I see both sourcetype UDP:514 and sourcetype syslog.

Is this normal, or did we set different sourcetypes when we set them up?

We used the CLI and when I check \splunk\home\etc\local\inputs.conf the file has almost nothing in it, except the host...

Can someone tell me where I can go to compare on the 2 systems if we have set different sourcetypes?


Splunk Employee
Best practice for ingesting syslog data is to send it to a syslog/syslog-ng server, which writes to directories/files, and have a universal forwarder monitor those files. Only this approach allows you to assign proper sourcetypes to your log data. "syslog" is not a very meaningful sourcetype when users want to try and find logs from firewalls, IPSs, switches, etc.

Having said that: You can run a search to identify which of your HFs is sending which sourcetype and then check your configuration on the relevant server.
You can also run

./splunk cmd btool inputs list --debug

to list out all configuration settings for inputs.conf and it will tell you which configuration file it was taken from.
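To compare two forwarders using the btool output described above, the following added example (not part of the original answer) parses saved `btool inputs list --debug` output from each host and reports network inputs whose `sourcetype` setting differs. The function names and the sample output for the two forwarders are constructed for illustration.

```python
import re

# btool --debug prefixes each line with the .conf file that supplied it.
# Match up to the first ".conf" so Windows paths containing spaces still parse.
LINE = re.compile(r"^(?P<file>.*?\.conf)\s+(?P<body>\S.*)$")

def parse_btool(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        body = m["body"]
        if body.startswith("[") and body.endswith("]"):
            current = stanzas.setdefault(body[1:-1], {})
        elif current is not None and "=" in body:
            key, _, value = body.partition("=")
            current[key.strip()] = (value.strip(), m["file"])
    return stanzas

def network_sourcetypes(text):
    """Map each udp:// or tcp:// input to (sourcetype or None, defining file)."""
    return {name: settings.get("sourcetype", (None, None))
            for name, settings in parse_btool(text).items()
            if name.startswith(("udp://", "tcp://"))}

def compare(a, b):
    """Return {input: (sourcetype_a, sourcetype_b)} where the two differ."""
    sa, sb = network_sourcetypes(a), network_sourcetypes(b)
    pairs = {n: (sa.get(n, (None,))[0], sb.get(n, (None,))[0])
             for n in sorted(set(sa) | set(sb))}
    return {n: p for n, p in pairs.items() if p[0] != p[1]}

# Constructed sample output from two forwarders (not taken from the thread).
HF_A = r"""
/opt/splunk/etc/system/local/inputs.conf   [udp://514]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/local/inputs.conf   sourcetype = syslog
"""
HF_B = r"""
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf [udp://514]
C:\Program Files\Splunk\etc\system\default\inputs.conf    _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf connection_host = ip
"""

if __name__ == "__main__":
    for name, (a, b) in compare(HF_A, HF_B).items():
        print(f"{name}: A={a or '(not set)'}  B={b or '(not set)'}")
```

The file path returned alongside each sourcetype shows which inputs.conf to edit on that host.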

