Sourcetypes on UDP syslog data

timmy13 · ‎07-01-2016

When receiving syslog data via UDP:514, is there a way to specify the sourcetype based on the IP address of the device sending the data?

ryanoconnor · ‎07-01-2016

It looks like could possibly work for what you need. You can also look into installing syslog-ng, kiwi syslog, or rsyslog on your server. This would allow for more advanced filtering of data and you could send data to different directories as it was being collected.

From there you could have different monitoring stanzas to look at different directories of data and assign sourcetypes that way. That's probably the cleanest way to do it and the most recommended so that you won't have any data loss in the event that Splunk needs to be restarted or shuts down unexpectedly.

ddrillic · ‎07-01-2016

Interesting related discussion at - Sending certain logs from UDP port 514 to specific indexes

Sourcetypes on UDP syslog data

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation

Sourcetypes on UDP syslog data

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A