Re: Syslog from multiple devices

7070ithelpdesk · ‎04-24-2013

I have riverbed 10.10.10.1 and barracuda 10.10.10.2 both writing syslog (on UDP 514 which I cannot change) to my Splunk server

all was well when I just had barracuda data as I set a manual UDP data input

UDP 514 sourcetype barracuda

but now I ALSO need a UDP 514 sourcetype riverbed_steelhead

I dont have resource to set up another product to split these in advance of arriving on the Splunk server

any help would really be appreciated

7070ithelpdesk · ‎04-25-2013

I added the sourcetypes below in the props.conf in the folder

C:\Program Files\Splunk\etc\system\default

I then set my UDP 514 input back to the default syslog

an I get no data from my Barracuda

7070ithelpdesk · ‎04-25-2013

Thanks for this

I have quite a few apps installed and each seems to have its own "props.conf" (31 in total) when I seach the Splunk top level folder

I assume the entry has to be in the "main" props.conf

Could you tell me which one to edit

alacercogitatus · ‎04-24-2013

In props.conf, set sourcetype by Host IP.

[host::10.10.10.1] sourcetype=barracuda

[host::10.10.10.2] sourcetype=riverbed_steelhead

http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf

MOberschelp · ‎02-24-2015

I have tried this solution for my problem.

I've set up UDP 514 for sourcetype cisco:asa (most of the syslog hosts are cisco asa's).
But I need syslog for different sourcetypes like cisco:esa:textmail and McAfee Firewall Enterprise (Sidewinder) etc.

I've set up a blank props.conf with the following syntax:
[host::10.1.1.2] sourcetype = cisco.esa.textmail
[host::10.1.1.1] sourcetype = cisco.esa.textmail

But in the search app the sourcetype is still cisco:asa.

What do I have to do additionally?

Syslog from multiple devices

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud