Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Syslog from multiple devices

7070ithelpdesk
New Member
‎04-24-2013 09:49 AM

I have riverbed 10.10.10.1 and barracuda 10.10.10.2 both writing syslog (on UDP 514 which I cannot change) to my Splunk server

all was well when I just had barracuda data as I set a manual UDP data input

UDP 514 sourcetype barracuda

but now I ALSO need a UDP 514 sourcetype riverbed_steelhead

I dont have resource to set up another product to split these in advance of arriving on the Splunk server

any help would really be appreciated

Tags (1)
0 Karma
Reply

7070ithelpdesk
New Member
‎04-25-2013 02:42 AM

I added the sourcetypes below in the props.conf in the folder

C:\Program Files\Splunk\etc\system\default

I then set my UDP 514 input back to the default syslog

an I get no data from my Barracuda

0 Karma
Reply

7070ithelpdesk
New Member
‎04-25-2013 02:39 AM

Thanks for this

I have quite a few apps installed and each seems to have its own "props.conf" (31 in total) when I seach the Splunk top level folder

I assume the entry has to be in the "main" props.conf

Could you tell me which one to edit

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎04-24-2013 10:11 AM

In props.conf, set sourcetype by Host IP.

[host::10.10.10.1]
sourcetype=barracuda

[host::10.10.10.2]
sourcetype=riverbed_steelhead

http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf

Reply

MOberschelp
Explorer
‎02-24-2015 12:57 AM

I have tried this solution for my problem.

I've set up UDP 514 for sourcetype cisco:asa (most of the syslog hosts are cisco asa's).
But I need syslog for different sourcetypes like cisco:esa:textmail and McAfee Firewall Enterprise (Sidewinder) etc.

I've set up a blank props.conf with the following syntax:
[host::10.1.1.2] sourcetype = cisco.esa.textmail
[host::10.1.1.1] sourcetype = cisco.esa.textmail

But in the search app the sourcetype is still cisco:asa.

What do I have to do additionally?

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...