Getting Data In

Syslog from multiple devices

7070ithelpdesk
New Member

I have Riverbed 10.10.10.1 and Barracuda 10.10.10.2 both writing syslog (on UDP 514, which I cannot change) to my Splunk server.

All was well when I just had Barracuda data, as I set a manual UDP data input:

UDP 514 sourcetype barracuda

But now I ALSO need a UDP 514 sourcetype riverbed_steelhead.

I don't have resource to set up another product to split these in advance of arriving on the Splunk server.

Any help would really be appreciated.

0 Karma

7070ithelpdesk
New Member

I added the sourcetypes below in the props.conf in the folder

C:\Program Files\Splunk\etc\system\default

I then set my UDP 514 input back to the default syslog

and I get no data from my Barracuda.

0 Karma

7070ithelpdesk
New Member

Thanks for this.

I have quite a few apps installed and each seems to have its own "props.conf" (31 in total) when I search the Splunk top-level folder.

I assume the entry has to be in the "main" props.conf.

Could you tell me which one to edit?

0 Karma

alacercogitatus
SplunkTrust

In props.conf, set sourcetype by host IP.

# Riverbed SteelHead (10.10.10.1 in the question)
[host::10.10.10.1]
sourcetype=riverbed_steelhead

# Barracuda (10.10.10.2 in the question)
[host::10.10.10.2]
sourcetype=barracuda

http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf

MOberschelp
Explorer

I have tried this solution for my problem.

I've set up UDP 514 for sourcetype cisco:asa (most of the syslog hosts are Cisco ASAs).
But I need syslog for different sourcetypes like cisco:esa:textmail and McAfee Firewall Enterprise (Sidewinder), etc.

I've set up a blank props.conf with the following syntax:
[host::10.1.1.2] sourcetype = cisco.esa.textmail
[host::10.1.1.1] sourcetype = cisco.esa.textmail

But in the search app the sourcetype is still cisco:asa.

What do I have to do additionally?

0 Karma
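
An index-time way to split one UDP 514 input into per-device sourcetypes, added here as an example and not taken from any post in this thread: a transform matches the sending host and rewrites the sourcetype metadata key. The transform stanza names are hypothetical, and the example assumes the input records the sender's IP address as the host value.

```ini
# ---- inputs.conf ----
# Assumed existing input. connection_host = ip makes the host field the
# sender's IP address, which the transforms below match on. The sourcetype
# here is only the default for senders that match no transform.
[udp://514]
connection_host = ip
sourcetype = syslog

# ---- props.conf ----
# Apply the overrides to everything arriving on this input
# (the source value of a UDP 514 input is "udp:514").
[source::udp:514]
TRANSFORMS-sourcetype_by_host = st_riverbed_by_host, st_barracuda_by_host

# ---- transforms.conf ----
# Stanza names are hypothetical. MetaData:Host values carry a "host::" prefix,
# so the regex anchors on it and escapes the dots to avoid matching
# look-alike addresses such as 10.10.10.10 or 10.10.10.1x.
[st_riverbed_by_host]
SOURCE_KEY = MetaData:Host
REGEX = ^host::10\.10\.10\.1$
FORMAT = sourcetype::riverbed_steelhead
DEST_KEY = MetaData:Sourcetype

[st_barracuda_by_host]
SOURCE_KEY = MetaData:Host
REGEX = ^host::10\.10\.10\.2$
FORMAT = sourcetype::barracuda
DEST_KEY = MetaData:Sourcetype

# If host extraction from the syslog header rewrites host to a device name,
# match that name in REGEX instead of the IP address.
```

Put these settings in etc\system\local (or an app's local directory) rather than etc\system\default, which is replaced on upgrade, and restart Splunk. The override applies only to events indexed after the change; already-indexed events keep their old sourcetype.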