Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Syslog from multiple devices

7070ithelpdesk
New Member
‎04-24-2013 09:49 AM

I have riverbed 10.10.10.1 and barracuda 10.10.10.2 both writing syslog (on UDP 514 which I cannot change) to my Splunk server

all was well when I just had barracuda data as I set a manual UDP data input

UDP 514 sourcetype barracuda

but now I ALSO need a UDP 514 sourcetype riverbed_steelhead

I dont have resource to set up another product to split these in advance of arriving on the Splunk server

any help would really be appreciated

Tags (1)
0 Karma
Reply

7070ithelpdesk
New Member
‎04-25-2013 02:42 AM

I added the sourcetypes below in the props.conf in the folder

C:\Program Files\Splunk\etc\system\default

I then set my UDP 514 input back to the default syslog

an I get no data from my Barracuda

0 Karma
Reply

7070ithelpdesk
New Member
‎04-25-2013 02:39 AM

Thanks for this

I have quite a few apps installed and each seems to have its own "props.conf" (31 in total) when I seach the Splunk top level folder

I assume the entry has to be in the "main" props.conf

Could you tell me which one to edit

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎04-24-2013 10:11 AM

In props.conf, set sourcetype by Host IP.

[host::10.10.10.1]
sourcetype=barracuda

[host::10.10.10.2]
sourcetype=riverbed_steelhead

http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf

Reply

MOberschelp
Explorer
‎02-24-2015 12:57 AM

I have tried this solution for my problem.

I've set up UDP 514 for sourcetype cisco:asa (most of the syslog hosts are cisco asa's).
But I need syslog for different sourcetypes like cisco:esa:textmail and McAfee Firewall Enterprise (Sidewinder) etc.

I've set up a blank props.conf with the following syntax:
[host::10.1.1.2] sourcetype = cisco.esa.textmail
[host::10.1.1.1] sourcetype = cisco.esa.textmail

But in the search app the sourcetype is still cisco:asa.

What do I have to do additionally?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...

Data Management Digest – January 2026

Welcome to the January 2026 edition of Data Management Digest! Welcome to the January 2026 edition of Data ...

Splunk SOAR Now Available on Google Cloud Platform

We’re excited to announce that Splunk SOAR is now natively available as a SaaS solution on Google Cloud ...