Syslog from multiple devices

7070ithelpdesk · ‎04-24-2013

I have riverbed 10.10.10.1 and barracuda 10.10.10.2 both writing syslog (on UDP 514 which I cannot change) to my Splunk server

all was well when I just had barracuda data as I set a manual UDP data input

UDP 514 sourcetype barracuda

but now I ALSO need a UDP 514 sourcetype riverbed_steelhead

I dont have resource to set up another product to split these in advance of arriving on the Splunk server

any help would really be appreciated

7070ithelpdesk · ‎04-25-2013

I added the sourcetypes below in the props.conf in the folder

C:\Program Files\Splunk\etc\system\default

I then set my UDP 514 input back to the default syslog

an I get no data from my Barracuda

7070ithelpdesk · ‎04-25-2013

Thanks for this

I have quite a few apps installed and each seems to have its own "props.conf" (31 in total) when I seach the Splunk top level folder

I assume the entry has to be in the "main" props.conf

Could you tell me which one to edit

alacercogitatus · ‎04-24-2013

In props.conf, set sourcetype by Host IP.

[host::10.10.10.1] sourcetype=barracuda

[host::10.10.10.2] sourcetype=riverbed_steelhead

http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf

MOberschelp · ‎02-24-2015

I have tried this solution for my problem.

I've set up UDP 514 for sourcetype cisco:asa (most of the syslog hosts are cisco asa's).
But I need syslog for different sourcetypes like cisco:esa:textmail and McAfee Firewall Enterprise (Sidewinder) etc.

I've set up a blank props.conf with the following syntax:
[host::10.1.1.2] sourcetype = cisco.esa.textmail
[host::10.1.1.1] sourcetype = cisco.esa.textmail

But in the search app the sourcetype is still cisco:asa.

What do I have to do additionally?

Syslog from multiple devices

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!