Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use one or two TCP/UDP ports for two different sources of Syslog if I want them in separate sourcetypes

kashyap2702
New Member
‎08-30-2017 05:01 AM

In my app, I want Syslog from two different sources in two different sourcetypes (since they both are of different types). I have two options for this:
- enable two ports and assign different sourcetypes to both
- collect them on single port and assign different sourcetypes using regex (will require much analysis of logs)

What is the recommended approach ?

Thanks,
Kashyap

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎08-30-2017 11:12 AM

The best practice approach for syslog collection is to send your log data to a syslog server, apply proper policies in syslog server to write to separate files/folder and use a Universal Forwarder on the syslog server to process the log files the splunky way.

Note that if you send syslog to a Splunk listener, you will lose data every time you have to restart Splunk, e.g. to apply configuration changes. Plus, as you are just finding out, you have to have a separate port for each sourcetype, which gets messy quickly.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-04-2017 10:31 AM

Always use distinct (in this case 2) ports. Then you can debug problems from the outside using OS tools, too.
If you are stuck using a single port then you should use this project and help contribute to the auto-sourcetypeing RegEx list:
https://github.com/splunk/splunk-connect-for-syslog/wiki

0 Karma
Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎08-30-2017 11:12 AM

The best practice approach for syslog collection is to send your log data to a syslog server, apply proper policies in syslog server to write to separate files/folder and use a Universal Forwarder on the syslog server to process the log files the splunky way.

Note that if you send syslog to a Splunk listener, you will lose data every time you have to restart Splunk, e.g. to apply configuration changes. Plus, as you are just finding out, you have to have a separate port for each sourcetype, which gets messy quickly.

0 Karma
Reply
Solved! Jump to solution

gcusello
Esteemed Legend
‎08-30-2017 07:28 AM

Hi kashyap2702,
if you can I'd prefer the first.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...