Getting Data In

What tips or documentation can help me with a first time Splunk setup of three different types of syslog coming in: Firewall, Windows and Linux?

batsona
Engager

Greetings -- Long-time user, first-time SysAdmin (of SPLUNK). I'm sure this is documented, but can someone point me to the specific info I need, or supply some tips? I can read about all this just fine, if someone can point me at the specific docs needed...

1.) I have three different types of Syslog coming in; Firewall, Windows, and Linux. I guess this means I need three different SourceTypes, so a different set of Interesting Fields is pulled out for each? How do I create 3 custom SourceTypes each with its own set of Interesting Fields...?

2.) I need to store the raw syslog data for my Firewalls, Windows & Linux machines on the SPLUNK server, so it can be viewed by auditors. How do I configure that? --How can I configure aging / archiving of these syslog entries? (three different directory paths for three different types of syslog)

3.) I currently am using one SourceType, and I have a single firewall using it. I'm displaying way more Interesting Fields than what I need. For instance, I'm displaying "hours", and all my entries have 24 values (zero through 23); this is useless. How can I get SPLUNK to stop spinning CPU cycles, indexing data on useless fields? There's a good chance I'll be forced to do this on a Virtual Machine, so I only want SPLUNK spending I/O on fields that I say are interesting...

Thanks!

trsavela
Path Finder

1) I use syslog as the source type. I use host_regex in the inputs to properly set the host name; all the logs have the server name included. I use a transform to add a friendly log name based on the source, not necessary but some of my users find this handy.

2) You want to manage your buckets to move data. I use volumes to keep relevant data on fast disk and aged data goes to slow disk.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Configureindexstoragesize

3) You want to make sure you have the right search mode selected, fast is your friend.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Search/Changethesearchmode
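A concrete layout for the three inputs, the source-based friendly name and the volume-backed retention trsavela describes, as an added example that is not part of either post. It assumes a local syslog daemon already writes each device family to its own directory tree; all paths, index names, sourcetype names and size values are assumed.

```ini
# inputs.conf -- one monitor input per log family. A local syslog daemon
# (assumed, e.g. rsyslog) writes raw lines to
# /var/log/syslog/<family>/<hostname>/messages.log, so the raw files also
# stay on disk for auditors (question 2). host_regex pulls the host from the path.
[monitor:///var/log/syslog/firewall]
sourcetype = fw_syslog
index = syslog_fw
host_regex = /var/log/syslog/firewall/([^/]+)/

[monitor:///var/log/syslog/windows]
sourcetype = win_syslog
index = syslog_win
host_regex = /var/log/syslog/windows/([^/]+)/

[monitor:///var/log/syslog/linux]
sourcetype = linux_syslog
index = syslog_linux
host_regex = /var/log/syslog/linux/([^/]+)/

# props.conf -- index-time transform that tags each event with a friendly
# log_name taken from its source path.
[source::/var/log/syslog/...]
TRANSFORMS-logname = add_log_name

# transforms.conf
[add_log_name]
SOURCE_KEY = MetaData:Source
REGEX = ^/var/log/syslog/([^/]+)/
FORMAT = log_name::$1
WRITE_META = true

# indexes.conf -- hot/warm buckets on fast disk, cold buckets on slow disk,
# and frozen buckets archived to a directory instead of deleted.
# Retention and sizes are assumed values; repeat the index stanza for
# syslog_win and syslog_linux.
[volume:fast]
path = /opt/splunk/fast
maxVolumeDataSizeMB = 200000

[volume:slow]
path = /mnt/slow/splunk
maxVolumeDataSizeMB = 2000000

[syslog_fw]
homePath   = volume:fast/syslog_fw/db
coldPath   = volume:slow/syslog_fw/colddb
thawedPath = $SPLUNK_DB/syslog_fw/thaweddb
frozenTimePeriodInSecs = 31536000
coldToFrozenDir = /mnt/archive/splunk/syslog_fw
```

Because log_name is written at index time, add `[log_name]` with `INDEXED = true` to fields.conf so searches on it use the indexed value; per-sourcetype field extraction for the Interesting Fields in question 1 is then done with EXTRACT- stanzas under each sourcetype in props.conf.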
