Getting Data In

What tips or documentation can help me with a first time Splunk setup of three different types of syslog coming in: Firewall, Windows and Linux?

batsona
Engager

Greetings -- Long-time user, first-time SysAdmin (of SPLUNK). I'm sure this is documented, but can someone point me to the specific info I need, or supply some tips? I can read about all this just fine, if someone can point me at the specific docs needed...

1.) I have three different types of Syslog coming in: Firewall, Windows, and Linux. I guess this means I need three different SourceTypes, so a different set of Interesting Fields is pulled out for each? How do I create 3 custom SourceTypes, each with its own set of Interesting Fields...?

2.) I need to store the raw syslog data for my Firewalls, Windows & Linux machines on the SPLUNK server, so it can be viewed by auditors. How do I configure that? --How can I configure aging / archiving of these syslog entries? (three different directory paths for three different types of syslog)

3.) I am currently using one SourceType, and I have a single firewall using it. I'm displaying way more Interesting Fields than what I need. For instance, I'm displaying "hours", and all my entries have 24 values (zero through 23); this is useless. How can I get SPLUNK to stop spinning CPU cycles indexing data on useless fields? There's a good chance I'll be forced to do this on a Virtual Machine, so I only want SPLUNK spending I/O on fields that I say are interesting...

Thanks!

trsavela
Path Finder

1) I use syslog as the source type. I use host_regex in the inputs to properly set the host name; all the logs have the server name included. I use a transform to add a friendly log name based on the source. Not necessary, but some of my users find this handy.

2) You want to manage your buckets to move data. I use volumes to keep relevant data on fast disk and aged data goes to slow disk.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Configureindexstoragesize

3) You want to make sure you have the right search mode selected, fast is your friend.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Search/Changethesearchmode
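An added example, not part of trsavela's answer or the original thread: the Splunk .conf stanzas that implement what the answer describes (host_regex on the inputs, a transform that tags events with a friendly log name based on the source, and volumes in indexes.conf so hot/warm buckets sit on fast disk and cold buckets on slow disk), laid out for the three log types the question asks about. The directory layout, index names, volume paths and sizes, retention period, and the regexes are assumptions for illustration; adjust them to the real syslog relay layout. The stanzas go in $SPLUNK_HOME/etc/system/local/ (or an app's local/ directory) and need an indexer restart.

```ini
# ---- inputs.conf ----
# Assumption: the syslog relay writes one file per sending host into a
# directory per log type, e.g. /var/log/remote/firewall/fw-edge-01.log.
# The first capture group of host_regex (matched against the file path)
# becomes the event host, so the filename must carry the sender's name.
[monitor:///var/log/remote/firewall/*.log]
sourcetype = syslog
index = fw
host_regex = /var/log/remote/firewall/([^/]+)\.log$

[monitor:///var/log/remote/windows/*.log]
sourcetype = syslog
index = win
host_regex = /var/log/remote/windows/([^/]+)\.log$

[monitor:///var/log/remote/linux/*.log]
sourcetype = syslog
index = linux
host_regex = /var/log/remote/linux/([^/]+)\.log$

# ---- props.conf ----
# Attach the source-based transforms to the syslog sourcetype. Splunk's
# default [syslog] stanza already extracts host from the event text; the
# TRANSFORMS-logtype class below is added alongside it, not in place of it.
[syslog]
TRANSFORMS-logtype = logtype-fw, logtype-win, logtype-linux

# ---- transforms.conf ----
# Each transform inspects the source path (MetaData:Source) and writes an
# indexed field "logtype" with a friendly name, so searches can filter on
# logtype=firewall without having to remember index or path names.
[logtype-fw]
SOURCE_KEY = MetaData:Source
REGEX = /remote/firewall/
FORMAT = logtype::firewall
WRITE_META = true

[logtype-win]
SOURCE_KEY = MetaData:Source
REGEX = /remote/windows/
FORMAT = logtype::windows
WRITE_META = true

[logtype-linux]
SOURCE_KEY = MetaData:Source
REGEX = /remote/linux/
FORMAT = logtype::linux
WRITE_META = true

# ---- fields.conf ----
# Declare the field as indexed so "logtype=firewall" is resolved at index
# time instead of being treated as a search-time extraction.
[logtype]
INDEXED = true

# ---- indexes.conf ----
# Two volumes: hot/warm buckets on fast storage, cold buckets on slow storage.
# Sizes are assumptions; Splunk rolls the oldest buckets when a volume fills.
[volume:fast]
path = /opt/splunk/fastdisk
maxVolumeDataSizeMB = 500000

[volume:slow]
path = /mnt/slowdisk
maxVolumeDataSizeMB = 2000000

# One index per log type gives each its own retention and archive directory.
# thawedPath may not reference a volume, so it stays under $SPLUNK_DB.
# frozenTimePeriodInSecs = 1 year (assumed); when a bucket ages out, it is
# copied to coldToFrozenDir (the raw journal is kept) instead of deleted.
[fw]
homePath   = volume:fast/fw/db
coldPath   = volume:slow/fw/colddb
thawedPath = $SPLUNK_DB/fw/thaweddb
frozenTimePeriodInSecs = 31536000
coldToFrozenDir = /mnt/archive/fw

[win]
homePath   = volume:fast/win/db
coldPath   = volume:slow/win/colddb
thawedPath = $SPLUNK_DB/win/thaweddb
frozenTimePeriodInSecs = 31536000
coldToFrozenDir = /mnt/archive/win

[linux]
homePath   = volume:fast/linux/db
coldPath   = volume:slow/linux/colddb
thawedPath = $SPLUNK_DB/linux/thaweddb
frozenTimePeriodInSecs = 31536000
coldToFrozenDir = /mnt/archive/linux
```

With this layout the three monitored directories on the relay already hold the raw syslog files auditors can read, and the per-index coldToFrozenDir keeps an archive of what Splunk indexed after it ages out, so the three archive paths map to the three log types. The indexed logtype field costs a little disk per event; if only a handful of searches need it, a search-time lookup on source is the lighter choice.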
