Getting Data In

inputs.conf - Can we declare multiple sourcetypes depending upon where the origin of the logs is?

paulgo
Explorer

We're sending logs to SplunkCloud over port 514 using the following stanza in inputs.conf


[udp://514]
index=syslog
disabled=false
sourcetype=syslog


This works great; however, we are now sending more than one type of log this way. Can we declare multiple sourcetypes depending upon where the origin of the logs is? For example: if they are from IP address A, give it the "firewall" sourcetype, and from IP address B, give it the "crontab" sourcetype?

0 Karma

gcusello
SplunkTrust

Hi @paulgo,

In general it's a best practice to use one or (better) two Heavy Forwarders (with a Load Balancer) on premise to ingest the syslogs and then send the logs to Splunk Cloud, so you can configure the syslog receiving as I'll describe below; otherwise, as @richgalloway said, it isn't possible, because you need to access the conf files and this isn't possible in Splunk Cloud.

Anyway, on premise, you can create in inputs.conf a dedicated stanza for each IP address, choosing a different sourcetype for each, but it must be unique.

The only problem is that you must do this only via conf file and not via GUI, because Splunk finds port 514 already in use, so you have to create in inputs.conf something like this:


[tcp://10.10.10.10:514]
sourcetype = sourcetype1
connection_host = ip

[tcp://10.10.10.11:514]
sourcetype = sourcetype2
connection_host = ip

[tcp://10.10.10.12:514]
sourcetype = sourcetype3
connection_host = ip


and restart Splunk on this server.

Otherwise, you have to override the sourcetype value following the instructions at https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/Advancedsourcetypeoverrides#:~:text=You%20ca....

Ciao.

Giuseppe

0 Karma
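The sourcetype-override route that the docs link above describes can be applied to the original single [udp://514] input on an on-premise Heavy Forwarder, so that one listener stays on port 514 and the sourcetype is chosen per sender at index time. The following props.conf/transforms.conf pair is an added example, not configuration from either poster or from Splunk's documentation; the IP addresses 192.0.2.10 and 192.0.2.20 are constructed, the stanza names set_st_firewall and set_st_crontab are hypothetical, and the sourcetype names firewall and crontab are taken from the question.

```conf
# --- inputs.conf (on the on-premise Heavy Forwarder) ---
# Same listener as in the question. connection_host = ip makes the host
# field of every event the sender's IP address, which is what the
# [host::...] stanzas in props.conf below match on. (Constructed example.)
[udp://514]
index = syslog
disabled = false
sourcetype = syslog
connection_host = ip

# --- props.conf ---
# A [host::<ip>] stanza applies only to events whose host field equals
# that IP, so each sender gets its own transform. The hypothetical
# transform names must match the stanzas in transforms.conf.
[host::192.0.2.10]
TRANSFORMS-sourcetype = set_st_firewall

[host::192.0.2.20]
TRANSFORMS-sourcetype = set_st_crontab

# --- transforms.conf ---
# REGEX = . matches any non-empty event; DEST_KEY = MetaData:Sourcetype
# is the index-time key that holds the sourcetype, and FORMAT supplies
# the new value in the sourcetype::<name> form the key expects.
[set_st_firewall]
REGEX = .
FORMAT = sourcetype::firewall
DEST_KEY = MetaData:Sourcetype

[set_st_crontab]
REGEX = .
FORMAT = sourcetype::crontab
DEST_KEY = MetaData:Sourcetype
```

Events from any other sender keep the syslog sourcetype set on the input, so a new device that starts talking to port 514 is still indexed rather than dropped, which is worth checking for in a search such as `index=syslog sourcetype=syslog` after the change. Because the [host::...] match uses the host value as it arrives from the input, keep connection_host = ip rather than dns; a sender whose reverse DNS changes would otherwise silently stop matching its stanza.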

richgalloway
SplunkTrust

Splunk cannot do that, and it is one of the reasons why best practice is to send syslog data to a dedicated syslog server (syslog-ng or rsyslog, for example). The syslog server writes the events to disk files, which are monitored by a Universal Forwarder.

Another option is to run the Splunk Connect for Syslog (SC4S) app. SC4S is a container that runs a configured syslog-ng process that forwards events to Splunk via HEC. See https://splunkbase.splunk.com/app/4740

---
If this reply helps you, Karma would be appreciated.
0 Karma
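The dedicated-syslog-server layout described above, written out for rsyslog plus a Universal Forwarder, as an added example that is not part of the reply or of any Splunk or rsyslog documentation. It assumes rsyslog with the imudp module, the constructed directory /var/log/remote, the constructed sender addresses 192.0.2.10 and 192.0.2.20, the hypothetical template and ruleset names perSender and remote, and the sourcetype names firewall and crontab from the question.

```conf
# --- /etc/rsyslog.d/10-remote.conf (on the syslog server; constructed) ---
# Listen on UDP 514 and hand every remote message to the "remote" ruleset
# so that it never mixes with the server's own local logs.
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")

# One directory per sending IP address, one file per day inside it.
# %fromhost-ip% is the source address of the UDP datagram, not the
# hostname the sender wrote into its syslog header.
template(name="perSender" type="string"
         string="/var/log/remote/%fromhost-ip%/%$year%-%$month%-%$day%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="perSender"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# --- inputs.conf (on the Universal Forwarder running on that server) ---
# Each sender's directory gets its own monitor stanza and therefore its
# own sourcetype. host_segment = 4 takes the 4th path segment
# (/var/log/remote/<ip>/...) as the host field, so the IP that rsyslog
# used for routing becomes the Splunk host for every event.
[monitor:///var/log/remote/192.0.2.10]
sourcetype = firewall
index = syslog
host_segment = 4
disabled = false

[monitor:///var/log/remote/192.0.2.20]
sourcetype = crontab
index = syslog
host_segment = 4
disabled = false
```

A sender that is not listed still lands on disk under its own IP directory, so nothing is lost while it waits for a stanza; a catch-all `[monitor:///var/log/remote]` with sourcetype = syslog placed after the specific stanzas covers that gap, since Splunk applies the most specific matching monitor path. The per-day file name also gives you log rotation for free, which keeps the forwarder's file-tracking state small on a busy 514 listener.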