Getting Data In

multiple syslog servers question

boeckelr
New Member

Hi everyone,

I have a question about setting up Splunk to record syslog messages from 2 different syslog servers.

I am using the basic Splunk - no extra licenses - and it's running on Windows 7 64bit.

Here is my setup:

I have a border router, and its inside IP address is 10.0.0.1.

Behind the border router I have an ASA 5505 for the firewall - its inside IP is 192.168.1.1.

I want to collect the syslog messages from both of these devices. I am using UDP 514 for Syslog on both the router and firewall.

I am able to set up Splunk to listen and record everything that is coming into UDP 514, which gives me the syslog data for both the router and firewall all mixed together.

I would prefer if I could have Splunk listen for and record syslog for my router and, separately, listen to and record syslog data from my firewall. That way I could have labels on each - one for the router, and one for the firewall - which would make it easier to distinguish between the router's and firewall's syslog messages.

The problem is I can't figure out how to set it up to do this.

About the only thing I can think of is to keep the router's syslog coming from UDP 514, while changing the firewall so it uses a different UDP port for syslog.

Is that the only option that I have? Or is there a more elegant solution out there?

Thanks in advance for your help....

Mike


sdaniels
Splunk Employee

You can take the UDP input and separate those formats into separate sourcetypes.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

This previous answer will probably be helpful to you.

http://splunk-base.splunk.com/answers/6917/different-sourcetypes-for-different-syslog-hosts
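As an added worked example (not part of sdaniels' answer or the linked docs), here is what the host-based sourcetype override looks like in configuration files, using the two IP addresses from the question. The sourcetype names cisco:ios and cisco:asa, the transform names, and the file locations are assumptions; any labels work as long as props.conf and transforms.conf agree.

```ini
# Added example, not from the thread: split one UDP:514 input into two sourcetypes by
# sending host, via the advanced sourcetype override mechanism linked above.
# Assumed location: $SPLUNK_HOME/etc/system/local/ (on Windows, %SPLUNK_HOME%\etc\system\local\)
# or the local/ directory of your own app. Restart Splunk after editing.
# Sourcetype names below (cisco:ios, cisco:asa) are assumed; choose your own labels.

# ---- inputs.conf ----
# connection_host = ip sets the host field to the sender's IP address rather than a
# reverse-DNS name, so the regexes below can match the literal addresses.
[udp://514]
sourcetype = syslog
connection_host = ip

# ---- props.conf ----
# Run both transforms on every event that arrives on the UDP 514 input.
[source::udp:514]
TRANSFORMS-set_sourcetype = set_router_sourcetype, set_fw_sourcetype

# ---- transforms.conf ----
# SOURCE_KEY = MetaData:Host matches against the host metadata value, which carries
# a "host::" prefix, so the regexes anchor only on the end of the value.
[set_router_sourcetype]
SOURCE_KEY = MetaData:Host
REGEX = 10\.0\.0\.1$
FORMAT = sourcetype::cisco:ios
DEST_KEY = MetaData:Sourcetype

[set_fw_sourcetype]
SOURCE_KEY = MetaData:Host
REGEX = 192\.168\.1\.1$
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype
```

Before writing the regexes, confirm what Splunk actually records as the host for each device, for example with `source=udp:514 | stats count by host` over recent events: if the firewall's syslog is NATed on its way to the Splunk box, or if the input resolves hosts by DNS, the host value will not be the inside address from the question. After the restart, `source=udp:514 | stats count by host, sourcetype` should show each host mapped to exactly one of the two new sourcetypes, with anything still tagged `syslog` indicating a sender the regexes did not match.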
