Getting Data In
Highlighted

syslog indexing

Communicator

However at this point I am getting logs from syslog data source and they are saved at /central/$hostname$/gateway.log
I install the UF on syslog server and below is my inputs.conf file.

[root@sysxx ~]# cat /opt/splunkforwarder/etc/system/local/inputs.conf

[default]

[monitor:///cental/gateway/]
index = sophos
sourcetype = sophos:utm:firewall
disabled = 0

All my logs are going to main index.
If I move index and sourcetype parameter above to [monitor:///cental/gateway/] then I can see the logs under index=sophos.

how can I solve this.

in future I will have logs from more data sources and I want to index them under different index name.

0 Karma
Highlighted

Re: syslog indexing

SplunkTrust
SplunkTrust

I did not understand your question. If you put index = sophos sourcetype = sophos:utm:firewall data will go to sophos otherwise it will go to default index called main.

0 Karma
Highlighted

Re: syslog indexing

Communicator

let me explain in more detail:
1- I have one syslog server where all the network devices sending logs and that logs are saving at
/central/$hostname$/$hostname$.log
2- I install UF on that syslog server and configure it to send logs to HF.
3- with this config(as shown above), all logs are going to main index.

Interestingly, when I define index on top(before [monitor:///cental/gateway/]), the logs are getting saved in index=Sophos.

=========================================

I just experiment this on my workstation. my workstation is also sending logs to splunk.
below is my input.conf file.

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = os_xx1
disabled = 0

with that, the logs are not getting saved in index = os_xx1.

BUT WHEN I CHAGNE props.conf and transforms.conf, the logs are going to right index.
below is props.conf and transforms.conf:
props.conf
[WinEventLog:Security]
TRANSFORMS-Windows = windows_security

[WinEventLog://Microsoft-Windows-Sysmon/Operational]

TRANSFORMS-Windows = windows_sysmon

transforms.conf
[windowssecurity]
REGEX = (.*)
FORMAT = os
xx1
WRITE_META = true

[windowssysmon]
REGEX = (.*)
FORMAT = os
xx1
WRITE_META = true

========================================================

0 Karma
Highlighted

Re: syslog indexing

Communicator
0 Karma
Highlighted

Re: syslog indexing

SplunkTrust
SplunkTrust

Hi riqbal, I think part of the issue might be related to some additional config you aren't aware of. Try running btool to get an view of all the inputs config. A usage example is:

/opt/splunk/bin/splunk btool --debug inputs list

This will give you a rolled up view of all inputs config.

Additionally, you can look at inputs config from Splunk with this app I made for this purpose : https://splunkbase.splunk.com/app/3923/

Although it seems less likely, there could also be some props.conf config causing issues (rewriting the index config), but I think doing a thorough examination of the inputs config at each step will be the most helpful thing to do.

Please let me know if this helps!

0 Karma