I am trying to forward log files from our Aruba Controller to Splunk but not sure how to configure the data input
I set up a data input of UDP port 514 but what should the source type be?
The Aruba Controller has an option for syslog formatting of either CEF or RFC 3164.
Which format is more Splunk friendly?
On Splunk, I installed the Aruba Networks Add-on for Splunk, created the udp:514 data input, specified aruba:syslog as source type and placed it in a wifi index.
On Aruba controller, I forwarded logs to Splunk.
The events in Splunk look different than I'm used to. It may just be because its not from a Windows box. Some events have multiple records in it. It made me thing the data wasn't getting parsed correctly.