I have 3 different log sources sending logs to Splunk from a number of hosts on UDP 514.
Breakdown: WLC (5-6 hosts), ESX (8) and Equallogic (6). However, so far I am only getting data from WLC hosts.
I am thinking of assigning different UDP ports for ESX and Equallogic hosts to ease categorization on Splunk.
What would be the ideal ports for the above log sources? Please advise.
Any free UDP port > 1024 so that you don't have to run Splunk under a user account with superuser privileges (required to open ports < 1024).
I also try to avoid UDP ports that are the default for common services.
Also worth considering that you can still send these 3 sourcetypes to the same UDP port (source) and then in your props.conf / transforms.conf have a rule that sets the sourcetype field based on the received data. This would also solve your need for easier categorization.
Example here: http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Advancedsourcetypeoverrides
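An added example (not from the answer above or from Splunk's documentation) of the props.conf / transforms.conf pairing that answer describes: all three device types keep sending to the one UDP 514 input, and the sourcetype is rewritten per event from its content. It assumes the input's source value is `udp:514`, and the regexes and sourcetype names are constructed placeholders to be adjusted against real ESX and EqualLogic messages.

```ini
# props.conf
# Assumption: events from the shared UDP input carry source=udp:514.
# Every event on that source is run through the listed transforms, in order.
[source::udp:514]
TRANSFORMS-set_sourcetype = set_st_esx, set_st_equallogic

# transforms.conf
# Each stanza tests the raw event against REGEX; on a match it rewrites the
# sourcetype. Events matching nothing keep the input's default sourcetype
# (for example syslog), so the WLC data is left as it was.

# Constructed pattern: ESXi syslog lines usually name a host agent process.
[set_st_esx]
REGEX = (?i)\b(vmkernel|hostd|vpxa|vmkwarning)\b
FORMAT = sourcetype::esx:syslog
DEST_KEY = MetaData:Sourcetype

# Constructed pattern: EqualLogic arrays identify themselves in the message text.
# Replace with a string taken from a captured sample before deploying.
[set_st_equallogic]
REGEX = (?i)\bEqualLogic\b
FORMAT = sourcetype::equallogic:syslog
DEST_KEY = MetaData:Sourcetype
```

Neither the UDP source address nor the content these rules match is authenticated, so the override only categorizes events; it should not be treated as proof of which device sent them.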
Hi @Damien,
Thanks for your input. I found that list very useful.
In that list 1514 and 1515 are not mentioned; however, I am already using 1514 for Meraki. Would it be safe to use 1515 for ESX hosts?
I am using props.conf / transforms.conf for Equallogic.
The following information assumes the use of a syslog server so that you have wide control of the syslog data as it comes in.
We use the different ports for different indexes and/or sourcetypes. We have the ports 51400 through 51499 set aside for those definitions and there don't seem to be any conflicts that we have had. That range is nice because it starts with 514 (which is the default syslog port).
In addition, you can set up an additional IP address and use the same port 514 on that IP address and do the same thing. Those are useful for devices/systems that can only use port 514, but you want to use a different source/index/sourcetype/etc.
We have data coming directly to a Heavy Forwarder; can we still use the above ports?
Yes, these ports should not be in use by anything else. They do not interfere with anything that Splunk uses currently.