I have logs coming from different sources like Juniper IDS, Cisco firewall, Blue Coat proxy, Nessus etc. Currently I have sample logs from these sources and these are present on my local system. I want to forward/upload these logs to Splunk Enterprise Security and check the different dashboards.
I have read in the Splunk documentation that the logs must have the correct sourcetypes so that Splunk can properly index them and perform efficient searches. The problem which I am facing is how to forward these logs to Splunk with the correct sourcetypes so that they are processed by Enterprise Security.
I have already tried the following things:
Edited the inputs.conf file. But the challenge is to determine the source type for each input.
Forwarded the logs to TCP/UDP port 514. But again the problem is to determine the source types.
My questions are:
How to forward/upload the logs from different sources to Splunk along with the correct source types so that they are detected by various apps like Splunk Enterprise Security?
Can Splunk automatically identify the sourcetypes on seeing the logs?
What considerations should be taken while forwarding logs for analysis using Splunk Enterprise Security?
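As an added illustration that is not part of the original post, below is an inputs.conf that pins an explicit sourcetype and index to each monitored sample file, so Splunk does not have to guess. The file paths and index names are assumptions; the sourcetype values are the ones used by the corresponding Splunk add-ons as far as I know them, and must be checked against the add-on actually installed, since Enterprise Security's data models only map events that carry the add-on's sourcetype.

```ini
# inputs.conf (example, not from the original post)
# Place under $SPLUNK_HOME/etc/apps/<your_app>/local/ on the indexer or forwarder.
# One monitor stanza per sample file; paths and index names are assumed.

[monitor:///opt/samples/cisco_asa.log]
sourcetype = cisco:asa
index = network
disabled = 0

[monitor:///opt/samples/bluecoat_proxysg.log]
# File-based ProxySG access logs; syslog-delivered ones use the ":syslog" variant
sourcetype = bluecoat:proxysg:access:file
index = proxy
disabled = 0

[monitor:///opt/samples/juniper_idp.log]
sourcetype = juniper:idp
index = ids
disabled = 0

[monitor:///opt/samples/nessus_scan.log]
sourcetype = nessus:scan
index = vuln
disabled = 0

# A network input can carry only ONE static sourcetype. Sending Cisco, Juniper
# and Blue Coat syslog to the same port 514 therefore cannot tag them correctly.
# Give each device its own listener (or use a transforms.conf override keyed
# on host) instead of a single shared port.
[udp://5514]
sourcetype = cisco:asa
index = network
connection_host = ip
disabled = 0
```

After restarting Splunk, a search such as `index=network sourcetype=cisco:asa | head 5` confirms events arrived with the intended tag; if the corresponding add-on is installed, `| datamodel Network_Traffic search` should return them as well.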