We have the switches configured to send via Kiwi syslog - the syslog server is also installed on the Splunk server. We have the Data Inputs in Splunk listening on 514 TCP and UDP, with a source type of syslog. TCP is also listening on 601 with a source type of cisco_syslog.

The switch shows (show logging command):

    Syslog logging: enabled
    Trap Logging Informational, 245 message lines logged
    Logging to <Splunk/KiwiIP> (udp port 514, audit disabled, link up) ...
    Logging to <Splunk/KiwiIP> (tcp port 601, audit disabled, link up) ...