Hi everyone,
In my environment, we are collecting logs from several types of devices on a syslog server, then forwarding the data to the indexers. Most of the data comes into the syslog server on port 514. We have brocade, juniper, f5, cisco, bluecoat, and some others. This example I found to use syslog-ng with Splunk I think is fantastic: https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html
Essentially, the configuration takes the incoming data and automatically separates it by device type. So the syslog server would put juniper into /logs/juniper, brocade into /logs/brocade, f5 into /logs/f5, etc. Then I could just create an input stanza in Splunk that says anything under /juniper gets tagged with the juniper sourcetype, /brocade gets the brocade sourcetype, etc.
This is exactly what we would want. My question though, which comes from a lack of understanding syslog in depth, is how would we take all of this different data coming into syslog on port 514 and have syslog automatically determine what type of device the data is coming from? In the example, it looks like that might be what the filters are doing... but if that's true, how would I figure out a filter to identify each device type's data?
Oh, and I should add that each device type is using the same standard syslog format, I believe, and when looking at the different data, there didn't seem to be any key indicators that identify what type of device the data is coming from.
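As an added illustration (not part of the original post or of the linked Splunk blog), here is what the filter-based separation looks like in a syslog-ng configuration. Since the message bodies carry no vendor marker, the filters key on what the syslog server does know for certain: the sender's address or hostname, with a message-content check (`program()` / `match()`) as a secondary hint. The subnets, hostname prefixes and program names are assumed placeholders for this example; replace them with your own.

```conf
@version: 3.8

# Everything arrives on 514, UDP and TCP, regardless of vendor.
source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Classification filters. The most reliable key is the sender itself:
# netmask() matches the source IP, host() is a regex on the HOST field.
# ASSUMED values: 10.1.10.0/24 = Juniper mgmt VLAN, "brcd-" = Brocade
# hostname prefix, "tmm" = F5 TMM process, "%...-N-" = Cisco message tag.
filter f_juniper { netmask("10.1.10.0/24") or host("^jnp-"); };
filter f_brocade { netmask("10.1.20.0/24") or host("^brcd-"); };
filter f_f5      { netmask("10.1.30.0/24") or program("^tmm"); };
filter f_cisco   { netmask("10.1.40.0/24")
                   or match("^%[A-Z0-9_]+-[0-7]-" value("MESSAGE")); };
filter f_bluecoat { netmask("10.1.50.0/24") or host("^bcsg-"); };

# One directory per device type; create-dirs(yes) builds the path on demand.
destination d_juniper  { file("/logs/juniper/$HOST/$YEAR-$MONTH-$DAY.log"  create-dirs(yes)); };
destination d_brocade  { file("/logs/brocade/$HOST/$YEAR-$MONTH-$DAY.log"  create-dirs(yes)); };
destination d_f5       { file("/logs/f5/$HOST/$YEAR-$MONTH-$DAY.log"       create-dirs(yes)); };
destination d_cisco    { file("/logs/cisco/$HOST/$YEAR-$MONTH-$DAY.log"    create-dirs(yes)); };
destination d_bluecoat { file("/logs/bluecoat/$HOST/$YEAR-$MONTH-$DAY.log" create-dirs(yes)); };
# Anything that matched no filter lands here so it is never silently dropped.
destination d_unknown  { file("/logs/unknown/$HOST/$YEAR-$MONTH-$DAY.log"  create-dirs(yes)); };

# flags(final) stops a message after its first match, so order matters:
# the most specific filters go first, the catch-all last.
log { source(s_net); filter(f_juniper);  destination(d_juniper);  flags(final); };
log { source(s_net); filter(f_brocade);  destination(d_brocade);  flags(final); };
log { source(s_net); filter(f_f5);       destination(d_f5);       flags(final); };
log { source(s_net); filter(f_cisco);    destination(d_cisco);    flags(final); };
log { source(s_net); filter(f_bluecoat); destination(d_bluecoat); flags(final); };
log { source(s_net); destination(d_unknown); };
```

Each /logs/<vendor> directory then maps to one monitor stanza in Splunk with the matching sourcetype; watching /logs/unknown tells you which senders still need a filter.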