Hi All,
New to Splunk> and trying to wrap my head around things... I have a host (it's a Linux Firewall/IDS) that is transmitting all syslog data to my Splunk server. I'm really only concerned about the iptables drops and snort alerts.
I've entered the following in inputs.conf:
[udp://192.168.1.1:514]
sourcetype = snort
[udp://192.168.2.1:514]
sourcetype = snort
*not sure if this is correct...
In my reading of the Splunk docs, it seems that I now need to do something with props.conf so that I can parse the incoming syslog data for snort and iptables logs.
Am I right or totally off? Any help would be great!
Thanks!
Justin
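One way to wire this up, as an added example that is not part of the original post: the inputs stay generic syslog, index-time transforms re-route iptables and snort events to their own sourcetypes, and each sourcetype gets its own search-time field extraction. It assumes sourcetype names `iptables` and `snort`, that the firewall's `-j LOG` rule uses a log prefix containing `IPTABLES DROP:` (adjust the regex to whatever prefix the firewall actually uses), and that snort writes alerts to syslog in its standard `[gid:sid:rev] ... {PROTO} src -> dst` format.

```ini
# inputs.conf  (one stanza per sending host; accept everything as plain syslog)
[udp://192.168.1.1:514]
sourcetype = syslog
connection_host = ip

[udp://192.168.2.1:514]
sourcetype = syslog
connection_host = ip

# props.conf  (index-time: hand matching events to the routing transforms below)
[syslog]
TRANSFORMS-route = route_iptables, route_snort

# props.conf  (search-time field extraction, one stanza per resulting sourcetype)
# iptables LOG lines look like: kernel: IPTABLES DROP: IN=eth0 OUT= MAC=... SRC=... DST=... PROTO=TCP SPT=... DPT=...
# SPT/DPT are optional because ICMP drops carry neither.
[iptables]
EXTRACT-fw = IN=(?<in_if>\S*)\s+OUT=(?<out_if>\S*).*?SRC=(?<src_ip>\S+)\s+DST=(?<dest_ip>\S+).*?PROTO=(?<proto>\S+)(?:.*?SPT=(?<src_port>\d+)\s+DPT=(?<dest_port>\d+))?

# snort syslog alerts look like: snort[1234]: [1:2100498:7] SIG NAME [Classification: ...] [Priority: 2]: {TCP} 10.0.0.5:80 -> 192.168.1.10:54321
# The Classification block and the ports are optional (rules without a classtype, non-TCP/UDP traffic).
[snort]
EXTRACT-alert = \[(?<gid>\d+):(?<sid>\d+):(?<rev>\d+)\]\s+(?<signature>.+?)\s+(?:\[Classification:\s+(?<classification>[^\]]+)\]\s+)?\[Priority:\s+(?<priority>\d+)\]:?\s+\{(?<proto>\w+)\}\s+(?<src_ip>[\d.]+)(?::(?<src_port>\d+))?\s+->\s+(?<dest_ip>[\d.]+)(?::(?<dest_port>\d+))?

# transforms.conf  (the routing regexes referenced by TRANSFORMS-route above)
[route_iptables]
REGEX = kernel:.*\bIPTABLES DROP:.*\bIN=.*\bOUT=
FORMAT = sourcetype::iptables
DEST_KEY = MetaData:Sourcetype

[route_snort]
REGEX = snort\[\d+\]:\s+\[\d+:\d+:\d+\]
FORMAT = sourcetype::snort
DEST_KEY = MetaData:Sourcetype
```

After a restart (or a reload of the relevant endpoints), searches such as `sourcetype=iptables dest_port=22` or `sourcetype=snort priority<=2 | stats count by signature src_ip` work on newly indexed data only; TRANSFORMS apply at index time, so events that already arrived under the original stanzas (which label everything, iptables drops included, as `snort`) keep the sourcetype they were indexed with. Any syslog line that matches neither routing regex simply stays `sourcetype=syslog`, which makes it easy to spot log formats the regexes are not yet catching.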