Hi,
I installed the "Security Intelligence for Vormetric Data Firewall (TM)" app on our running Splunk system and I want to use the predefined tcp://5524 source.
inputs.conf
[tcp://5514]
disabled = false
index = myindex
connection_host = dns
sourcetype = rfc5424_syslog
If I now search for the sourcetype "rfc5424_syslog", I get no results.
A search for "source=tcp:5541" shows the sourcetype "syslog" for the Vormetric data.
Does Splunk overwrite the sourcetype? Why is it syslog and not rfc5424_syslog? In inputs.conf the sourcetype is correct. Because of this issue the Vormetric app doesn't work.
I hope somebody has an idea. Thanks in advance.
Regards Arne