Splunk's best practice is to write the networking device's logs to an intermediary syslog server (this is to ensure continuous availability of network device logs irrespective of the availability of Splunk servers); you may use syslog-ng or rsyslog, so have a syslog server
configure the cyberoam device to start sending the logs to syslog server's IP address
check if the logs are being written to syslog or not
if the logs are coming, then install the Splunk universal forwarder on that syslog server, which shall monitor these logs/directory and send them to your indexer IP on port 9997 with sourcetype: cyberoam & Index: *custom*
Monitor files and directories with inputs.conf (https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Monitorfilesanddirectorieswithinputs.conf)
Install Cyberoam addon on your splunk instances for automatic field extractions
search for index=* sourcetype=cyberoam
=====
Another direct approach can be -
a. configure the device to send logs directly to your indexer IP address on UDP 514
b. have the addon installed on your instances of splunk
c. open the port UDP:514 on splunk and on your splunk server's OS firewall
Input Type : UDP Port
Port Number : 514
Source name override : N/A
Restrict to Host : give IP of your device (1.2.3.4)
Source Type: cyberoam
App Context : search
Host : (IP address of the remote server)
Index : create new > cyberoam
d. ensure that there is no other device which might be blocking this data movement
e. search for index=* sourcetype=cyberoam
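As an added illustration (not part of the answer above), here is what both approaches look like as inputs.conf stanzas: the first on the universal forwarder sitting on the syslog server, the second on the indexer itself. The log directory, index name and indexer IP are assumptions; the device IP 1.2.3.4 is the one used in the answer.

```ini
# --- Approach 1: universal forwarder on the syslog server ---
# $SPLUNK_HOME/etc/system/local/inputs.conf on the forwarder.
# /var/log/cyberoam is an assumption: use whatever directory
# syslog-ng/rsyslog writes the Cyberoam messages into.
[monitor:///var/log/cyberoam]
sourcetype = cyberoam
index = cyberoam
disabled = 0
# Only follow live .log files, not rotated/compressed copies
whitelist = \.log$

# The forwarder also needs an outputs.conf pointing at the indexer
# on 9997 (indexer IP is an assumption), e.g.:
#   [tcpout:indexers]
#   server = 10.0.0.10:9997

# --- Approach 2: direct UDP 514 input on the indexer ---
# With App Context "search" this lands in
# $SPLUNK_HOME/etc/apps/search/local/inputs.conf.
# The "1.2.3.4:" prefix is what "Restrict to Host" produces: the stanza
# only accepts datagrams from the Cyberoam appliance. A plain
# [udp://514] would index syslog from any host that can reach the port.
[udp://1.2.3.4:514]
sourcetype = cyberoam
index = cyberoam
# Populate the host field from the sender IP instead of a reverse lookup
connection_host = ip
# Equivalent restriction if you prefer an open [udp://514] stanza:
# acceptFrom = 1.2.3.4
```

In both cases the index must already exist (Settings > Indexes, or indexes.conf) before events arrive, otherwise they are dropped.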