Getting Data In

How to configure Splunk to distinguish different types of logs from syslog and save them in different indexes on a Splunk Indexer?

charlescywong
New Member

I have just installed a Splunk App where the logs are from some appliances, so obviously they are sending syslog to our Splunk Indexer. However, this Splunk App is only suitable for analyzing specific logs of one of the vendor appliances (vendor specific Splunk App). So, the problem is that I configured all my network devices (i.e. switch, router, firewall, etc) to send syslog to our Splunk Indexer where the Splunk Indexer stores these logs in the "main" Index.

So, how do I tell the newly installed Splunk App to only capture the "needed" logs to perform analysis from the pool of logs in the "Main" index? (The "need to analyze" logs are in the pool of logs stored in "Main" Index)

0 Karma

MuS
SplunkTrust

Hi charlescywong,

another approach is to re-write the sourcetype of your syslog inputs based on the hostname in the events. This will allow you to send everything over syslog and still have those vendor specific syslog source types in the events.

You can achieve this by using props.conf and transforms.conf on your Splunk instance which does the parsing (Either an Indexer or a heavy weight forwarder).

This example will re-write the sourcetype for events which were sent from the host CiscoNetWorkDevice to be cisco_syslog:

props.conf:

[syslog]
TRANSFORMS-001_syslog_set_sourcetype = 001_syslog_set_sourcetype

transforms.conf:

[001_syslog_set_sourcetype]
SOURCE_KEY = MetaData:Host
REGEX = CiscoNetWorkDevice
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco_syslog

Hope this helps and you can get this working ...

cheers, MuS

0 Karma

charlescywong
New Member

Does this mean re-direct the syslog from CiscoNetworkDevice to cisco_syslog while data is getting into the Splunk Indexer?

0 Karma

MuS
SplunkTrust

It's not really a re-direct: the sourcetype will be changed from syslog to cisco_syslog, but only for events from host CiscoNetWorkDevice; everything else stays sourcetype syslog. You can set up multiple transforms to re-write the source types for other devices as well.
Done that multiple times and it works perfectly.

0 Karma
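Building on the props.conf/transforms.conf approach in MuS's answer, the following is an added example (not MuS's configuration or anything from the Splunk docs) that chains several transforms so that different device hosts get their own sourcetype and, since the question also asks about separate indexes, are routed out of main into a dedicated index. The hostnames, the fw_syslog sourcetype and the netfw index are assumptions; replace them with whatever your vendor app expects.

```ini
# props.conf - on the indexer or heavy forwarder that parses the syslog input.
# All transforms named in one TRANSFORMS- setting run in order, left to right,
# so the index routing can reuse the same host match as the sourcetype rewrites.
[syslog]
TRANSFORMS-010_route_by_host = set_st_cisco, set_st_fw, set_idx_netfw

# transforms.conf
# MetaData:Host holds the value "host::<hostname>", so anchor the regex on
# "host::" to avoid matching the device name inside some other host's name.
[set_st_cisco]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(core-sw|edge-rtr)\d+$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco_syslog

[set_st_fw]
SOURCE_KEY = MetaData:Host
REGEX = ^host::fw\d+$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::fw_syslog

# Route every matched network device into its own index so the vendor app can
# search index=netfw instead of sifting through index=main. Unmatched hosts
# keep sourcetype syslog and land in the default index as before.
[set_idx_netfw]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(core-sw|edge-rtr|fw)\d+$
DEST_KEY = _MetaData:Index
FORMAT = netfw

# indexes.conf (indexer) - the target index must exist before events are
# routed to it, otherwise those events are dropped.
[netfw]
homePath   = $SPLUNK_DB/netfw/db
coldPath   = $SPLUNK_DB/netfw/colddb
thawedPath = $SPLUNK_DB/netfw/thaweddb
```

One caveat: rewriting the sourcetype at index time does not re-run the new sourcetype's parsing-phase settings (line breaking, timestamp extraction), which were already applied under the original syslog sourcetype; only search-time field extractions keyed on cisco_syslog or fw_syslog will pick the events up. Restart Splunk (or reload the conf files) after editing and confirm with a search such as index=netfw sourcetype=cisco_syslog.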

ddrillic
Ultra Champion

The categorization of data is done via the index and the sourcetype. If you deal with syslogs, you'd better check whether your logs conform to the pretrained syslogs described at List of pretrained source types.

0 Karma