I'm trying to set up Splunk for Cisco Firewalls
I am trying to set up 2 things here:
1. The UDP syslog input on my forwarder, and not on the Splunk indexer where the app is installed.
2. Separating out the indexes for certain high-volume firewalls/devices.
I found this article [http://answers.splunk.com/answers/75939/split-syslog-udp514-from-multi-hosts-to-multi-indexes] on how to accomplish separating the indexes out. I already see tons of entries in props.conf and transforms.conf and I don't want to break the app in the process.
I am also not sure how to set up this whole thing with a forwarder in between. I have experience setting up other apps, but they usually have portions that get deployed out to a forwarder.
thanks
Gd.
In index.conf on the universal forwarder machine create a different udp port for each firewall. Send to that port from the firewall that belongs to that index.
# one stanza per firewall; the port number is the one that firewall sends to
[udp://portfromfirewall]
# host field becomes the sender's IP address instead of a reverse DNS name
connection_host = ip
# the index must already exist on the indexer
index = index_you_want_to_send_to
sourcetype = your_Sourcetype
In your outputs.conf
[tcpout]
defaultGroup = default-autolb-group
# the group lists the indexer(s) the forwarder sends everything to
[tcpout:default-autolb-group]
server = yoursplunkserver:9997
# optional per-server settings (SSL, compression); can stay empty
[tcpout-server://yoursplunkserver:9997]
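The complete set of files for the two things the question asks about, as an added example that is not part of the answer above. The UDP input stanzas go in inputs.conf on the universal forwarder; indexes.conf is the indexer-side file that defines the indexes. Port numbers (5514, 5515, 514), index names (fw_edge, fw_dc, network), firewall IPs (10.0.0.1, 10.0.0.2), indexer hostnames and the cisco:asa sourcetype are assumptions for illustration. The second half shows the alternative from the linked article (every firewall keeps sending to udp/514 and the indexer routes by host), kept in its own app so the Cisco app's props.conf and transforms.conf are never edited.

```ini
# ---- Universal forwarder: $SPLUNK_HOME/etc/apps/fw_inputs/local/inputs.conf
# One UDP input per high-volume firewall; each port maps to its own index.
# Ports, index names and hostnames are assumed values for this example.
# On Linux, ports below 1024 need root or a setcap'd splunkd; 5514+ avoids that.
# Splunk .conf comments must start at the beginning of a line.

[udp://5514]
# host field = sending IP address (no reverse DNS lookup)
connection_host = ip
sourcetype = cisco:asa
# must exist on the indexer (see indexes.conf below)
index = fw_edge
# keep the raw syslog line; Splunk extracts the timestamp itself
no_appending_timestamp = true

[udp://5515]
connection_host = ip
sourcetype = cisco:asa
index = fw_dc
no_appending_timestamp = true

# every other firewall keeps using the shared port and index
[udp://514]
connection_host = ip
sourcetype = cisco:asa
index = network
no_appending_timestamp = true

# ---- Universal forwarder: $SPLUNK_HOME/etc/apps/fw_inputs/local/outputs.conf
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
# assumed indexer names; load-balanced across both
server = idx1.example.com:9997,idx2.example.com:9997
autoLB = true

# ---- Indexer: $SPLUNK_HOME/etc/apps/fw_indexes/local/indexes.conf
# The forwarder only stamps the index name on each event; the index has to
# exist here, otherwise the events are dropped (or go to lastChanceIndex if set).
[fw_edge]
homePath   = $SPLUNK_DB/fw_edge/db
coldPath   = $SPLUNK_DB/fw_edge/colddb
thawedPath = $SPLUNK_DB/fw_edge/thaweddb
# separate retention for the high-volume index: 90 days
frozenTimePeriodInSecs = 7776000

[fw_dc]
homePath   = $SPLUNK_DB/fw_dc/db
coldPath   = $SPLUNK_DB/fw_dc/colddb
thawedPath = $SPLUNK_DB/fw_dc/thaweddb
frozenTimePeriodInSecs = 7776000

# ---- Alternative: all firewalls keep sending to udp/514, route by host
# These run on the indexer (or a heavy forwarder), never on a universal
# forwarder, which does not execute TRANSFORMS. Keeping them in their own app
# means the Cisco app's own props.conf/transforms.conf are left untouched
# and survive an app upgrade. Host values match because the UF input above
# uses connection_host = ip.

# $SPLUNK_HOME/etc/apps/fw_routing/local/props.conf
[host::10.0.0.1]
TRANSFORMS-routeidx = route_to_fw_edge

[host::10.0.0.2]
TRANSFORMS-routeidx = route_to_fw_dc

# $SPLUNK_HOME/etc/apps/fw_routing/local/transforms.conf
[route_to_fw_edge]
# match every event from that host and rewrite its destination index
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = fw_edge

[route_to_fw_dc]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = fw_dc
```

Push the fw_inputs app to the forwarder with the deployment server (or copy it under etc/apps and restart splunkd), then check what actually took effect with `splunk btool inputs list udp --debug` on the forwarder and `splunk btool props list "host::10.0.0.1" --debug` on the indexer, which also shows whether a stanza in the Cisco app overrides yours. A single test line from a Linux box, `logger -n <forwarder> -P 5514 -d "test from fw_edge"`, should then show up under `index=fw_edge host=<your IP>`; if it appears in the main index or not at all, the index is missing on the indexer or the stanza is not being read. Per-port inputs need the firewalls reconfigured to use the new ports; the host-routing alternative does not, at the cost of doing the work on the indexer.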