How to configure Splunk to index syslog data from multiple sources?

cbaiocchetti
New Member

Hello. First time I'm posting a question, and a relative newb to Splunk so I apologize up front if this has already been asked and answered, or if this is a silly question.

Currently running latest Splunk on Windows server. I have configured a new data input for Syslog on TCP 514, and have configured the input to receive asm_log files from the F5 device in our environment and this is working just fine.

I would now like to add our RSA Security Management as a second source of Syslog data, but I cannot figure out how to add it to the existing Data Input. If I try to add it through the Web interface, I get the error message that the port is already being used (not a big surprise there).

So can anyone tell me where I am going wrong? Is there a better way to go about receiving data from multiple Syslog sources? Any help would be greatly appreciated, as I am really liking Splunk and this is the first significant problem I have encountered.

Thank you in advance and regards,

Chris

0 Karma

Runals
Motivator

I would second MuS' approach. However, my recommendation is, if this is going to move into a production state, I'd stand up a Linux server to receive syslog data and put a Splunk agent on it to read the output. This gives you some resiliency to handle Splunk restarts/downtime.

MuS
SplunkTrust

And to second this as well, here is the related answer on this topic: http://answers.splunk.com/answers/144357/why-is-syslog-right-into-splunk-so-bad-wrong.html

MuS
SplunkTrust

Hi cbaiocchetti,

The easiest way would be to set up a new UDP port for this new device, something like [udp:515], and assign the sourcetype to it. If your new device is not able to send to any UDP port other than 514, do so and use some props.conf and transforms.conf voodoo to change the sourcetype to the new one.
Take a look here http://answers.splunk.com/answers/57424/trying-to-override-a-syslog-udp-sourcetype-based-on-a-host-n... to get an idea how it can be done.

cheers, MuS

0 Karma
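As an added example (not from the thread or from any Splunk add-on), here are the two variants MuS describes written out as Splunk .conf stanzas: a dedicated port per device, and a host-based sourcetype override for a device that can only send to 514. The sourcetype names, the RSA hostname `rsa-am01` and the file placement under `$SPLUNK_HOME/etc/system/local/` are assumptions.

```ini
# --- inputs.conf (assumed location: $SPLUNK_HOME/etc/system/local/) ---
# Variant 1: one listener per device, each with its own sourcetype.
# Existing F5 ASM listener from the question (sourcetype name is assumed).
[tcp://514]
sourcetype = f5_asm_syslog
connection_host = ip

# New listener for RSA Security Management on a separate UDP port.
[udp://515]
sourcetype = rsa_secmgmt_syslog
connection_host = ip

# --- props.conf ---
# Variant 2: RSA can only send to 514, so both devices share the TCP
# listener and the sourcetype is rewritten per sending host at index time.
[source::tcp:514]
TRANSFORMS-set_rsa_sourcetype = set_rsa_sourcetype

# --- transforms.conf ---
# Match on the host metadata (format is "host::<name>") and overwrite the
# sourcetype only for events coming from the assumed RSA appliance hostname.
# Events from any other host (e.g. the F5) keep the sourcetype set in inputs.conf.
[set_rsa_sourcetype]
SOURCE_KEY = MetaData:Host
REGEX = ^host::rsa-am01$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::rsa_secmgmt_syslog
```

Index-time transforms only apply to data indexed after a restart, so verify with a search such as `index=* source="tcp:514" | stats count by host, sourcetype` that each host lands on the intended sourcetype before building extractions on it.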

cbaiocchetti
New Member

Hi, and thanks to you both for the quick replies. Sorry for taking so long to respond.

I think we'll initially use the UDP/conf file solution. Also appreciate the links, and sorry for not finding them myself.

Regards,

Chris

0 Karma