Hello. First time I'm posting a question, and a relative newb to Splunk so I apologize up front if this has already been asked and answered, or if this is a silly question.
Currently running latest Splunk on Windows server. I have configured a new data input for Syslog on TCP 514, and have configured the input to receive asm_log files from the F5 device in our environment and this is working just fine.
I would now like to add our RSA Security Management as a second source of Syslog data, but I cannot figure out how to add it to the existing Data Input. If I try to add it through the Web interface, I get the error message that the port is already being used (not a big surprise there).
So can anyone tell me where I am going wrong? Is there a better way to go about receiving data from multiple Syslog sources? Any help would be greatly appreciated, as I am really liking Splunk and this is the first significant problem I have encountered.
Thank you in advance and regards,
Chris
I would second MuS' approach. However my recommendation is if this is going to move into a production state I'd stand up a Linux server to receive syslog data and put a Splunk agent on it to read the output. This gives you some resiliency to hand Splunk restarts/downtime.
and to second this as well, here is the related answer about this topic http://answers.splunk.com/answers/144357/why-is-syslog-right-into-splunk-so-bad-wrong.html
Hi cbaiocchetti,
the easiest way would be to setup a new UDP port for this new device something like [udp:515]
and assign the sourcetype to it. If your new device is not able to send to any different UDP than 514, do so and use some props.conf
and transforms.conf
voodoo to change the sourcetype to the new one.
Take a look here http://answers.splunk.com/answers/57424/trying-to-override-a-syslog-udp-sourcetype-based-on-a-host-n... to get an idea how it can be done.
cheers, MuS
Hi, and thanks to you both for the quick replies. Sorry for taking so long to respond.
I think we'll initially use the UDP/conf file solution. Also appreciate the links, and sorry for not finding them myself.
Regards,
Chris