Hi,
I have just installed the SplunkForF5 app. I would like to check on the methods to configure data input for it.
Have you configured a network input listening on port 514 on the Splunk side? By default the app is configured for the following inputs:

[tcp://9998]
sourcetype = asm_log

[monitor:///home/sheyda/SplunkData/asm_full_dos]
disabled = 1
host = sheyda-laptop
host_regex =
host_segment =
index = default
sourcetype = asm_log

[monitor:///home/sheyda/SplunkData/dos_log]
disabled = 1
host = sheyda-laptop
host_regex =
host_segment =
index = default
sourcetype = as

[monitor:///home/sheyda/SplunkData/psm_splunk]
disabled = 1
host = sheyda-laptop
host_regex =
host_segment =
index = default
sourcetype = psm_log

[monitor:///var/log]
disabled = 1
host = sheyda-laptop
host_regex =
host_segment =
index = default
sourcetype =

[tcp://9997]
sourcetype = psm_log

Most of these seem to be very specific to where the application creator was storing their logs.
If you're only going to be sending over Firepass logs using 514/UDP then you could configure inputs.conf like this:
[udp://514]
sourcetype = firepass_log
I tried to send in logs from Firepass on UDP 514, but it doesn't seem to receive any yet.
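
An added example, not part of the thread or of the SplunkForF5 app: a small Python check that reads an inputs.conf, lists the network inputs that are actually enabled, and reports whether a given protocol/port (here 514/UDP for Firepass) has a stanza at all. The function names are hypothetical, the sample text is an abridged, constructed copy of the stanzas quoted above, and the check assumes the port-only stanza form ([tcp://9998]) and that disabled is written as 1 or true.

```python
import configparser

# Constructed sample: abridged from the defaults quoted in the answer,
# followed by the suggested [udp://514] stanza.
SAMPLE = """\
[tcp://9998]
sourcetype = asm_log

[monitor:///home/sheyda/SplunkData/asm_full_dos]
disabled = 1
host_regex =
sourcetype = asm_log

[tcp://9997]
sourcetype = psm_log

[udp://514]
sourcetype = firepass_log
"""

def parse_inputs(text):
    """Return one dict per stanza: kind, target, disabled flag, sourcetype."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    stanzas = []
    for name in cp.sections():
        kind, _, target = name.partition("://")  # e.g. "udp", "514"
        off = cp.get(name, "disabled", fallback="0")
        stanzas.append({
            "kind": kind, "target": target,
            "disabled": off.strip().lower() in ("1", "true"),  # assumption: 1/true only
            "sourcetype": cp.get(name, "sourcetype", fallback="").strip(),
        })
    return stanzas

def active_listeners(stanzas):
    """Enabled tcp/udp inputs as (protocol, port, sourcetype) tuples."""
    return [(s["kind"], s["target"], s["sourcetype"])
            for s in stanzas
            if s["kind"] in ("tcp", "udp") and not s["disabled"]]

def covers(stanzas, protocol, port):
    """True if an enabled network input exists for this protocol and port."""
    return any(k == protocol and t == str(port) for k, t, _ in active_listeners(stanzas))

if __name__ == "__main__":
    for proto, port, st in active_listeners(parse_inputs(SAMPLE)):
        print(f"{proto}/{port} -> sourcetype {st or '(unset)'}")
```

Run against the app's defaults alone, covers(..., "udp", 514) is false: only the two TCP inputs are enabled, so nothing is listening for syslog on 514/UDP until a stanza like the suggested one is added.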