How to change syslog host to a specific sourcetype...

mrtolu6 · ‎08-02-2016

I'm getting syslog from a specific host in Splunk. How do I create a sourcetype for that host?

twinspop · ‎08-02-2016

I don't recommend trying to change sourcetype after the event has been received. The best way would be to create a separate stanza for the host in question, either by giving it a different port, or specifying the host in a copy of the existing:

[udp://514]
sourcetype = genpop

[udp://specialhost:514]
sourcetype = special

OR

[udp://514]
sourcetype = genpop

[udp://5114]
sourcetype = special_type

MuS · ‎08-02-2016

I second the above approach, but if this is not possible for you to do; here is an example how to re-write the sourcetype based on the hostname https://answers.splunk.com/answers/369375/how-do-i-set-different-source-types-on-one-data-in-1.html this example uses a TCP input but applies to syslog over UDP as well 😉

cheers, MuS

mrtolu6 · ‎08-03-2016

Twinspop,

Which file do i create the stanza in?

twinspop · ‎08-03-2016

You can either edit inputs.conf directly or update via the GUI. Through the GUI, use the More settings area in the UDP definition page to see "restrict to host" to set the 1st type I listed above. For the second type, simple create a new UDP input with a new, unique port. To modify through the CLI using the inputs.conf file, you'd want to find the one your input is already defined in. Possibly in the search or launcher app directory structures, under local.

How to change syslog host to a specific sourcetype?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases