Hello,
My colleague configured 1 heavy forwarder and I configured the other 2. In my Splunk, I see both sourcetype UDP:514 and sourcetype syslog.
Is this normal, or did we set different sourcetypes when we set them up?
We used the CLI and when I check \splunk\home\etc\local\inputs.conf the file has almost nothing in it, except the host...
Can someone tell me where I can go to compare on the 2 systems if we have set different sourcetypes?
Thanks,
Best practice for ingesting syslog data is to send it to a syslog/syslog-ng server, which writes to directories/files, and have a universal forwarder monitor those files. Only this approach allows you to assign proper sourcetypes to your log data. "syslog" is not a very meaningful sourcetype when users want to try and find logs from firewalls, IPSs, switches, etc.
Having said that: You can run a search to identify which of your HFs is sending which sourcetype and then check your configuration on the relevant server.
You can also run
./splunk cmd btool inputs list --debug
to list out all configuration settings for inputs.conf and it will tell you which configuration file it was taken from.
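An added example, not part of the answer above: a POSIX shell script that takes the output of "./splunk cmd btool inputs list --debug" from each heavy forwarder, reports for every input stanza which sourcetype it sets and which inputs.conf file that line came from, and then lists the stanzas whose sourcetype differs between two forwarders. The two btool outputs embedded below are constructed samples in btool's "<file> <setting>" layout (the host names hf1/hf2 and the file paths are assumptions); in practice you would capture the real output on each HF and pass it in. A stanza with no sourcetype line shows up as UNSET, which is the case to look for when one HF produces "syslog" and the other does not.

```shell
#!/bin/sh
# Added example (not from the original post): parse btool --debug output
# and compare the sourcetype assigned per input stanza on two HFs.

# Constructed sample: an HF whose udp input sets sourcetype=syslog explicitly.
HF1_BTOOL='/opt/splunk/etc/system/default/inputs.conf [default]
/opt/splunk/etc/system/default/inputs.conf host = hf1
/opt/splunk/etc/apps/search/local/inputs.conf [udp://514]
/opt/splunk/etc/apps/search/local/inputs.conf connection_host = ip
/opt/splunk/etc/apps/search/local/inputs.conf sourcetype = syslog'

# Constructed sample: an HF whose udp input has no sourcetype line at all.
HF2_BTOOL='/opt/splunk/etc/system/default/inputs.conf [default]
/opt/splunk/etc/system/default/inputs.conf host = hf2
/opt/splunk/etc/system/local/inputs.conf [udp://514]
/opt/splunk/etc/system/local/inputs.conf connection_host = ip'

# report_sourcetypes <btool-debug-output>
# Prints one line per input stanza: "<stanza> <sourcetype-or-UNSET> <file>".
# btool --debug prefixes every line with the .conf file the setting came from,
# so $1 is always the file and $2.. is the stanza header or key = value.
report_sourcetypes() {
    printf '%s\n' "$1" | awk '
        function flush() {
            # [default] carries no input definition, so it is skipped
            if (stanza == "" || stanza == "[default]") return
            printf "%s %s %s\n", stanza, (st == "" ? "UNSET" : st), file
        }
        $2 ~ /^\[.*\]$/ {            # start of a new stanza
            flush()
            stanza = $2; file = $1; st = ""
            next
        }
        $2 == "sourcetype" && $3 == "=" {
            st = $4; file = $1       # remember where the sourcetype was set
        }
        END { flush() }
    '
}

# compare_sourcetypes <report-a> <report-b>
# Prints stanzas present in both reports whose sourcetype differs.
compare_sourcetypes() {
    { printf '%s\n' "$1" | sed 's/^/A /'; printf '%s\n' "$2" | sed 's/^/B /'; } |
    awk '$1 == "A" { a[$2] = $3; next }
         $1 == "B" { if (($2 in a) && a[$2] != $3) print $2, a[$2], "vs", $3 }'
}

# Demo on the constructed samples.
r1=$(report_sourcetypes "$HF1_BTOOL")
r2=$(report_sourcetypes "$HF2_BTOOL")
echo "hf1: $r1"
echo "hf2: $r2"
echo "differences:"
compare_sourcetypes "$r1" "$r2"
```

Running it on real output means saving "./splunk cmd btool inputs list --debug" from each HF to a file and substituting its contents for the constructed samples; the third column tells you exactly which inputs.conf to edit.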