
Using Firesight Syslog Alerting to send syslog data to a Heavy Forwarder

mrtolu6
Path Finder

Hello,
My Firesight logs currently come into my search head with sourcetype=syslogs. I would like my Firesight logs to be changed to the default sourcetype for the Splunk_ta_sourcefire app. Currently I have Firesight sending syslog data to my heavy forwarder through the Firesight syslog alerting. There is no universal forwarder installed on the Firesight; Firesight is sending the logs to the heavy forwarder, which sends the logs to the indexers. On the heavy forwarder I have the Splunk_ta_sourcefire app installed, and I also have this app installed on the search head. What would be the best approach to get the sourcetype to change to the app's default sourcetype? Do I need to edit the Splunk_ta_sourcefire inputs.conf file and add the IP address of the Firesight logs?


woodcock
Esteemed Legend

On your syslog server, set the sourcetype directly inside whatever inputs.conf file (local directory, not default) is sending the logs to the indexers.


mrtolu6
Path Finder

A universal forwarder is not installed on the Firesight host. It sends syslog directly to the heavy forwarder. I'm trying to figure out how I can change the logs' sourcetype on the heavy forwarder. Do I need to edit the inputs.conf file in the Splunk_ta_Sourcefire app? If so, what stanza do I put in the inputs.conf file?


woodcock
Esteemed Legend

The standard way to do this is to dedicate one UDP port to a single sourcetype and then write everything that comes in on that port to a particular directory that determines both the sourcetype and the host (e.g. '/opt/syslog/firewall/1.2.3.4/blah.log'). Then have Splunk monitor that directory for files and set the sourcetype and host based on segments in the path. Check what that app expects the sourcetype to be and then configure your syslog server to use that pathname. Then the TA/App should "just work".

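Both answers above boil down to one configuration on the heavy forwarder: either set the sourcetype on the UDP input itself, or (the more robust route woodcock describes) have the syslog daemon write each sender's messages to a per-host directory and let a monitor input derive the host from the path. The script below is an added example written for this thread, not configuration from the original posts, from Splunk, or from Cisco. It assumes rsyslog on the heavy forwarder host, a dedicated UDP port 10514, the directory layout /opt/syslog/firesight/<sender-ip>/firesight.log, an index named "network", and the sourcetype cisco:sourcefire; treat that sourcetype as an assumption and confirm it against the TA's default/props.conf before using it.

```shell
#!/bin/sh
# Added example (not from the original thread or the Splunk/Cisco add-on):
# syslog -> per-sender file -> Splunk monitor input with sourcetype and
# host_segment. Port, paths, index and sourcetype are assumptions.
set -eu

SYSLOG_PORT="${SYSLOG_PORT:-10514}"               # assumed: UDP port dedicated to FireSIGHT
SYSLOG_ROOT="${SYSLOG_ROOT:-/opt/syslog/firesight}"
SPLUNK_INDEX="${SPLUNK_INDEX:-network}"           # assumed index name
# Assumed sourcetype: take the real one from the TA's default/props.conf.
FIRESIGHT_SOURCETYPE="${FIRESIGHT_SOURCETYPE:-cisco:sourcefire}"

# Splunk's host_segment=N takes the Nth '/'-separated segment, counting the
# first segment after the leading slash as 1. For /opt/syslog/firesight the
# sender IP lands in segment 4, so this returns (segments in root) + 1.
host_segment_for() {
    root="${1#/}"
    n=$(printf '%s\n' "$root" | awk -F/ '{print NF}')
    echo $((n + 1))
}

# What host_segment=N would extract from a given file path. Run it against a
# real path before restarting splunkd; an off-by-one here silently sets every
# event's host to "firesight" or "firesight.log".
host_from_path() {
    path="${1#/}"
    printf '%s\n' "$path" | awk -F/ -v n="$2" '{print $n}'
}

# rsyslog drop-in: listen on the dedicated port only, and write each sender's
# messages to $SYSLOG_ROOT/<sender-ip>/firesight.log. If rsyslog.conf already
# loads imudp, drop the module() line to avoid a duplicate-load error.
write_rsyslog_conf() {
    out="$1"
    cat > "$out" <<EOF
module(load="imudp")
template(name="FiresightFile" type="string"
         string="$SYSLOG_ROOT/%FROMHOST-IP%/firesight.log")
ruleset(name="firesight") {
    action(type="omfile" dynaFile="FiresightFile" createDirs="on")
}
input(type="imudp" port="$SYSLOG_PORT" ruleset="firesight")
EOF
}

# Monitor stanza for the heavy forwarder. Put it in a local/ directory (the
# TA's or a custom app's), never in default/, which upgrades overwrite.
write_inputs_conf() {
    out="$1"
    seg=$(host_segment_for "$SYSLOG_ROOT")
    cat > "$out" <<EOF
[monitor://$SYSLOG_ROOT/*/firesight.log]
sourcetype = $FIRESIGHT_SOURCETYPE
host_segment = $seg
index = $SPLUNK_INDEX
disabled = 0
EOF
}

# The direct alternative from the first answer: let splunkd own the UDP port
# and set the sourcetype on the input. Simpler, but the host is then whatever
# the sender puts in the syslog header unless you also set it here.
write_direct_udp_inputs_conf() {
    out="$1"
    cat > "$out" <<EOF
[udp://$SYSLOG_PORT]
sourcetype = $FIRESIGHT_SOURCETYPE
index = $SPLUNK_INDEX
connection_host = ip
disabled = 0
EOF
}

# Usage (as root on the heavy forwarder):
#   write_rsyslog_conf /etc/rsyslog.d/30-firesight.conf
#   write_inputs_conf  "$SPLUNK_HOME/etc/apps/Splunk_TA_sourcefire/local/inputs.conf"
#   host_from_path /opt/syslog/firesight/10.1.2.3/firesight.log 4   # -> 10.1.2.3
```

After restarting rsyslog and splunkd, confirm the merged stanza with `splunk btool inputs list --debug` and check that a fresh event shows the expected sourcetype and host. Two caveats worth keeping in mind: UDP syslog is trivially spoofable, so the host derived from %FROMHOST-IP% is only as trustworthy as the network path, and a firewall rule restricting port 10514 to the FireSIGHT management IP is cheap insurance; and the sourcetype must match the TA's props.conf exactly, since the add-on's field extractions key off that name and a near miss leaves you with raw syslog events and no CIM fields.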