Getting Data In

syslog indexing

riqbal
Communicator

However, at this point I am getting logs from a syslog data source and they are saved at /central/$hostname$/gateway.log
I installed the UF on the syslog server, and below is my inputs.conf file.

[root@sysxx ~]# cat /opt/splunkforwarder/etc/system/local/inputs.conf

[default]

[monitor:///cental/gateway/]
index = sophos
sourcetype = sophos:utm:firewall
disabled = 0

All my logs are going to the main index.
If I move the index and sourcetype parameters above [monitor:///cental/gateway/], then I can see the logs under index=sophos.

How can I solve this?

In future I will have logs from more data sources and I want to index them under different index names.

0 Karma

muebel
SplunkTrust

Hi riqbal, I think part of the issue might be related to some additional config you aren't aware of. Try running btool to get a view of all the inputs config. A usage example is:

/opt/splunk/bin/splunk btool --debug inputs list

This will give you a rolled up view of all inputs config.

Additionally, you can look at inputs config from Splunk with this app I made for this purpose: https://splunkbase.splunk.com/app/3923/

Although it seems less likely, there could also be some props.conf config causing issues (rewriting the index config), but I think doing a thorough examination of the inputs config at each step will be the most helpful thing to do.

Please let me know if this helps!

0 Karma
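To show why a stanza-level index can be ignored while the same key in [default] is honoured, here is an added Python emulation of how Splunk layers inputs.conf files (the merged view btool --debug prints); it is not code from this thread or from Splunk. The two sample files, the app name and the path typo in the system/local stanza are constructed for the example, and the precedence order (system/local over app local, explicit stanza keys over [default] keys) follows the documented behaviour.

```python
import configparser

# Constructed sample files (not the poster's), highest precedence first.
# The system/local stanza has a path typo, so it monitors a different
# (nonexistent) directory than the app stanza that really collects the logs.
CONF_LAYERS = [
    ("etc/system/local/inputs.conf",
     "[default]\nhost = sysxx\n\n[monitor:///cental/gateway/]\n"
     "index = sophos\nsourcetype = sophos:utm:firewall\ndisabled = 0\n"),
    ("etc/apps/my_syslog_app/local/inputs.conf",
     "[monitor:///central/gateway/]\ndisabled = 0\n"),
]

def parse_layer(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def merge_layers(layers):
    """{stanza: {key: (value, source_file)}}: explicit stanza settings beat
    [default] settings, and within each group the higher-precedence file wins."""
    parsed = [(path, parse_layer(text)) for path, text in layers]
    names = {s for _, d in parsed for s in d if s != "default"}
    merged = {}
    for name in sorted(names):
        eff = {}
        for path, d in parsed:                       # explicit stanza keys
            for k, v in d.get(name, {}).items():
                eff.setdefault(k, (v, path))
        for path, d in parsed:                       # then [default] keys
            for k, v in d.get("default", {}).items():
                eff.setdefault(k, (v, path))
        merged[name] = eff
    return merged

def effective_index(merged, stanza):
    """Index the stanza's events land in; unset means the indexer default (main)."""
    return merged.get(stanza, {}).get("index", ("main", "<indexer default>"))[0]

def debug_listing(merged):
    """btool --debug style view: every effective key with the file that set it."""
    out = []
    for name, eff in merged.items():
        out.append(f"[{name}]")
        out.extend(f"{path:45} {k} = {v}" for k, (v, path) in sorted(eff.items()))
    return "\n".join(out)

if __name__ == "__main__":
    print(debug_listing(merge_layers(CONF_LAYERS)))
```

Running it prints the stanza that actually collects /central/gateway/ with no index key at all, so its events fall to main, while moving index = sophos into [default] makes it apply to every stanza, which matches what the thread observed.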

mayurr98
Super Champion

I did not understand your question. If you put index = sophos and sourcetype = sophos:utm:firewall, data will go to sophos; otherwise it will go to the default index called main.

0 Karma

riqbal
Communicator

Let me explain in more detail:
1- I have one syslog server where all the network devices send logs, and those logs are saved at
/central/$hostname$/$hostname$.log
2- I installed the UF on that syslog server and configured it to send logs to the HF.
3- With this config (as shown above), all logs are going to the main index.

Interestingly, when I define the index on top (before [monitor:///cental/gateway/]), the logs get saved in index=Sophos.

=========================================

I just experimented with this on my workstation. My workstation is also sending logs to Splunk.
Below is my inputs.conf file.

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = os_xx1
disabled = 0

With that, the logs are not getting saved in index = os_xx1.

BUT WHEN I CHANGE props.conf and transforms.conf, the logs go to the right index.
Below are props.conf and transforms.conf:
props.conf
[WinEventLog:Security]
TRANSFORMS-Windows = windows_security

[WinEventLog://Microsoft-Windows-Sysmon/Operational]

TRANSFORMS-Windows = windows_sysmon

transforms.conf
[windows_security]
REGEX = (.*)
FORMAT = os_xx1
WRITE_META = true

[windows_sysmon]
REGEX = (.*)
FORMAT = os_xx1
WRITE_META = true

========================================================

0 Karma
