Dear,
I configured the inputs.conf of the palo alto app exactly as the documentation.
However, in addition to the Palo Alto logs, I get other logs via udp:514. The configuration in inputs.conf is forwarding all logs via 514 to the pan:log sourcetype.
How could I change only the high-pit logs to the sourcetype pan:log?
https://answers.splunk.com/answers/205815/how-to-configure-different-sourcetypes-for-udp-por.html
You can use the following in your inputs.conf
# Stanza restricted to one sender: only datagrams from SOURCE_IP on PORT match this input
[udp://SOURCE_IP:PORT]
sourcetype = pan:log
Three options:
Best: let a dedicated syslog daemon receive the data, write to disk, let a universal forwarder read the log files and assign sourcetypes per file.
Bad: make each source use a distinct port.
Bad: keep all sources at one port, define props/transforms to rewrite sourcetypes, index, etc. based on the event, host, etc.
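One concrete layout for the first option, added here as an illustration and not part of the answer above: rsyslog receives everything on UDP 514, writes each sender to its own file keyed on source address, and a universal forwarder monitors those files with one sourcetype per path. The addresses 10.0.0.1 and 10.0.0.2, the file paths and the sourcetype for the second device are assumed values; only pan:log comes from the thread.

```conf
# /etc/rsyslog.d/10-splunk-split.conf  (rsyslog is the assumed syslog daemon)
# Listen on UDP 514 and route each sender to its own file by source IP.
module(load="imudp")
input(type="imudp" port="514")

# Assumed addresses: 10.0.0.1 is the Palo Alto firewall, 10.0.0.2 the other device.
if $fromhost-ip == "10.0.0.1" then {
    action(type="omfile" file="/var/log/remote/paloalto.log")
    stop
}
if $fromhost-ip == "10.0.0.2" then {
    action(type="omfile" file="/var/log/remote/otherdevice.log")
    stop
}
# Anything from an unexpected sender still lands somewhere visible.
action(type="omfile" file="/var/log/remote/unknown.log")

# $SPLUNK_HOME/etc/system/local/inputs.conf on the universal forwarder
# Remove or disable the old [udp://514] stanza: rsyslog now owns the port.
[monitor:///var/log/remote/paloalto.log]
sourcetype = pan:log

[monitor:///var/log/remote/otherdevice.log]
sourcetype = syslog

[monitor:///var/log/remote/unknown.log]
sourcetype = syslog
```

Check the split with `tail` on each file after sending a test message from both devices; an event in unknown.log means a sender is not covered by the rsyslog rules.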
Hi,
I am pretty certain that Splunk can handle one sourcetype for one UDP:Port input.
I think a dedicated syslog server could deal with this though.