
Customize inputs.conf Palo Alto - Multiple sources udp:514

wvalente
Explorer

Dear,

I configured the inputs.conf of the palo alto app exactly as the documentation.

However, in addition to the Palo Alto logs, I get other logs via udp:514. The configuration in inputs.conf is forwarding all logs via 514 to the pan:log sourcetype.

How could I change only the high-pit logs to the sourcetype pan:log?


panguy
Contributor

https://answers.splunk.com/answers/205815/how-to-configure-different-sourcetypes-for-udp-por.html

You can use the following in your inputs.conf

[udp://SOURCE_IP:PORT]

martin_mueller
SplunkTrust

Three options:

Best: let a dedicated syslog daemon receive the data, write to disk, let a universal forwarder read the log files and assign sourcetypes per file.

Bad: make each source use a distinct port.

Bad: keep all sources at one port, define props/transforms to rewrite source types, index, etc based on the event, host, etc.

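
A worked version of panguy's source-IP stanza and of martin_mueller's third option, as an added example (not from the original thread or from the Palo Alto app's own configuration). The addresses 10.0.0.5 and 10.0.0.6 are placeholders, and the regex assumes PAN-OS syslog events carry the log type (TRAFFIC, THREAT, ...) as the fourth comma-separated field; verify that against your firewall's output before relying on it.

```ini
# --- inputs.conf (added example; IPs are placeholders) ---

# Catch-all: every other sender on 514 stays generic syslog.
[udp://514]
sourcetype = syslog
connection_host = ip

# Only datagrams from the firewall's management IP get pan:log.
# Splunk treats the [udp://<host>:<port>] stanza as more specific
# than the bare [udp://<port>] stanza for traffic from that host,
# so a single port can still feed two sourcetypes. Confirm with a
# test event from each sender before trusting it in production.
[udp://10.0.0.5:514]
sourcetype = pan:log
connection_host = ip

# A second firewall needs its own stanza; there is no wildcard.
[udp://10.0.0.6:514]
sourcetype = pan:log
connection_host = ip

# --- props.conf (martin_mueller's "rewrite per event" option) ---
# Used instead of the per-host stanzas above when the sender IP is
# not stable (e.g. a relay in front of the firewalls). Everything
# arrives as syslog and is re-typed at index time from the payload.
[syslog]
TRANSFORMS-set_pan = set_pan_log

# --- transforms.conf ---
# Assumption: the syslog header and the first CSV field contain no
# commas, so the log type is the fourth comma-separated field.
# Events that do not match keep the syslog sourcetype.
[set_pan_log]
REGEX = ^(?:[^,]*,){3}(?:TRAFFIC|THREAT|SYSTEM|CONFIG|HIPMATCH|USERID),
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan:log
```

Index-time sourcetype rewrites only apply to events that arrive after the restart, and a spoofed source address or a mismatching payload silently lands in the catch-all, which is why the dedicated syslog daemon plus file-based inputs remains the robust choice.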

dkeck
Influencer

Hi,

I am pretty certain that Splunk can handle one sourcetype for one UDP port input.

I think a dedicated syslog server could deal with this though.
