I have a Riverbed (10.10.10.1) and a Barracuda (10.10.10.2) both writing syslog (on UDP 514, which I cannot change) to my Splunk server.
All was well when I just had Barracuda data, as I set a manual UDP data input:
UDP 514, sourcetype barracuda
But now I ALSO need UDP 514 with sourcetype riverbed_steelhead.
I don't have the resources to set up another product to split these before they arrive on the Splunk server.
Any help would really be appreciated.
I added the sourcetypes below in the props.conf in the folder
C:\Program Files\Splunk\etc\system\default
I then set my UDP 514 input back to the default syslog
and I get no data from my Barracuda.
Thanks for this.
I have quite a few apps installed and each seems to have its own "props.conf" (31 in total) when I search the Splunk top-level folder.
I assume the entry has to be in the "main" props.conf.
Could you tell me which one to edit?
In props.conf, set sourcetype by Host IP.
[host::10.10.10.1]
sourcetype=barracuda
[host::10.10.10.2]
sourcetype=riverbed_steelhead
http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf
I have tried this solution for my problem.
I've set up UDP 514 for sourcetype cisco:asa (most of the syslog hosts are Cisco ASAs).
But I need syslog for different sourcetypes like cisco:esa:textmail and McAfee Firewall Enterprise (Sidewinder), etc.
I've set up a blank props.conf with the following syntax:
[host::10.1.1.2]
sourcetype = cisco.esa.textmail
[host::10.1.1.1]
sourcetype = cisco.esa.textmail
But in the search app the sourcetype is still cisco:asa.
What do I have to do additionally?
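As an added example (not from anyone in this thread), a small Python resolver that reads props.conf-style [host::] stanzas like the ones in the answer and picks the sourcetype for a syslog sender, falling back to the sourcetype the UDP 514 input assigned. The sample config is constructed from the addresses in the question; the * wildcard host stanza and the longest-pattern-wins priority are assumptions made here, not a statement of Splunk's documented precedence.

```python
import fnmatch

# Constructed sample props.conf: host-based stanzas as in the answer above,
# using the addresses from the question, plus an assumed wildcard stanza.
PROPS_CONF = """
# stanza header on its own line, key = value on the following line
[host::10.10.10.1]
sourcetype = riverbed_steelhead

[host::10.10.10.2]
sourcetype = barracuda

[host::10.1.1.*]
sourcetype = cisco:esa:textmail
"""

def parse_props(text):
    """Parse props.conf-style text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def resolve_sourcetype(stanzas, host, input_sourcetype="syslog"):
    """Sourcetype for an event from `host`: an exact [host::] stanza wins,
    then the longest matching wildcard stanza (assumed priority rule),
    otherwise the sourcetype the UDP 514 input assigned."""
    wildcard_hits = []
    for name, keys in stanzas.items():
        if not name.startswith("host::") or "sourcetype" not in keys:
            continue
        pattern = name[len("host::"):]
        if pattern == host:
            return keys["sourcetype"]
        if fnmatch.fnmatchcase(host, pattern):
            wildcard_hits.append((len(pattern), keys["sourcetype"]))
    if wildcard_hits:
        return max(wildcard_hits)[1]
    return input_sourcetype

STANZAS = parse_props(PROPS_CONF)
```

Call resolve_sourcetype(STANZAS, "10.10.10.1") to see which sourcetype a given sender would get; a sender with no matching stanza keeps the input's own sourcetype.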