
Using Firesight Syslog Alerting to send syslog data to a Heavy Forwarder

mrtolu6
Path Finder

Hello,
My Firesight logs currently come into my search head through the sourcetype=syslogs. I would like my Firesight logs to be changed to the default sourcetype for the Splunk_ta_sourcefire app. Currently I have Firesight sending syslog data to my heavy fwd through the Firesight syslog alerting. There is no universal fwd installed on the Firesight; Firesight is sending the logs to the Heavy Forwarder, which sends the logs to the indexers. On the Heavy Forwarder I have the Splunk_ta_sourcefire app installed; I also have this app installed on the search head. What would be the best approach to get the sourcetype to change to the app default sourcetype? Do I need to edit the Splunk_ta_Sourcefire inputs.conf file and add the IP address of the Firesight logs?

0 Karma

woodcock
Esteemed Legend

On your syslog server, set the sourcetype directly inside whatever inputs.conf file (local directory, not default) is sending the logs to the indexers.

0 Karma

mrtolu6
Path Finder

A Universal Forwarder is not installed on the Firesight host. It sends syslogs directly to the Heavy Forwarder. I'm trying to figure out how I can change the logs' sourcetype on the heavy forwarder. Do I need to edit the inputs.conf file in the Splunk_ta_Sourcefire app? If so, what stanza do I put in the inputs.conf file?

0 Karma

woodcock
Esteemed Legend

The standard way to do this is to dedicate 1 UDP port to a single sourcetype and then write everything that comes in on that port to a particular directory that determines both the sourcetype and the host (e.g. '/opt/syslog/firewall/1.2.3.4/blah.log'). Then have Splunk monitor that directory for files and set the sourcetype and host based on segments in the path. Check what that app expects the sourcetype to be and then configure your syslog server to use that pathname. Then the TA/App should "just work".

0 Karma
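The monitor stanza below is an added example of the per-port, per-directory layout both answers above describe; it is not from the original thread or from the Splunk_TA_sourcefire add-on itself. It assumes the syslog daemon on the heavy forwarder (for rsyslog, a template such as `/opt/syslog/sourcefire/%fromhost-ip%/sourcefire.log` bound to a dedicated UDP listener) writes each FireSIGHT sensor's messages under a directory named for its source IP, and it assumes `cisco:sourcefire` is the syslog sourcetype the TA's props.conf expects; confirm that name against the add-on's props.conf before relying on it. The file goes in the TA's `local/` directory on the heavy forwarder, never in `default/`.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/Splunk_TA_sourcefire/local/inputs.conf
# Path layout written by the syslog daemon (assumed): /opt/syslog/sourcefire/<sensor-ip>/sourcefire.log
# Segments are 1-based: /opt(1)/syslog(2)/sourcefire(3)/<sensor-ip>(4)/sourcefire.log
[monitor:///opt/syslog/sourcefire/*/sourcefire.log]
# Sourcetype the add-on's parsing rules key on (assumed; verify in the TA's props.conf)
sourcetype = cisco:sourcefire
# Take the host field from the 4th path segment, i.e. the sensor IP directory
host_segment = 4
disabled = 0
```

Because the heavy forwarder is the parsing tier, setting the sourcetype in this stanza is sufficient for the TA's props and transforms installed there to apply before the events reach the indexers; the search head copy of the TA then only needs to supply the field extractions and knowledge objects. Keep the dedicated UDP port for FireSIGHT traffic only, otherwise unrelated devices that happen to send to the same port will be tagged with this sourcetype and parsed incorrectly.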