Hi everyone, I have a question about setting up Splunk to record syslog messages from 2 different syslog servers. I am using the basic Splunk - no extra licenses - and it's running on Windows 7 64-bit. Here is my setup: I have a border router, and its inside IP address is 10.0.0.1. Behind the border router I have an ASA 5505 for the firewall - its inside IP is 192.168.1.1. I want to collect the syslog messages from both of these devices. I am using UDP 514 for syslog on both the router and firewall. I am able to set up Splunk to listen and record everything that is coming into UDP 514... which gives me the syslog data for both the router and firewall all mixed together. I would prefer if I could have Splunk listen for and record syslog for my router... and separately, listen to and record syslog data from my firewall. That way I could have labels on each - one for the router, and one for the firewall - which would make it easier to distinguish between the router's and firewall's syslog messages. The problem is I can't figure out how to set it up to do this. About the only thing I can think of is to keep the router's syslog coming from UDP 514, while changing the firewall so it uses a different UDP port for syslog. Is that the only option that I have? Or is there a more elegant solution out there? Thanks in advance for your help... Mike
You can take the UDP input and separate those formats into separate sourcetypes. http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides This previous answer will probably be helpful to you: "Different sourcetypes for different syslog hosts?" on Splunk Answers.
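An added example of what that override looks like in practice (not from the answer above or from Splunk's docs): one UDP 514 listener, with the sourcetype rewritten at index time by sender IP, plus a content-based fallback keyed on the `%ASA-` tag that Cisco ASA prefixes to its syslog messages. The stanza names, the sourcetype names `router_syslog` and `asa_syslog`, and the assumption that each device sends from the inside IPs given in the question are mine; the files live in `$SPLUNK_HOME/etc/system/local/` (or an app's `local/`) and need a Splunk restart.

```ini
# inputs.conf -- one listener for both devices; record the sender's IP as the host field
[udp://514]
connection_host = ip
sourcetype = syslog
index = main

# props.conf -- choose the transform by the host value the input just set
[host::10.0.0.1]
TRANSFORMS-set_st = st_border_router

[host::192.168.1.1]
TRANSFORMS-set_st = st_asa_firewall

# props.conf -- fallback for all data on this port: classify by message content,
# so ASA events still get the right sourcetype if the host value ever changes
# (e.g. a relay, NAT, or connection_host = dns resolving to a name)
[source::udp:514]
TRANSFORMS-by_content = st_asa_by_tag

# transforms.conf -- index-time sourcetype rewrites.
# REGEX = . matches every event from that host, so the whole stream is relabelled.
[st_border_router]
REGEX = .
FORMAT = sourcetype::router_syslog
DEST_KEY = MetaData:Sourcetype

[st_asa_firewall]
REGEX = .
FORMAT = sourcetype::asa_syslog
DEST_KEY = MetaData:Sourcetype

# ASA messages carry a tag of the form %ASA-<severity>-<message id>: in _raw
[st_asa_by_tag]
REGEX = %ASA-\d-\d+:
FORMAT = sourcetype::asa_syslog
DEST_KEY = MetaData:Sourcetype
```

Index-time settings only affect data arriving after the restart, so check the result on fresh events with `index=main source=udp:514 | stats count by host, sourcetype`; if the router's events still show `sourcetype=syslog`, the `host` value differs from 10.0.0.1 and the `[host::...]` stanza must match what that search reports.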