Hi everyone,
I have a question about setting up Splunk to record syslog messages from 2 different syslog servers.
I am using the basic Splunk - no extra licenses - and it's running on Windows 7 64-bit.
Here is my setup:
I have a border router, and its inside IP address is 10.0.0.1.
Behind the border router I have an ASA 5505 for the firewall - its inside IP is 192.168.1.1.
I want to collect the syslog messages from both of these devices. I am using UDP 514 for Syslog on both the router and firewall.
I am able to set up Splunk to listen and record everything that is coming into UDP 514... which gives me the syslog data for both the router and firewall all mixed together.
I would prefer if I could have Splunk listen for and record syslog for my router... and separately, listen to and record syslog data from my firewall. That way I could have labels on each - one for the router, and one for the firewall - which would make it easier to distinguish between the router's and firewall's syslog messages.
The problem is I can't figure out how to set it up to do this.
About the only thing I can think of is to keep the router's syslog coming from UDP 514, while changing the firewall so it uses a different UDP port for syslog.
Is that the only option that I have? Or is there a more elegant solution out there?
Thanks in advance for your help...
Mike
You can take the UDP input and separate those formats into separate sourcetypes.
http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides
This previous answer will probably be helpful to you.
http://splunk-base.splunk.com/answers/6917/different-sourcetypes-for-different-syslog-hosts
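As an added illustration of the sourcetype-override approach the answer points to (this is example configuration, not from the original thread or the linked docs), the two stanzas below keep a single UDP 514 input and assign a different sourcetype per sending device. It assumes the router and ASA send syslog from the inside addresses given in the question and that the UDP input keeps Splunk's default behaviour of stamping the sender's IP as the host; the transform and sourcetype names are made up for this example.

```ini
# props.conf (added example)
# Every event from the UDP 514 input has source "udp:514"; run the two
# transforms below on it in order. Unmatched events keep their original
# sourcetype, so nothing is dropped if a device's address changes.
[source::udp:514]
TRANSFORMS-set_syslog_sourcetype = st_cisco_router, st_cisco_asa

# transforms.conf (added example)
# Match on the host Splunk recorded at the input (the sender's IP by
# default), not on the message body. Addresses are the ones from the
# question: router 10.0.0.1, ASA 5505 192.168.1.1.
[st_cisco_router]
SOURCE_KEY = MetaData:Host
REGEX = ^host::10\.0\.0\.1$
FORMAT = sourcetype::cisco_router
DEST_KEY = MetaData:Sourcetype

[st_cisco_asa]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.1$
FORMAT = sourcetype::cisco_asa
DEST_KEY = MetaData:Sourcetype
```

These are index-time settings, so they apply only to events received after a restart; check the result with a search such as `source="udp:514" | stats count by host, sourcetype`, and if the firewall's messages arrive with an unexpected host value, a content match on the ASA's `%ASA-<level>-<id>:` prefix (SOURCE_KEY left at its `_raw` default) is the fallback.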