**First Part**
I configured a central syslog server where I planned to collect all logs from all syslog devices.
My syslog configuration is below:
```
$ModLoad imudp
$UDPServerRun 514
$template RemoteLogs,"/central/%HOSTNAME%/%HOSTNAME%.log"
*.* ?RemoteLogs
&stop
```
**Local system logs are also being saved under /central/localhostname.
How can I fix this issue?**
====================
**Second Part**
However, at this point I am getting logs from Sophos, and they are saved at /central/$hostname$/gateway.log.
I installed the UF on the syslog server, and below is my inputs.conf file.
```
[root@sysxx ~]# cat /opt/splunkforwarder/etc/system/local/inputs.conf
[default]
[monitor:///cental/gateway/]
index = sophos
sourcetype = sophos:utm:firewall
disabled = 0
```
All my logs are going to the main index.
If I move the index and sourcetype parameters above to [monitor:///cental/gateway/], then I can see the logs under index=sophos.
**How can I solve this?**
In future I will have logs from more data sources, and I want to index them under different index names.
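For the first part, the reason local messages also land under /central is that `*.* ?RemoteLogs` sits in the default ruleset, which every message (local and remote) passes through. The usual fix is to bind the UDP listener to its own ruleset so only messages received on port 514 hit the dynafile action. The configuration below is an added example, not the poster's config; it assumes rsyslog 7 or newer (RainerScript syntax), the file name /etc/rsyslog.d/10-central.conf, and the same /central layout as the post.

```conf
# /etc/rsyslog.d/10-central.conf  (added example; file name is an assumption)
# Requires rsyslog 7+ for this syntax. The old "*.* ?RemoteLogs" / "&stop"
# lines must be removed from /etc/rsyslog.conf, otherwise local messages
# still match them before this file is reached.

module(load="imudp")

# %HOSTNAME% is whatever the sender wrote in the syslog header, so a client
# could claim HOSTNAME="../etc". secpath-replace turns every "/" into "_",
# which keeps the dynafile path inside /central.
template(name="RemoteLogs" type="string"
         string="/central/%HOSTNAME:::secpath-replace%/%HOSTNAME:::secpath-replace%.log")

# Only messages that arrive on the UDP input are processed by this ruleset;
# local messages (imuxsock/imjournal in the main config) never see it.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# Bind the listener to the ruleset instead of the default one.
input(type="imudp" port="514" ruleset="remote")
```

The legacy equivalent is `$RuleSet remote` around the template/action lines followed by `$InputUDPServerBindRuleset remote` placed before `$UDPServerRun 514`. If the directory name needs to be something the sender cannot pick freely, use `%FROMHOST-IP%` instead of `%HOSTNAME%`; it is taken from the receiving socket rather than from the message header (it can still be spoofed over UDP, but not chosen per message by a legitimate but misconfigured client). Check the result with `rsyslogd -N1` before restarting.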
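For the second part, each `[monitor://...]` stanza carries its own `index` and `sourcetype`; anything under `[default]` applies to every stanza in the file and is not the place for per-source routing. The inputs.conf below is an added example, not the poster's file; it assumes the Sophos directory is /central/gateway/ (matching the /central path used by the rsyslog template) and adds a hypothetical second source at /central/switch01/ to show how further indexes are added.

```conf
# /opt/splunkforwarder/etc/system/local/inputs.conf  (added example)
# One stanza per data source, each with its own index and sourcetype.
# The index named here must already exist on the indexer (indexes.conf);
# events sent to a non-existent index are dropped with an error in
# the indexer's splunkd.log.

[monitor:///central/gateway/]
index = sophos
sourcetype = sophos:utm:firewall
disabled = 0

# Hypothetical second source: rsyslog writes /central/switch01/switch01.log.
# host_segment = 2 sets the event host from the second path segment,
# i.e. the per-device directory rsyslog created, instead of the syslog server.
[monitor:///central/switch01/]
index = network
sourcetype = syslog
host_segment = 2
disabled = 0
```

After restarting the forwarder, `splunk list monitor` shows which paths are actually being tailed, and `splunk btool inputs list --debug` shows the merged settings and the file each one came from, which is the quickest way to see whether a stray `index` in another inputs.conf (for example under an app's local directory) is overriding the stanza.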