I have some questions concerning a Splunk deployment i'm working on, we have a single Splunk instance and we want to forward all the logs from network equipment to it directly.
Can we send all the data to UDP/514 while defining multiple sourcetypes, since the default syslog port cannot be changed in some devices.
is it possible to set multiple listeners with the same port somthing along "host::port"
"host_ip_1:514"
"host_ip_2:514"
.
.
etc.
We're afraid that if we just open the UDP/514 and dump all the data with only one sourcetype defined (syslog), it'll be harder to manage the data and integrate it with some Splunk Apps that require specific sourcetypes.
what would you suggest?
Excuse the rookie question, i'm new to splunk.
↧