I have a syslog feed sending me firewall data from a Linux system. It calls that sourcetype syslog, of course.
I'm following the docs here:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Createsourcetypes
and have added the stanza in my props.conf:
[source::/var/log/firewall.log]
sourcetype = firewall
And it doesn't work.
I see in some places (online docs and answers, and in the default/props.conf) that it uses the stanza format with leading "...":
[source::.../var/log/firewall.log]
sourcetype = firewall
I tried that as well; it didn't work.
True to Splunk documentation, it doesn't say WHERE in a clustered environment I need to put this. So I slowly added it at every level, and it still doesn't work. I added that props to the forwarders. I added it to the indexers (deployed via master). I added it to the search heads.
Thoughts?
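As an added illustration (not part of the question above, and not Splunk's own code), the sketch below models how a props.conf [source::...] stanza pattern is matched against an event's source value. The wildcard semantics it assumes are the documented ones: "..." matches any run of characters including "/", while "*" matches any run except "/", and the pattern must match the whole source string. The two stanza forms from the question are loaded as constructed sample config; the source values, including the hypothetical network-input name "udp:514", are constructed test inputs. Stanza precedence is simplified to first match (Splunk's real precedence rules and the priority setting are not modelled).

```python
import re


def stanza_to_regex(pattern: str) -> "re.Pattern[str]":
    """Convert a props.conf source:: wildcard pattern to an anchored regex.

    Assumed Splunk semantics: '...' matches anything including '/',
    '*' matches anything except '/', everything else is literal, and the
    pattern must cover the entire source string.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def matching_sourcetype(props: dict, source: str):
    """Return the sourcetype of the first source:: stanza matching `source`.

    `props` mirrors a parsed props.conf: {stanza_name: {key: value}}.
    Precedence is simplified to "first stanza that matches" (an assumption;
    Splunk's real precedence rules are richer than this).
    """
    for stanza, settings in props.items():
        if not stanza.startswith("source::"):
            continue
        pattern = stanza[len("source::"):]
        if stanza_to_regex(pattern).match(source):
            return settings.get("sourcetype")
    return None


# Constructed sample config: the two stanza forms from the question.
PROPS = {
    "source::/var/log/firewall.log": {"sourcetype": "firewall"},
    "source::.../var/log/firewall.log": {"sourcetype": "firewall"},
}


def diagnose(props: dict, sources):
    """Map each constructed source value to the sourcetype it would receive."""
    return {src: matching_sourcetype(props, src) for src in sources}


if __name__ == "__main__":
    # Constructed source values: a monitored file path, the same path under a
    # different prefix, and a hypothetical network input name.
    for src, st in diagnose(
        PROPS, ["/var/log/firewall.log", "/data/var/log/firewall.log", "udp:514"]
    ).items():
        print(f"{src!r} -> {st}")
```

Running it shows that both stanza forms match a monitored file path, so the stanza syntax itself is not what decides the outcome; the decisive input is the actual value of the source field on the indexed events, which a network-style source name such as the constructed "udp:514" would never match. Checking that field in search before adjusting the stanza is the cheap first diagnostic.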