Configure inputs

Configure a syslog input using Splunk Connect for Syslog

Splunk recommends configuring syslog inputs with Splunk Connect for Syslog. For instructions, see the Log Exporter (Syslog) documentation.

Configure a syslog input with Splunk Web

  1. Configure a syslog input as described in Add a network input using Splunk Web.
  2. Set the sourcetype to cp_log or cp_log:syslog.

Configure a syslog input via Backend

  1. Open or create $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint_log_exporter/local/inputs.conf.
  2. If you are using TCP, copy and paste the following stanza into the file, replacing the sourcetype placeholder with one of the two listed values:

    [tcp://514]
    sourcetype = <cp_log|cp_log:syslog>
    disabled = false

  3. If you are using UDP, copy and paste the following stanza into the file, replacing the sourcetype placeholder in the same way:

    [udp://514]
    sourcetype = <cp_log|cp_log:syslog>
    disabled = false

  4. If you are using forwarders, configure forwarding by defining tcp outputs and then enabling a receiver.

  5. Restart the Splunk platform. If you have a distributed deployment, restart your forwarder and indexers.

Verify your input is working

If you have a distributed deployment, run the following search on your search head to check that the Splunk platform is indexing events from your Check Point Log Exporter logs:

    index=* sourcetype=cp_log*