# Simple Log path by port

The SIMPLE source configuration lets you define a log path for SC4S that maps a single port (or list of ports) to a single index/sourcetype combination, so that new sources not yet formally supported in the product can be onboarded quickly. Source data must use RFC5424 or a common variant of RFC3164 formatting.

- NOTE: This is an interim step that should be used only to quickly onboard well-formatted data that is being sent over a unique port. A dedicated log path should be developed for the data source to facilitate further parsing and enrichment, and to allow the data source to be sent over the default (514) listening port.

## Splunk Metadata with SIMPLE events
The keys (first column) in `splunk_metadata.csv` for SIMPLE data sources are user-created keys in the `vendor_product` form (lower case, with an underscore separating vendor and product). For example, to onboard a new product "first firewall" using a sourcetype of `first:firewall` and an index of `netfw`, add the following two lines to `splunk_metadata.csv`:

```
first_firewall,index,netfw
first_firewall,sourcetype,first:firewall
```
For the variables below, replace `VENDOR_PRODUCT` with the key (converted to upper case) used in `splunk_metadata.csv`. Based on the example above, to establish a TCP listener for `first_firewall` we would set `SC4S_LISTEN_SIMPLE_FIRST_FIREWALL_TCP_PORT`.

| Variable | Default | Description |
|---|---|---|
| `SC4S_LISTEN_SIMPLE_VENDOR_PRODUCT_UDP_PORT` | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
| `SC4S_LISTEN_SIMPLE_VENDOR_PRODUCT_TCP_PORT` | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
| `SC4S_LISTEN_SIMPLE_VENDOR_PRODUCT_TLS_PORT` | empty string | Enable a TLS port for this specific vendor product using a comma-separated list of port numbers |
| `SC4S_ARCHIVE_SIMPLE_VENDOR_PRODUCT` | no | Enable archive to disk for this specific source |
| `SC4S_DEST_SIMPLE_VENDOR_PRODUCT_HEC` | no | When Splunk HEC is disabled globally, set to `yes` to enable it for this specific source |
- SIMPLE data sources must use RFC5424 or a common variant of RFC3164 formatting.
- Each SIMPLE data source must listen on its own unique port list. Port overlap with other sources, either SIMPLE ones or those served by regular log paths, is not allowed and will cause an error at startup.
- The key(s) chosen for `splunk_metadata.csv` must be in the form `vendor_product` (lower case, with an underscore separating vendor and product).
- These same keys can be used for a regular SC4S log path developed in the future.
- SIMPLE environment variables must have a core of `VENDOR_PRODUCT` (the key converted to upper case) that exactly matches the key used in `splunk_metadata.csv`.
- Take care to remove the SIMPLE form of these `LISTEN` variables after a regular SC4S log path is developed for a given source. You can, of course, continue to listen for this source on the same unique ports after having developed the new log path, but use the `SC4S_LISTEN_<VENDOR_PRODUCT>_<protocol>_PORT` form of the variable to ensure the newly developed log path will listen on the specified unique ports.
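The rules above are easy to violate by hand, and a port collision only surfaces as an error when the container starts. The following pre-flight check is an added example, not part of the SC4S documentation or code base: it derives the SIMPLE listen variable name from a metadata key, and checks a constructed `splunk_metadata.csv` and env file against the constraints listed on this page (lower-case `vendor_product` keys, an upper-case core that matches a key, and no port shared between listeners). It assumes `splunk_metadata.csv` rows are `key,metadata,value` and that the env file (`/opt/sc4s/env_file` in a standard install, assumed here) is plain `NAME=value` lines; it also treats a TLS listener as a TCP socket, so a TLS and a TCP listener on the same number are reported as a collision while UDP and TCP on the same number are not.

```python
"""Pre-flight check for SC4S SIMPLE log-path settings.

Added example, not part of the SC4S documentation or code base. Assumptions:
  - splunk_metadata.csv rows are `key,metadata,value` (constructed sample below);
  - the env file is `NAME=value` lines (docker/podman --env-file style);
  - the rules on the page: lower-case `vendor_product` keys, an upper-case
    VENDOR_PRODUCT core in SC4S_LISTEN_SIMPLE_<core>_<proto>_PORT, and no
    port shared between listeners on the same transport.
"""
import csv
import io
import re

# Constructed sample inputs; not from a real deployment.
METADATA_CSV = """\
first_firewall,index,netfw
first_firewall,sourcetype,first:firewall
second_proxy,index,netproxy
second_proxy,sourcetype,second:proxy
"""

ENV_FILE = """\
SC4S_LISTEN_SIMPLE_FIRST_FIREWALL_TCP_PORT=5514
SC4S_LISTEN_SIMPLE_FIRST_FIREWALL_UDP_PORT=5514
SC4S_LISTEN_SIMPLE_SECOND_PROXY_TCP_PORT=5515,5516
SC4S_LISTEN_CISCO_ASA_TCP_PORT=5516
SC4S_LISTEN_SIMPLE_THIRD_THING_TCP_PORT=5517
"""

KEY_RE = re.compile(r"^[a-z0-9]+_[a-z0-9_]+$")
LISTEN_RE = re.compile(
    r"^SC4S_LISTEN_(?P<simple>SIMPLE_)?(?P<core>[A-Z0-9_]+)_(?P<proto>UDP|TCP|TLS)_PORT$"
)


def simple_listener_name(key, proto):
    """Derive the SIMPLE listen variable name from a splunk_metadata.csv key."""
    return f"SC4S_LISTEN_SIMPLE_{key.upper()}_{proto.upper()}_PORT"


def parse_metadata(text):
    """Return {key: {metadata: value}} from splunk_metadata.csv content."""
    out = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3 or row[0].startswith("#"):
            continue
        key, meta, value = (c.strip() for c in row[:3])
        out.setdefault(key, {})[meta] = value
    return out


def parse_env(text):
    """Return {NAME: value} from NAME=value lines, skipping blanks and comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        out[name.strip()] = value.strip()
    return out


def check_config(metadata_text, env_text):
    """Return a list of problems; an empty list means the settings pass."""
    problems = []
    meta = parse_metadata(metadata_text)
    env = parse_env(env_text)

    for key, fields in meta.items():
        if not KEY_RE.match(key):
            problems.append(f"key {key!r} is not in lower-case vendor_product form")
        for needed in ("index", "sourcetype"):
            if needed not in fields:
                problems.append(f"key {key!r} has no {needed} row")

    # TLS listeners are TCP sockets, so TLS and TCP on the same number collide;
    # UDP and TCP on the same number do not.
    seen = {}  # (transport, port) -> variable that claimed it first
    for name, value in env.items():
        m = LISTEN_RE.match(name)
        if not m:
            continue
        core, proto = m.group("core"), m.group("proto")
        transport = "udp" if proto == "UDP" else "tcp"
        if m.group("simple") and core.lower() not in meta:
            problems.append(f"{name}: no splunk_metadata.csv key {core.lower()!r}")
        for port in value.split(","):
            port = port.strip()
            if not port:
                continue
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                problems.append(f"{name}: invalid port {port!r}")
                continue
            owner = seen.setdefault((transport, port), name)
            if owner != name:
                problems.append(f"{name}: {transport} port {port} already used by {owner}")
    return problems


if __name__ == "__main__":
    for problem in check_config(METADATA_CSV, ENV_FILE):
        print(problem)
```

Run against the constructed sample, the check reports two problems: the regular `cisco_asa` listener reuses TCP 5516 already claimed by the `second_proxy` SIMPLE listener, and `SC4S_LISTEN_SIMPLE_THIRD_THING_TCP_PORT` has no matching `third_thing` key in `splunk_metadata.csv`. The same check is useful when retiring a SIMPLE source: after the regular log path exists and the variable is renamed to the `SC4S_LISTEN_<VENDOR_PRODUCT>_<protocol>_PORT` form, a leftover SIMPLE variable on the same port shows up as a collision before startup.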