We are currently deploying Splunk Connect for Syslog (SC4S) and need expert assistance to resolve data ingestion issues and ensure correct parsing and mapping of incoming syslog messages (including Cisco logs, test logs, and fallback events).
Current Environment:
SC4S running in Docker on Ubuntu
Splunk HEC is configured and accepting test events via curl
Custom logger test messages reach SC4S but end up in fallback handling or produce 400 status codes from HEC
Logs are not appearing under the expected sourcetypes (for example cisco:ios)
Goals:
Ensure test and real device syslogs are parsed correctly and mapped to the correct sourcetypes
Eliminate fallback routing and 400 errors
Validate that data is ingested into Splunk under the expected sourcetypes (e.g., cisco:ios, cef)
Help create clean override configs if needed
Deliverables:
Working SC4S setup routing and parsing logs correctly
At least one test log type (e.g., CEF or Cisco) confirmed working end-to-end
Brief documentation of steps or changes applied
Preferred Skills:
Experience with SC4S
Splunk HEC and sourcetype mapping knowledge
Syslog formats and logger simulation familiarity
Docker and Linux experience
Timeline: ASAP — Immediate availability preferred