From 661a4e4258902c5efb37c0ca81a8fca6457fcc46 Mon Sep 17 00:00:00 2001 From: Mark Bonsack Date: Fri, 8 May 2020 10:15:10 -0700 Subject: [PATCH] Refine multiple unique port docs * Refine multiple unique ports docs; change section it appears in --- docs/configuration.md | 4 ---- docs/sources/index.md | 10 ++++++++++ 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index 6f707fd..38bca4b 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -113,10 +113,6 @@ and/or move them to an archival system to avoid exhaustion of disk space. | SC4S_SOURCE_LISTEN_UDP_SOCKETS | 5 | Number of kernel sockets per active UDP port, which configures multi-threading of the UDP input buffer in the kernel to prevent packet loss. Total UDP input buffer is the multiple of SC4S_SOURCE_LISTEN_UDP_SOCKETS * SC4S_SOURCE_UDP_SO_RCVBUFF | | SC4S_SOURCE_STORE_RAWMSG | undefined or "no" | Store unprocessed "on the wire" raw message in the RAWMSG macro for use with the "fallback" sourcetype. Do _not_ set this in production; substantial memory and disk overhead will result. Use for log path/filter development only. | -### Multiple listening ports for the same source - -SC4S supports multiple network listening ports useful for a narrow set of compliance use cases. When configuring a source port variable use a comma ',' separated list with no spaces. - ## Syslog Source TLS Certificate Configuration * Create a folder ``/opt/sc4s/tls`` if not already done as part of the "getting started" process. diff --git a/docs/sources/index.md b/docs/sources/index.md index 8a416bf..c709a62 100644 --- a/docs/sources/index.md +++ b/docs/sources/index.md 
@@ -19,3 +19,13 @@ A key aspect of SC4S is to properly set Splunk metadata prior to the data arrivi It is understood that default values will need to be changed in many installations. Each source documented in this section has a table entitled "Sourcetype and Index Configuration", which highlights the default index and sourcetype for each source. See the section "SC4S metadata configuration" in the "Configuration" page for more information on how to override the default values in this table. +## Unique listening ports + +SC4S supports unique listening ports for each source technology/log path (e.g. Cisco ASA), which is useful when the device is +sending data on a port different from the typical default syslog port (UDP port 514). In some cases, when the source device emits data that +is not able to be distinguished from other device types, a unique port is sometimes required. The specific environment variables used for +setting "unique ports" are outlined in each source document in this section. + +In most cases only one "unique port" is needed for each source. However, SC4S also supports multiple network listening ports per source, +which can be useful for a narrow set of compliance use cases. When configuring a source port variable to enable multiple ports, use a +comma-separated list with no spaces (e.g. `SC4S_LISTEN_CISCO_ASA_UDP_PORT=5005,6005`).
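Review bot: In the docs/configuration.md hunk, dropping the "Multiple listening ports for the same source" section leaves the configuration page with no pointer to where the comma-separated port syntax now lives, even though the surrounding table (SC4S_SOURCE_LISTEN_UDP_SOCKETS, SC4S_SOURCE_UDP_SO_RCVBUFF) is where readers go to tune listeners. Consider keeping a one-line cross-reference in place of the removed section, e.g. "Per-source unique and multiple listening ports are described under 'Unique listening ports' in the Sources section," so that readers of this page are not left unaware that port variables accept a list.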
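Review bot: In the docs/sources/index.md hunk, the new section does not mention the resource cost of the multi-port example `SC4S_LISTEN_CISCO_ASA_UDP_PORT=5005,6005`, while the table in the other hunk states that SC4S_SOURCE_LISTEN_UDP_SOCKETS is allocated "per active UDP port" and that total UDP buffer is SC4S_SOURCE_LISTEN_UDP_SOCKETS * SC4S_SOURCE_UDP_SO_RCVBUFF; suggest adding a sentence that each additional port in the list allocates its own set of kernel sockets and receive buffers, and that only ports actually used by the device should be listed. Separately, the sentence "In some cases, when the source device emits data that is not able to be distinguished from other device types, a unique port is sometimes required." doubles up "In some cases" and "sometimes"; "A unique port is required when the source device emits data that cannot be distinguished from other device types." reads more cleanly.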