Hello community,
I'm planning to send ClearPass syslog to Splunk for long-term storage and analysis. I've read the tech note "ClearPass integration with Splunk v1", but my setup is going to be a bit different than what was documented. I'm not sending the syslog directly to Splunk over UDP 514, but via a syslog proxy instead, which will then forward the log to Splunk through port 9997.
Can this deployment work? And how should I configure Splunk in this case? Since the proxy will send logs to Splunk via a different port (not UDP 514), I'm not sure whether it works if I still configure Splunk to listen on UDP 514 per the instructions from the tech note.
Thank you,