topic Re: Configuring Splunk syslog Server in All Apps and Add-ons

Configuring Splunk syslog Server- Where to find the server?

DavidHourani — Tue, 21 Jun 2022 15:21:55 GMT

Hello Splunkers,

Anyone knows where to find the syslog server configuration for Splunk ?

I need to change the fields that are added by splunk when it receives the data. I am getting the timestamp+hostname added by the syslogd but instead i need to add timestamp+IP. I am currently using UDP syslog. I tried modifying the "host" and "connection_host" in the inputs.conf but nothing seems to change I keep getting the VIP name as hostname. The indexer is currently receiving on port 514 and it is a windows server.

Regards,
David

Re: Configuring Splunk syslog Server

sshelly_splunk — Tue, 25 Oct 2016 14:38:37 GMT

I think this might solve your problem. In inputs.conf for this input, set
connection_host=ip
Are you sure the data coming in has ip address and not hostnames in the events ?

Re: Configuring Splunk syslog Server

DavidHourani — Tue, 25 Oct 2016 15:37:17 GMT

Hello sshelly,
Thank you for your reply.
I am using UDP and connection_host is a TCP parameter. Also I tried changing the "host" field in the input and setting it to random values and it wasn't taken into consideration by splunk..

Re: Configuring Splunk syslog Server

sshelly_splunk — Tue, 25 Oct 2016 17:04:02 GMT

David - I checked input.conf spec, and if you go down to look at UDP section, connection_host is there as well as an option. Can u possibly share your current inputs.conf ?

Re: Configuring Splunk syslog Server

gjanders — Wed, 26 Oct 2016 01:08:19 GMT

As per sshelly's comment connection_host should fix your issue. If you want more flexibility you might consider something like syslogNG, I have provided an example here

Re: Configuring Splunk syslog Server

DavidHourani — Wed, 26 Oct 2016 08:36:00 GMT

None of this is working..My questions is about syslog config file in splunk, like the "syslog.conf" file on linux.. I want to find the root configuration for the syslog that splunk is running. .

Re: Configuring Splunk syslog Server

hardikJsheth — Wed, 26 Oct 2016 08:56:26 GMT

There isn't any syslog.conf file in Splunk. I think Splunk starts a process which runs on specific port for tcp/udp connection.

In addition to what others have suggested, we have used props /transforms to selectively update index/source type depending on specific condition.

    Props.conf 
    [syslog]
    TRANSFORMS-feye = fytest


    transforms.conf
    [fytest]
    REGEX = 10\.35\.136\.91|10\.35\.136\.90|10\.39\.132\.68
    REGEX = 10.35.136.9[01]|10.35.136.89|10.39.132.6[89]|10.39.132.70
    DEST_KEY=_MetaData:Index
    FORMAT=abc

Re: Configuring Splunk syslog Server

DavidHourani — Tue, 29 Sep 2020 11:33:24 GMT

Hello Splunkers,

This took me a while to figure out and I couldn't find it documented beside in a comment on anwser https://answers.splunk.com/answers/153831/cannot-change-host-field-in-syslog-data.html (if anyone does find the doc for it please link it here)...
When the sourcetype syslogis used the host field value is extracted automatically from the data regardless of what is configured as host or connection_host in the input.conf. syslog sourcetype takes the value that is right after the date in the message and considers it the host.
The solution was simply to use a different sourcetype name for the udp input and then apply the connection_host=ip configuration

Re: Configuring Splunk syslog Server

sshelly_splunk — Tue, 29 Sep 2020 11:33:40 GMT

I am sorry. I didn't think of the "default" syslog sourcetype (as garethatiag pointed out). I would copy/paste the syslog sourcetype (found in $SPLUNK_HOME/etc/system/default/props.conf, and paste into $SPLUNK_HOME/etc/system/local/props.conf the following. You may need to "play" with it a bit, but I think that should suffice.

[mynewsyslog]
pulldown_type = true
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32

remove following line

TRANSFORMS = syslog-host

insert following line

connection_host = ip
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False
category = Operating System
description = Mysyslog sourcetype to accomadate ip for host as opposed to hostname for host

Re: Configuring Splunk syslog Server

DavidHourani — Wed, 26 Oct 2016 13:10:05 GMT

dude don't say you're sorry lol you rock, thank you very much for your help 😄

Re: Configuring Splunk syslog Server

nagarjunay — Mon, 20 Jun 2022 03:59:49 GMT

template (name="trendmicro" type="string" string="/PROD/trendmicro/%fromhost-ip%/trendmicro.log")
template (name="asa" type="string" string="/PROD/asa/%fromhost-ip%/asa.log")

ruleset(name="remote-udp"){
if $fromhost-ip == '10.100.' then { action(type="omfile" dynafile="trendmicro") }
if $fromhost-ip == '10.0.4' then { action(type="omfile" dynafile="trendmicro") }
if $fromhost-ip == '10.135.' or $fromhost-ip == '10.0.' then { action(type="omfile" dynafile="asa") }
if $fromhost-ip=='10.19' or $fromhost-ip == '10.19' then { action(type="omfile" dynafile="fireeye") }

stop

}

# bind ruleset to tcp listener and activate it:
input(type="imudp" port="514" ruleset="remote-udp")

template (name="rsyslog-fmt" type="string"
string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
)

template (name="Checkpoint" type="string" string="/var/log/splunk/Checkpoint/%HOSTNAME%/checkpoint.log")

template (name="Checkpoint_sys" type="string" string="/var/log/splunk/Checkpoint_sys/%HOSTNAME%/checkpoint.log")

template (name="F5" type="string" string="/var/log/splunk/F5/%HOSTNAME%/f5_waf.log")

ruleset (name="network-logs") {
#if $HOSTNAME startswith "SCMD-SPL-DEPS" then { action (type="omfile" dynafile="test" template="rsyslog-fmt") stop }

#if $fromhost-ip=="10.40.71" then { action (type="omfile" dynafile="test" template="rsyslog-fmt") stop }

action (type="omfile" file="/var/log/splunk/uncategorised.log" template="rsyslog-fmt-unc") stop
}

#input (type="imtcp" port="514" ruleset="network-logs")