topic Re: Remove or disable the additional syslog header when using forwarding in Splunk Enterprise

Remove or disable the additional syslog header when using forwarding

giulia_casaldi — Fri, 23 Aug 2024 08:54:49 GMT

Hi,

I am currently dealing with some logs being forwarded via syslog to a third party system. The question is if there is an option to prevent splunk from adding an additional header to each message before it is forwarded. So there should be a way to disable the additional syslog header when using forwarding, so that the third party system receives the original message by removing the header.

Any ideas, can you give me a practical example?
I am trying to test by modifying the outputs.conf.

thanks,

Giulia

Re: Remove or disable the additional syslog header when using forwarding

PaulPanther — Fri, 23 Aug 2024 09:12:39 GMT

Please feel free to share your current outsputs.conf.

If you use the [syslog] stanza to forward the data to your third-party system no additional header should be added by splunk.

Forward data to third-party systems - Splunk Documentation

Re: Remove or disable the additional syslog header when using forwarding

giulia_casaldi — Fri, 23 Aug 2024 10:54:25 GMT

hello , this is the current example of the outputs.conf, but still the header is not gone:

[tcpout-server://xxxx..xxx:9997][tcpout-server://yyy.yyy.yyy:9997] [tcpout-server://zz.zzz.zzz:9997] [tcpout:default-autolb-group] server = xx.xxx.xxx:9997,yyy.yyy.yyy:9997,zz.zzz.zzz:9997 disabled = false [syslog] #defaultGroup = syslogGroup2 [syslog:syslogGroup1] server = aa.aaa.aa.a.:514 type = udp syslogSourceType = fortigate [syslog:syslogGroup2] server = bb.bbb.bbb:517 type = udp syslogSourceType = fortigate

can you give me an example of how i could fix it?

Thank you very much

Giulia

Re: Remove or disable the additional syslog header when using forwarding

PaulPanther — Fri, 23 Aug 2024 10:41:22 GMT

Please check the syslogSourceType and reconfigure it

syslogSourceType = <string>
* Specifies an additional rule for handling data, in addition to that
  provided by the 'syslog' source type.
* This string is used as a substring match against the sourcetype key. For
  example, if the string is set to "syslog", then all sourcetypes
  containing the string 'syslog' receive this special treatment.
* To match a sourcetype explicitly, use the pattern
  "sourcetype::sourcetype_name".
    * Example: syslogSourceType = sourcetype::apache_common
* Data that is "syslog" or matches this setting is assumed to already be in
  syslog format.
* Data that does not match the rules has a header, optionally a timestamp
  (if defined in 'timestampformat'), and a hostname added to the front of
  the event. This is how Splunk software causes arbitrary log data to match syslog expectations.
* No default.

outputs.conf - Splunk Documentation

Re: Remove or disable the additional syslog header when using forwarding

giulia_casaldi — Fri, 23 Aug 2024 12:35:25 GMT

identifying the correct sourcetype removed only one part of the header, still however it does not remove the priority and the other part of the header...
I had already tried that.
I thank you, do you have any other solutions?
Thank you,

Giulia

Re: Remove or disable the additional syslog header when using forwarding

giulia_casaldi — Tue, 03 Sep 2024 14:53:13 GMT

Hello everyone,
i found the solution with my team:
In addition to changing the output.conf by inserting the appropriate sourcetype.
the moment the header is still not removed we followed this procedure:
by going to change the following template definition of the rsyslog file on all UFs, removing %TIMESTAMP% %HOSTNAME% (the one that appears in the header) within the configuration.

bye,

G.