topic Re: getting logs from unexcepted hosts in Getting Data In

Why am I getting logs from unexcepted hosts?

__Sebastian — Mon, 06 Jun 2022 03:42:56 GMT

Hello All,

I have integrated UF with splunk v8.2 but getting unnecessary host from where I'm getting logs. Not sure how they started sending logs. Is there a way I can stop and check it, why it started and how I can stop them? Below screenshot for reference

Re: getting logs from unexcepted hosts

gcusello — Sun, 05 Jun 2022 05:50:53 GMT

Hi @__Sebastian,

the first ting you should do is to understand which kind of unwanted logs you are receiving. from Forwarders or from syslogs.

Viewing you screenshot the seems to be syslogs.

Anyway, if the come from syslogs, you have to go in those systems and stop syslogs sending.

If instead they come from Forwarders, you have to stop (and eventually remove) the Forwarder on these systems.

In addition I can say that the hostnames are very strange, maybe is there an host overriding configuration o your Indexers?

You can check this, viewing props.conf and transforms.conf on your Indexers (https://docs.splunk.com/Documentation/Splunk/latest/Data/Overridedefaulthostassignments).

Ciao.

Giuseppe

Re: getting logs from unexcepted hosts

__Sebastian — Sun, 05 Jun 2022 06:00:23 GMT

Thanks @gcusello for a quick response. I have just installed UF on CentOS 8 and enabled only /var/log in inputs.conf.

the hostname "uf" is what I'm expecting but not sure from why I'm getting data from other hosts. And I don't have any host in my setup with such names. Is there way, I can check why it's fetching data from these, when I have only 1 entry in my inputs.conf

BR,

__Sebastian

Re: getting logs from unexcepted hosts

gcusello — Sun, 05 Jun 2022 09:34:10 GMT

Hi @__Sebastian,

for logs coming from Forwarders, hostname is usually setted in:

by default:
- $SPLUNK_HOME/system/local/server.conf
- $SPLUNK_HOME/system/local/inputs.conf
on UF overriding:
- all inputs.conf
in Indexers or (uf present) on Heavy Forwarders
- on props.conf.

for logs coming from syslogs (usually the ones with an IP address as hostname) are setted in inputs.conf.

So you should read the logs with unexpected hostnames and understand what kind of logs they are: syslogs or from Forwarders.

Then you can analyze the conf files to underatand where the hostname is conigured.

Ciao.

Giuseppe

Re: getting logs from unexcepted hosts

__Sebastian — Sun, 05 Jun 2022 15:31:57 GMT

@gcusello As I'm having a test setup, I have deleted all logs. And now I'm only getting logs from defined hosts.

I'll keep it under observation, and will see if it occurs again.

Thanks for your help & detailed explanation.

Re: getting logs from unexcepted hosts

gcusello — Sun, 05 Jun 2022 15:35:13 GMT

Hi @__Sebastian,

when you'll finish the observation, remember to accept an answer for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated ,-)

Re: getting logs from unexcepted hosts

PickleRick — Sun, 05 Jun 2022 17:38:36 GMT

If you enabled /var/log in general as a single sourcetype, you will get many different types of logs ingested but treated the same way. That's not the way to go. Don't mix different types of input data within a single inputs.conf stanza.

You should have a separate well-defined stanza for all "syslog-like" files like /var/log/messages, separate for other types (I don't know what's happening on your system and what kinds of data you're pulling). Otherwise all those different files from /var/log are getting treated the same way even though they contain data in different formats. That's why your "host" is getting parsed wrongly from many events.