<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: syslog differences between centos5 and 6 in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/syslog-differences-between-centos5-and-6/m-p/71142#M14472</link>
    <description>&lt;P&gt;And did you check the raw output from rsyslog, after you restarted it, to ensure it had only the one timestamp?&lt;/P&gt;</description>
    <pubDate>Tue, 14 Feb 2012 22:44:51 GMT</pubDate>
    <dc:creator>Linegod</dc:creator>
    <dc:date>2012-02-14T22:44:51Z</dc:date>
    <item>
      <title>syslog differences between centos5 and 6</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/syslog-differences-between-centos5-and-6/m-p/71138#M14468</link>
      <description>&lt;P&gt;Hi everyone,&lt;BR /&gt;
I'm noticing that my centos 6 (rsyslog) hosts are showing up differently in splunk compared to my cent5 (syslog) hosts.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;cent6:
Feb 13 17:22:15 rsyslog6client.domain.com Feb 13 17:22:15 rsyslog6client sshd[30586]: pam_unix(sshd:session): session closed for user dmurphy

cent5: 
Feb 13 17:22:21 syslog5client.domain.com sshd[13812]: pam_unix(sshd:session): session closed for user dmurphy
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Notice the double timestamp and host on the cent6 box. Any ideas what might be causing that?  Not sure if it's syslog adding it, or splunk adding stuff when parsing. &lt;/P&gt;</description>
      <pubDate>Mon, 13 Feb 2012 22:31:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/syslog-differences-between-centos5-and-6/m-p/71138#M14468</guid>
      <dc:creator>infinitiguy</dc:creator>
      <dc:date>2012-02-13T22:31:21Z</dc:date>
    </item>
    <item>
      <title>Re: syslog differences between centos5 and 6</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/syslog-differences-between-centos5-and-6/m-p/71139#M14469</link>
      <description>&lt;P&gt;Rsyslog replaced syslog in CentOS 6.&lt;/P&gt;

&lt;P&gt;Odds are, it is configured to use RSYSLOG_TraditionalFileFormat&lt;/P&gt;

&lt;P&gt;&lt;A href="http://www.rsyslog.com/doc/rsyslog_conf_templates.html" target="_blank"&gt;http://www.rsyslog.com/doc/rsyslog_conf_templates.html&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 11:23:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/syslog-differences-between-centos5-and-6/m-p/71139#M14469</guid>
      <dc:creator>Linegod</dc:creator>
      <dc:date>2020-09-28T11:23:58Z</dc:date>
    </item>
    <item>
      <title>Re: syslog differences between centos5 and 6</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/syslog-differences-between-centos5-and-6/m-p/71140#M14470</link>
      <description>&lt;P&gt;spot on. &lt;BR /&gt;
So now the question is, which format do I want?  I'm thinking either RSYSLOG_FileFormat or RSYSLOG_ForwardFormat?  Do you know which will give me entries similar to the below in splunk?&lt;/P&gt;

&lt;P&gt;Feb 13 17:22:21 syslog5client.domain.com sshd[13812]: pam_unix(sshd:session): session closed for user dmurphy&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 11:24:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/syslog-differences-between-centos5-and-6/m-p/71140#M14470</guid>
      <dc:creator>infinitiguy</dc:creator>
      <dc:date>2020-09-28T11:24:02Z</dc:date>
    </item>
    <item>
      <title>Re: syslog differences between centos5 and 6</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/syslog-differences-between-centos5-and-6/m-p/71141#M14471</link>
      <description>&lt;P&gt;hrm - not so sure that is it.  I just tried every format listed on that page - except for debug, and the timestamps never changed in splunk - still getting the duplicates.&lt;/P&gt;</description>
      <pubDate>Tue, 14 Feb 2012 14:45:00 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/syslog-differences-between-centos5-and-6/m-p/71141#M14471</guid>
      <dc:creator>infinitiguy</dc:creator>
      <dc:date>2012-02-14T14:45:00Z</dc:date>
    </item>
    <item>
      <title>Re: syslog differences between centos5 and 6</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/syslog-differences-between-centos5-and-6/m-p/71142#M14472</link>
      <description>&lt;P&gt;And did you check the raw output from rsyslog, after you restarted it, to ensure it had only the one timestamp?&lt;/P&gt;</description>
      <pubDate>Tue, 14 Feb 2012 22:44:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/syslog-differences-between-centos5-and-6/m-p/71142#M14472</guid>
      <dc:creator>Linegod</dc:creator>
      <dc:date>2012-02-14T22:44:51Z</dc:date>
    </item>
    <item>
      <title>Re: syslog differences between centos5 and 6</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/syslog-differences-between-centos5-and-6/m-p/71143#M14473</link>
      <description>&lt;P&gt;Is it possible that rsyslog is sending stuff over in a way that splunk doesn't know how it should be tagged so it's not doing any stripping?  Doesn't seem right because both are appearing under sourcetype=syslog.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Feb 2012 14:53:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/syslog-differences-between-centos5-and-6/m-p/71143#M14473</guid>
      <dc:creator>infinitiguy</dc:creator>
      <dc:date>2012-02-15T14:53:11Z</dc:date>
    </item>
    <item>
      <title>Re: syslog differences between centos5 and 6</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/syslog-differences-between-centos5-and-6/m-p/71144#M14474</link>
      <description>&lt;P&gt;Check the blog for more details.&lt;/P&gt;

&lt;P&gt;&lt;A href="http://onlinedocs.info/setup-a-remote-syslog-server-in-centos-6/"&gt;http://onlinedocs.info/setup-a-remote-syslog-server-in-centos-6/&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 07 Mar 2013 05:41:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/syslog-differences-between-centos5-and-6/m-p/71144#M14474</guid>
      <dc:creator>ananyaulikkar</dc:creator>
      <dc:date>2013-03-07T05:41:01Z</dc:date>
    </item>
  </channel>
</rss>

