topic Re: Information missing on Splunk syslog in Getting Data In

Information missing on Splunk syslog

are0002 — Wed, 13 Jun 2012 16:15:41 GMT

Hi,

I have a network device that sends to Splunk syslog messages using udp 514. The messages are like:

Wed Jun 13 17:37:09 2012: <182>receive event capwap disconnect: eventid = 88: length = 0
Wed Jun 13 17:37:46 2012: <182>[wifi]: wifi0: reduce CCA to 49
Wed Jun 13 17:37:51 2012: <182>CAPWAP: capwap predefine server name file isn't exist.
(this messages are captued using tftpd32 syslog server)

When I receive these messages in Splunk I see that string "<182>" is missed. I used "Show source" option search view, and I got this messages:

Jun 13 17:37:09 213.96.11.95 receive event capwap disconnect: eventid = 88: length = 0
Jun 13 17:37:46 213.96.11.95 [wifi]: wifi0: reduce CCA to 49
Jun 13 17:37:51 213.96.11.95 CAPWAP: capwap predefine server name file isn't exist.

Does anyone know what's happening?

Regards,

Re: Information missing on Splunk syslog

are0002 — Wed, 13 Jun 2012 16:20:38 GMT

I can see in the network capture that <182> is the syslog level info.
It seems Splunk does not analyse syslog protocol correctly.

Re: Information missing on Splunk syslog

are0002 — Wed, 13 Jun 2012 16:26:51 GMT

I found a similar case:

http://splunk-base.splunk.com/answers/31036/syslog-facility-and-severity-loglevel

http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports?r=searchtip

Re: Information missing on Splunk syslog

JoeIII — Mon, 28 Sep 2020 14:21:30 GMT

To elaborate on the earlier answer:

By default, splunk strips the syslog priority from incoming syslog messages.

to stop this behavior, add "no_priority_stripping = true" to your syslog source.

there is an app on splunkbase syslog_priority_lookup that will extract this and create facility and severity fields at search time - very useful information.