https://community.splunk.com/t5/Getting-Data-In/rsyslog-question/m-p/82427#M17073 <P>How do these messages differ from messages where the <CODE>%HOSTNAME%</CODE> works? Please post an example. You are right, though. This is not really a splunk issue...but I've run into similar problems some time ago, and had to resort to using the <CODE>$fromhost-ip</CODE> variable instead.</P> <P>This should work the same, but your files will be called 10.11.12.13.log etc, and in Splunk you'll get IP addresses as <CODE>host</CODE> instead of a hostname (if you use <CODE>host_regex</CODE> in <CODE>inputs.conf</CODE> to set the <CODE>host</CODE> field). If you have this setup as the sourcetype <CODE>syslog</CODE>, Splunk will check each and every message to set the <CODE>host</CODE> field, and might possibly fail for the same resaons that rsyslog does.</P> <P>Note that using $fromhost-ip will only work well if the devices send their logs directly to the rsyslog server, without relays.</P> <P>Hope this helps,</P> <P>Kristian</P> Thu, 10 Jan 2013 07:41:36 GMT kristian_kolb 2013-01-10T07:41:36Z https://community.splunk.com/t5/Getting-Data-In/rsyslog-question/m-p/82426#M17072 <P>Hi,</P> <P>This isn't a splunk question, but I figure this community probably has a lot of people who use rsyslog...</P> <P>I have my rsyslog.conf setup to use dynafiles, and messages are written out to specific files for each host:</P> <P>$template DynaFile,"/apps/log/system-%HOSTNAME%.log"<BR /> $FileOwner splunk<BR /> <EM>.</EM> -?DynaFile</P> <P>This config is working, except for one host. The hostname is not getting picked up for this host. I did notice that the messages are a little different (see below), but I'm not sure if that should cause rsyslog not to detect the host. I checked with engineering, and the messages are being directly from the device - there is no intermediary. Anyone ever seen this?</P> <P>Jan 9 08:54:49 01/09/2013: 08:54:49 hostxxxx PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 242099 : SPCBId 246946 - ClientIP 1.2.3.4 - ClientPort 60900 - VserverServiceIP 1.2.3.4 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "RC4-MD5 TLSv1 Non-Export 128-bit" - Session New<BR /> Jan 9 08:54:49 01/09/2013: 08:54:49 hostxxxx PPE-0 : UI CMD_EXECUTED 242100 : User aaaaa - Remote_ip 1.2.3.4 - Command "logout" - Status "Success"<BR /> Jan 9 08:54:51 01/09/2013: 08:54:51 hostxxxx PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 242101 : SPCBId 246947 - ClientIP 1.2.3.4 - ClientPort 60901 - VserverServiceIP 1.2.3.4 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "RC4-MD5 TLSv1 Non-Export 128-bit" - Session Reuse</P> Mon, 28 Sep 2020 13:04:35 GMT https://community.splunk.com/t5/Getting-Data-In/rsyslog-question/m-p/82426#M17072 a212830 2020-09-28T13:04:35Z https://community.splunk.com/t5/Getting-Data-In/rsyslog-question/m-p/82427#M17073 <P>How do these messages differ from messages where the <CODE>%HOSTNAME%</CODE> works? Please post an example. You are right, though. This is not really a splunk issue...but I've run into similar problems some time ago, and had to resort to using the <CODE>$fromhost-ip</CODE> variable instead.</P> <P>This should work the same, but your files will be called 10.11.12.13.log etc, and in Splunk you'll get IP addresses as <CODE>host</CODE> instead of a hostname (if you use <CODE>host_regex</CODE> in <CODE>inputs.conf</CODE> to set the <CODE>host</CODE> field). If you have this setup as the sourcetype <CODE>syslog</CODE>, Splunk will check each and every message to set the <CODE>host</CODE> field, and might possibly fail for the same resaons that rsyslog does.</P> <P>Note that using $fromhost-ip will only work well if the devices send their logs directly to the rsyslog server, without relays.</P> <P>Hope this helps,</P> <P>Kristian</P> Thu, 10 Jan 2013 07:41:36 GMT https://community.splunk.com/t5/Getting-Data-In/rsyslog-question/m-p/82427#M17073 kristian_kolb 2013-01-10T07:41:36Z