topic Syslog Server to Splunk showing incorrect host - During Splunk test before implementation in Getting Data In

Syslog Server to Splunk showing incorrect host - During Splunk test before implementation

j666gak — Mon, 28 Sep 2020 11:32:23 GMT

Currently at the company I work for we are runing a trial on Splunk for a couple of months to check that it meets our requirements.

Currently all events are being forwarded on to the Splunk server directly for the syslog server, meaning that the syslog server is seen as the host on every occasion is there anyway this can be changed to the end host name?

In an example entry below the second IP in bold is the host that should be listed as the host within Splunk instead of the Syslog server. Is there anyway to change this? I would only be for the duration of the test, and I understand the syslog should be going directly to Splunk but hope there is a way to resolve this in the meantime.

Mar 19 13:57:37 172.X.X.X Mar 19 13:57:39 172.X.X.X auditd: date="2012-03-19 13:57:39 +0000",fac=f_kernel_ipfilter,area=a_general_area,type=t_nettraffic,pri=p_major,hostname=server.domain.com,event="session end",application=ALL-TCP-UDP,netsessid=e0e4a4f673b53,srcip=172.X.X.X,srcport=0000,srczone=rDMZ_VLAN401,protocol=6,dstip=192.168.1.1,dstport=0000,dstzone=DMZ_VLAN,bytes_written_to_client=0,bytes_written_to_server=0,rule_name="WAN Sites to XXXXX",cache_hit=0,start_time="2012-03-19 13:57:39 +0000"

host=SYSLOG SERVER   Options|  
sourcetype=syslog   Options|  
source=udp:514   Options

Appreciate any help
Thanks

Re: Syslog Server to Splunk showing incorrect host - During Splunk test before implementation

Ayn — Mon, 19 Mar 2012 15:23:35 GMT

Sure.

For the syslog sourcetype, Splunk already does something similar to this. Just that you seem to have another layer of syslog host forwarding going on. 🙂
By default, logs with sourcetype syslog get the transform syslog-host applied to them. This is what it looks like (it's available in $SPLUNK_HOME/etc/system/default/transforms.conf😞

[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1

If you want this transform to work differently, just redefine it (for instance in $SPLUNK_HOME/etc/system/local/transforms.conf). This transform should work in your case (I can't guarantee it's totally bulletproof though):

[syslog-host]
DEST_KEY = MetaData:Host
REGEX = ^(?:\S+\s+){7}(\S+)
FORMAT = host::$1

Re: Syslog Server to Splunk showing incorrect host - During Splunk test before implementation

mikelanghorst — Mon, 19 Mar 2012 15:36:49 GMT

There's a default transform available to strip the syslog header (date and host) from a syslog event: [syslog-header-stripper-ts-host]. Thought I was using this already for an exact example, but this should work. Assuming your syslog file is /my/folder/messages:

In a props.conf entry:
[source::/my/folder/messages]
TRANSFORMS-my_syslog=syslog-header-stripper-ts-host

Re: Syslog Server to Splunk showing incorrect host - During Splunk test before implementation

j666gak — Thu, 22 Mar 2012 16:43:36 GMT

That worked great, thanks for the help Ayn

Re: Syslog Server to Splunk showing incorrect host - During Splunk test before implementation

bambarit — Wed, 18 Nov 2020 03:28:26 GMT

sure, it will replace "host" field base on regex, and how to keep hostname of forwarder to new field?