topic Re: Hostname lost in forwarded syslog messages in Getting Data In

Hostname lost in forwarded syslog messages

micuzzu — Mon, 23 Jun 2014 16:19:27 GMT

Hi,
I have a central syslog server, collecting auth.* messages from many Linux hosts in the /var/log/secure file. Then they are forwarded to Splunk by a Universal Forwarder.
The problem is that Splunk sees all these messages with host = "syslog server".

What's the simplest method to use the real originating host, that is always present after date/time:

Jun 23 17:52:36 host01 sshd[12447]: pam_unix(sshd:session): session opened for user jsmith b
y (uid=0)

Re: Hostname lost in forwarded syslog messages

yannK — Mon, 23 Jun 2014 16:33:39 GMT

if you use the "syslog" sourcetype, then the host should be extracted from the events.

To understand the mechanism, look at the $SPLUNK_HOME/etc/default/props.conf [syslog]
and $SPLUNK_HOME/etc/default/transforms.conf [syslog-host]

DEST_KEY = MetaData:Host REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s FORMAT = host::$1

Re: Hostname lost in forwarded syslog messages

micuzzu — Mon, 23 Jun 2014 16:47:25 GMT

OK, in fact they are now actually indexed using "linux_secure" sourcetype.
Where are defined input data for forwarded events (I'm a newbie)?

Re: Hostname lost in forwarded syslog messages

yannK — Mon, 28 Sep 2020 16:55:04 GMT

Inputs are in inputs.conf (in $PSLUNK_HOME/etc/apps//default or /local, or in the $SPLUNK_HOME/etc/system/local)

Try to change the sourcetype to syslog to get the extraction.

Re: Hostname lost in forwarded syslog messages

micuzzu — Thu, 26 Jun 2014 14:12:33 GMT

I tried on a test Splunk server, loading directly the file /var/log/secure of the syslog central server and it works 😉

Now how can I correct the behaviour on the production Splunk server, receiving forwarded events?