https://community.splunk.com/t5/Getting-Data-In/Why-are-we-seeing-duplicate-headers-host-and-timestamp/m-p/252696#M48607 <P>Can you give us some information, ie, what is the configuration you are using to forward your data, and what kind of system is receiving it?</P> Sat, 30 Jan 2016 16:48:31 GMT Jeremiah 2016-01-30T16:48:31Z https://community.splunk.com/t5/Getting-Data-In/Why-are-we-seeing-duplicate-headers-host-and-timestamp/m-p/252695#M48606 <P>Splunk adds one header, then one more when forwarding to external logger. </P> <P><STRONG>SPLUNK entry</STRONG><BR /> Jan 29 14:09:01 host.localdomain: <STRONG>2016 Jan 29 14:08:57 EST: %DAEMON-3-SYSTEM_MSG</STRONG>: error: setsockopt IP_TOS 16: Invalid argument: - sshd[6771]</P> <P><STRONG>External logger</STRONG><BR /> Jan 29 14:09:01 host.localdomain Jan 29 14:09:01 host.localdomain : <STRONG>2016 Jan 29 14:08:57 EST: %DAEMON-3-SYSTEM_MSG</STRONG>: error: setsockopt IP_TOS 16: Invalid argument: - sshd[6771] </P> <P><STRONG>RAW –tcpdump</STRONG><BR /> Jan 29 17:00:01 host.localdomain Jan 29 17:00:01 host.localdomain : <STRONG>2016 Jan 29 16:59:56 EST: %DAEMON-3-SYSTEM_MSG</STRONG>: error: setsockopt IP_TOS 16: Invalid argument: - sshd[12046]</P> Sat, 30 Jan 2016 00:13:53 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-we-seeing-duplicate-headers-host-and-timestamp/m-p/252695#M48606 jppham 2016-01-30T00:13:53Z https://community.splunk.com/t5/Getting-Data-In/Why-are-we-seeing-duplicate-headers-host-and-timestamp/m-p/252696#M48607 <P>Can you give us some information, ie, what is the configuration you are using to forward your data, and what kind of system is receiving it?</P> Sat, 30 Jan 2016 16:48:31 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-we-seeing-duplicate-headers-host-and-timestamp/m-p/252696#M48607 Jeremiah 2016-01-30T16:48:31Z https://community.splunk.com/t5/Getting-Data-In/Why-are-we-seeing-duplicate-headers-host-and-timestamp/m-p/252697#M48608 <P>Hi Jeremiah, this log is from a Cisco switch sending syslog to SPLUNK.<BR /> We are also seeing multiple headers in logs from other systems as well coming in on source udp:514.<BR /> It appears as though SPLUNK is attaching another header before it goes out .</P> <P>I have also attached all of the outputs stanzas at the end.</P> <P>Below log is what's sent to external logger from another host. there are multiple headers again.</P> <P>external logger<BR /> <STRONG>Jan 29 16:52:32 esx.mydomain Jan 29 16:52:32 esx.mydomain</STRONG> 2016-01-29T21:52:32.963Z ESX.MYDOMAINVpxa: [FF96FB90 verbose 'hostdstats']</P> <P>SPLUNK<BR /> <STRONG>Jan 29 16:52:32 esx.mydomain</STRONG> 2016-01-29T21:52:32.978Z ESX.MYDOMAIN Vpxa: [FF96FB90 verbose 'hostdstats'] Set internal stats for VM</P> <P>OUTPUTS:</P> <PRE><CODE>[tcpout] maxQueueSize = 500KB forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = _audit forwardedindex.filter.disable = false indexAndForward = false autoLBFrequency = 30 blockOnCloning = true compressed = false disabled = false dropClonedEventsOnQueueFull = 5 dropEventsOnQueueFull = -1 heartbeatFrequency = 30 maxFailuresPerInterval = 2 secsInFailureInterval = 1 maxConnectionsPerIndexer = 2 forceTimebasedAutoLB = false sendCookedData = true connectionTimeout = 20 readTimeout = 300 writeTimeout = 300 useACK = false #defaultGroup=nowhere [syslog] defaultGroup = [syslog:Everything] disabled = true timestampformat = %b %e %H:%M:%S server = x.x.x.x:514 [syslog:ext_logger] disabled = false timestampformat = %b %e %H:%M:%S server = x.x.x.x:514 </CODE></PRE> Mon, 01 Feb 2016 18:32:10 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-we-seeing-duplicate-headers-host-and-timestamp/m-p/252697#M48608 jppham 2016-02-01T18:32:10Z https://community.splunk.com/t5/Getting-Data-In/Why-are-we-seeing-duplicate-headers-host-and-timestamp/m-p/252698#M48609 <P>So, you may need to set:</P> <PRE><CODE>syslogSourceType = &lt;string&gt; </CODE></PRE> <P>In your outputs.conf syslog stanza. The string value should match the sourcetype of your Cisco data, so that Splunk knows this is syslog data and doesn't need to add a timestamp/hostname to the beginning of the log entry.</P> <P>From <A href="http://docs.splunk.com/Documentation/Splunk/6.3.2/admin/Outputsconf:">http://docs.splunk.com/Documentation/Splunk/6.3.2/admin/Outputsconf:</A></P> <P>"Data which does not match the rules has a header, optionally a timestamp (if defined in 'timestampformat'), and a hostname added to the front of the event. This is how Splunk causes arbitrary log data to match syslog expectations."</P> <P>There is a Splunk wiki article that might help explain what is happening when your data is being processed and passed on to a syslog destination:</P> <P><A href="https://wiki.splunk.com/Community:Test:How_Splunk_behaves_when_receiving_or_forwarding_udp_data">https://wiki.splunk.com/Community:Test:How_Splunk_behaves_when_receiving_or_forwarding_udp_data</A></P> <P>It sounds like you are passing data directly to splunk via syslog. I prefer to have a syslog server (syslog-ng or rsyslog) setup to receive my syslog data and write to a file. Then I use a Splunk forwarder to read the files and forward them to my indexer. This also gives you the advantage of routing data directly via syslog-ng if you need to. There's a discussion of the pros/cons here: </P> <P><A href="https://answers.splunk.com/answers/103295/pros-cons-of-using-syslog-ng-or-other-syslog-file-receiver-vs-direct-tcp-udp-514-to-splunk.html">https://answers.splunk.com/answers/103295/pros-cons-of-using-syslog-ng-or-other-syslog-file-receiver-vs-direct-tcp-udp-514-to-splunk.html</A></P> Mon, 01 Feb 2016 21:10:32 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-we-seeing-duplicate-headers-host-and-timestamp/m-p/252698#M48609 Jeremiah 2016-02-01T21:10:32Z