https://community.splunk.com/t5/Getting-Data-In/Syslog-Output-missing-header/m-p/533871#M89640 <P>Hello All</P><P>I found a similar question but did not see an answer.</P><P><A href="https://community.splunk.com/t5/Getting-Data-In/No-time-or-host-in-forwarded-syslog-messages/m-p/52627" target="_blank" rel="noopener">https://community.splunk.com/t5/Getting-Data-In/No-time-or-host-in-forwarded-syslog-messages/m-p/52627</A></P><P>I am forwarding Checkpoint logs that are coming in via tcp://514 and I am trying to forward the data to an HA syslog-ng environment.&nbsp; There is a NetScaler in front two different syslog-ng servers with round robin load balancing happening.&nbsp; I disabled the second syslog-ng host so that all logs get sent to sys-01.&nbsp; I see the following coming in:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">Msg: 2020-12-22 18:30 host-blah-blah.xxx.xxx.xxx.com time=1608661800|hostname=logger|product=Firewall|layer_name=xx-stl-private Security|layer_uuid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx|match_id=197|parent_rule=0|rule_action=Accept|rule_uid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx|action=Accept|conn_direction=Internal|ifdir=inbound|ifname=eth2-01.716|logid=0|loguid={0x00000000,0x00,0x0000000,0xc0000000}|origin=xxx.xxx.xxx.xxx|originsicname=blah_gw-stl-prv|sequencenum=199|time=1608661800|version=5|dst=xxx.xxx.xxx.xxx|log_delay=1608661800|proto=6|s_port=47298|service=7031|src=xxx.xxx.xxx.xxx|</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>From the previous link that seems to be a bug, but I am going to assume that it is an old bug and should not exist in Splunk version 8.0.6.&nbsp;&nbsp;</P><P>Is there a way in the outputs.conf to force a header that has the hostname?</P><P>&nbsp;</P><P>Thanks</P><P>ed</P> Tue, 22 Dec 2020 18:49:20 GMT edwardrose 2020-12-22T18:49:20Z https://community.splunk.com/t5/Getting-Data-In/Syslog-Output-missing-header/m-p/533871#M89640 <P>Hello All</P><P>I found a similar question but did not see an answer.</P><P><A href="https://community.splunk.com/t5/Getting-Data-In/No-time-or-host-in-forwarded-syslog-messages/m-p/52627" target="_blank" rel="noopener">https://community.splunk.com/t5/Getting-Data-In/No-time-or-host-in-forwarded-syslog-messages/m-p/52627</A></P><P>I am forwarding Checkpoint logs that are coming in via tcp://514 and I am trying to forward the data to an HA syslog-ng environment.&nbsp; There is a NetScaler in front two different syslog-ng servers with round robin load balancing happening.&nbsp; I disabled the second syslog-ng host so that all logs get sent to sys-01.&nbsp; I see the following coming in:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">Msg: 2020-12-22 18:30 host-blah-blah.xxx.xxx.xxx.com time=1608661800|hostname=logger|product=Firewall|layer_name=xx-stl-private Security|layer_uuid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx|match_id=197|parent_rule=0|rule_action=Accept|rule_uid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx|action=Accept|conn_direction=Internal|ifdir=inbound|ifname=eth2-01.716|logid=0|loguid={0x00000000,0x00,0x0000000,0xc0000000}|origin=xxx.xxx.xxx.xxx|originsicname=blah_gw-stl-prv|sequencenum=199|time=1608661800|version=5|dst=xxx.xxx.xxx.xxx|log_delay=1608661800|proto=6|s_port=47298|service=7031|src=xxx.xxx.xxx.xxx|</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>From the previous link that seems to be a bug, but I am going to assume that it is an old bug and should not exist in Splunk version 8.0.6.&nbsp;&nbsp;</P><P>Is there a way in the outputs.conf to force a header that has the hostname?</P><P>&nbsp;</P><P>Thanks</P><P>ed</P> Tue, 22 Dec 2020 18:49:20 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-Output-missing-header/m-p/533871#M89640 edwardrose 2020-12-22T18:49:20Z