topic Re: host is not being extracted from linux_secure in Getting Data In

host is not being extracted from linux_secure

arsalanj — Wed, 30 Sep 2020 00:16:58 GMT

Hi there,

We are forwarding all of our /var/log/secure logs to a syslog server "syslogserver.local " and from there it's being forwarded to Splunk over a TCP port.
The Splunk is configured as a single instance.
in Data Inputs I created a TCP listener and the source type is linux_secure.

In the search app most of the fields are getting extracted except the hostname "myhost " .
The host field only shows the name of that syslog server instead of the name of the server that alert was generated.

<85>Apr 25 15:22:03 myhost unix_chkpwd[20316]: password check failed for user (jon.doe)
date_hour = 15 date_mday = 25 date_minute = 22 date_month = april date_second = 3 date_wday = thursday date_year = 2019 date_zone = local eventtype = err0r error eventtype = nix_errors error eventtype = nix_security os unix host = syslogserver local index = linux_index linecount = 1 pid = 20316 process = unix_chkpwd source = tcp:40515 sourcetype = linux_secure splunk_server = splunk.local src = syslogserver.local tag = error tag = os tag = unix timeendpos = 20 timestartpos = 4

As you can see, the value of the host and src are the same.
syslogserver.local is the server that aggregates all the syslogs. and there is no field that shows "myhost"

Any ideas of where the problem might be?

Re: host is not being extracted from linux_secure

vishaltaneja070 — Fri, 26 Apr 2019 06:43:49 GMT

Hello @arsalanj

Try this add-on specifically for Linux Secure
https://splunkbase.splunk.com/app/3476/

Mostly it will help you out

Re: host is not being extracted from linux_secure

arsalanj — Wed, 30 Sep 2020 00:17:22 GMT

Hi @vishaltaneja07011993,

actually, I already have it installed, but it doesn't make any difference.
When the source type is syslog, it can extract the host values.
I already tried the following:
App context=TA-linux_secure with source type linux_secure
App context=Splunk_TA_nix with source type linux_secure
They both can't extract the host value.
But if I choose syslog as source type, it can extract the host value no matter what app context I select.
So what is the right of doing this?
shouldn't we change something in transform.conf or somewhere else?

Re: host is not being extracted from linux_secure

arsalanj — Wed, 30 Sep 2020 00:17:25 GMT

I Just deleted both Splunk_TA_nix and TA-linux_secure.
My source type is syslog and it extracts the host values and I see no difference from when I had those TAs.

My selected fields and interesting fields are the same before and after deleting those TAs with syslog source type.

Now I'm wondering what difference does it make for having those TA's?