How to assign the sourcetype in Splunk for remote Linux inputs using rsyslog?

Super Champion

We are collecting a lot of Linux inputs locally using the Universal Forwarder and the Splunk Add-on for Unix and Linux. It works perfectly.
But recently we have got some remote Linux systems sending data via rsyslog.

When I'm using the same monitor stanza from "Splunk_TA_nix" (which we collect locally), the host_segment field is overridden automatically. Also which sourcetype should I assign?

[monitor::///var/log/syslog/my_remote_linux_hostname/cron.log]
host_segment = 4
index = os

In the above setting, how to assign the sourcetype? Also, the host_segment setting is NOT working if I put "linux_messages_syslog". I've looked into "Pretrained sourcetypes", but any suggestions for the best sourcetype would be helpful.

Splunk Employee

Hi koshyk,

If you are using the Splunk Add-on for Unix and Linux to collect data, these sourcetypes are supported:

http://docs.splunk.com/Documentation/UnixAddOn/5.2.3/User/SourcetypesandCIMdatamodelinfo

Regarding your question of how to set or override the sourcetype in the input phase: simply add the sourcetype setting in /inputs.conf:

[monitor::///var/log/syslog/my_remote_linux_hostname/cron.log]
host_segment = 4
index = os
sourcetype = syslog

Hope it helps. Thanks!
Hunter

Super Champion

Cheers, I agree with you. But if I put "syslog", the CIM extractions are lost, as it cannot identify whether it is a cron or audit file, etc.

Champion

We simply use the syslog sourcetype, except for the secure log, for which we use linux_secure. I didn't see syslog in the pretrained sourcetype list, but linux_secure and linux_messages_syslog are there.

Your host segment looks right to me. What is the host being set as? The syslog server? Since you're not specifying a sourcetype, what sourcetype is being assigned?

Super Champion

The host segment will be overridden if it is "syslog". So if I specify "linux_messages_syslog" it is OK, but host_segment is lost and Splunk_TA_nix CIM is lost.

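An added worked configuration for the situation described in this thread (it is not from any of the posters and not part of Splunk_TA_nix). It assumes rsyslog writes each remote host to /var/log/syslog/<hostname>/<file>, that parsing happens on an indexer or heavy forwarder where the props.conf below is deployed, and that, as in the system default props.conf, the pretrained syslog and linux_messages_syslog sourcetypes carry a "TRANSFORMS = syslog-host" rule that rewrites host from the syslog header after host_segment has already set it. The per-file sourcetypes are the ones the add-on documents for the corresponding local files.

```ini
# inputs.conf on the forwarder that monitors the rsyslog spool.
# Assumed layout: /var/log/syslog/<remote_hostname>/<file>
# Each file gets the add-on sourcetype it would get locally, so the
# add-on's extractions and CIM tagging keep working for remote hosts.
[monitor:///var/log/syslog/*/cron.log]
host_segment = 4
index = os
sourcetype = linux_messages_syslog

[monitor:///var/log/syslog/*/secure]
host_segment = 4
index = os
sourcetype = linux_secure

[monitor:///var/log/syslog/*/audit.log]
host_segment = 4
index = os
sourcetype = linux_audit

# props.conf on the indexer / heavy forwarder (parsing tier).
# Assumption: the default [linux_messages_syslog] stanza sets
# TRANSFORMS = syslog-host, which overwrites the host chosen by
# host_segment. An empty TRANSFORMS in a local props.conf disables
# that override for this sourcetype, so the path-derived host stands.
# This affects every event of the sourcetype, including locally
# forwarded ones, whose host already comes from the forwarder.
[linux_messages_syslog]
TRANSFORMS =
```

Confirm the effective settings on the parsing tier with `splunk btool props list linux_messages_syslog --debug`, which shows whether the local stanza has blanked TRANSFORMS and which file each line comes from.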