We are collecting a lot of Linux inputs locally using the Universal Forwarder and Splunk Add-on for Unix and Linux. It works perfectly.
But recently we have got some remote Linux systems sending data via rsyslog.
When I'm using the same monitor stanza from "Splunk_TA_nix" (which we collect locally), the host_segment field is overridden automatically. Also which sourcetype should I assign?
[monitor::///var/log/syslog/my_remote_linux_hostname/cron.log] host_segment = 4 index = os
In the above setting, how do I assign the sourcetype? Also, the host_segment setting is NOT working if I put "linux_messages_syslog". I've looked into "Pretrained sourcetypes", but any suggestions for the best sourcetype would be helpful.
If you are using the Splunk Add-on for Unix and Linux to collect data, these sourcetypes are supported:
Regarding your question of how to set or override the sourcetype at the input phase: simply add a sourcetype setting to the stanza in /inputs.conf:
[monitor:///var/log/syslog/my_remote_linux_hostname/cron.log]
host_segment = 4
index = os
sourcetype = syslog
Hope it helps. Thanks!
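As an added illustration (not code from either poster, nor Splunk's own parser): a small Python check that reads a monitor stanza like the one above and reports which path component host_segment selects, assuming Splunk's 1-based segment numbering that starts at the first component after the leading slash. The inputs.conf fragment is constructed for the example.

```python
"""Resolve the host that a Splunk host_segment setting picks from a path.

Assumption (Splunk semantics): segments are split on '/', numbered from 1,
starting with the first component after the leading slash, so for
/var/log/syslog/<host>/cron.log segment 4 is <host>. The stanza parsing is
a minimal re-implementation for this check, not Splunk's own parser.
"""
import re
from typing import Dict, List, Optional

STANZA_RE = re.compile(r"^\[monitor://(?P<path>.+)\]$")


def parse_inputs(text: str) -> Dict[str, Dict[str, str]]:
    """Return {monitored_path: {setting: value}} for each monitor stanza."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group("path"), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def host_from_segment(path: str, segment: int) -> Optional[str]:
    """Return the component host_segment=<segment> selects, or None if absent."""
    parts: List[str] = [p for p in path.split("/") if p]  # drops leading '/'
    if segment < 1 or segment > len(parts):
        return None  # segment beyond the path: host cannot come from it
    return parts[segment - 1]


def check_inputs(text: str) -> Dict[str, Optional[str]]:
    """Map each monitored path to the host its stanza's host_segment yields."""
    result: Dict[str, Optional[str]] = {}
    for path, settings in parse_inputs(text).items():
        seg = settings.get("host_segment")
        result[path] = host_from_segment(path, int(seg)) if seg else None
    return result


# Constructed inputs.conf fragment mirroring the stanza discussed above.
SAMPLE_INPUTS = """
[monitor:///var/log/syslog/my_remote_linux_hostname/cron.log]
host_segment = 4
index = os
sourcetype = syslog
"""
```

For a stanza that monitors a whole directory, run host_from_segment against the actual file paths under it, since the host is derived per file at read time.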
We simply use the syslog sourcetype, except for the secure log, for which we use linux_secure. I didn't see syslog in the pretrained sourcetype list, but linux_secure and linux_messages_syslog are there.
Your host segment looks right to me. What is the host being set as? The syslog server? Since you're not specifying a sourcetype, what sourcetype is being assigned?