All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to change assigned sourcetype for Add-on for Unix and Linux from syslog

ejwade
Contributor
‎02-02-2018 03:27 PM

We have the Splunk Add-on for Unix and Linux installed on a deployment server, and pushed out to many Linux hosts. Currently, we're having issues with the following stanza in the inputs.conf file:

[monitor:///var/log]
whitelist=(.log|log$|messages|secure|auth|mesg$|cron$|acpid$|.out)
blacklist=(lastlog|anaconda.syslog)
index=os
disabled = 0

This directory is monitored using universal forwarders, and sent to indexers to be parsed. At some point, the sourcetype "syslog" is given to this log data. Is this common? I thought I'd seen /var/log/message as sourcetype="messages" in the past.

0 Karma
Reply

micahkemp
Champion
‎02-05-2018 08:59 AM

Check to see if you have the appropriate tag values for the events with the syslog sourcetype. As long as those are correct, the CIM should be just fine with that data. The CIM doesn't (by default) care about sourcetypes.

0 Karma
Reply

ejwade
Contributor
‎02-05-2018 10:32 AM

You're correct. And the corresponding App expecting the sourcetype=syslog. Thanks for your help, @micahkemp.

0 Karma
Reply

micahkemp
Champion
‎02-02-2018 06:39 PM

Which values do you see for source for the sourcetype syslog? That is indeed a common sourcetype, but I'm not sure all of those files should have that sourcetype in the end. The app's props.conf sets different sourcetypes based on the filename.

I don't see any reference to a messages sourcetype in the TA.

Reply

ejwade
Contributor
‎02-05-2018 08:52 AM

I see the filepath for the log (e.g., /var/log/messages) as the source, but the sourcetype gets tagged as "syslog". You're correct - the TA documentation does not specify messages sourcetype, but I was surprised to see "syslog". Curious if this was expected behavior, and whether it works with the App and CIM.

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top