
How to change assigned sourcetype for Add-on for Unix and Linux from syslog

ejwade
Contributor

We have the Splunk Add-on for Unix and Linux installed on a deployment server, and pushed out to many Linux hosts. Currently, we're having issues with the following stanza in the inputs.conf file:

[monitor:///var/log]
whitelist=(.log|log$|messages|secure|auth|mesg$|cron$|acpid$|.out)
blacklist=(lastlog|anaconda.syslog)
index=os
disabled = 0

This directory is monitored using universal forwarders, and sent to indexers to be parsed. At some point, the sourcetype "syslog" is given to this log data. Is this common? I thought I'd seen /var/log/messages as sourcetype="messages" in the past.

0 Karma

micahkemp
Champion

Check to see if you have the appropriate tag values for the events with the syslog sourcetype. As long as those are correct, the CIM should be just fine with that data. The CIM doesn't (by default) care about sourcetypes.

0 Karma

ejwade
Contributor

You're correct. And the corresponding App expects sourcetype=syslog. Thanks for your help, @micahkemp.

0 Karma

micahkemp
Champion

Which values do you see for source for the sourcetype syslog? That is indeed a common sourcetype, but I'm not sure all of those files should have that sourcetype in the end. The app's props.conf sets different sourcetypes based on the filename.

I don't see any reference to a messages sourcetype in the TA.
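To make the mechanism concrete, here is an illustrative props.conf fragment (added here; it is not the add-on's own props.conf, and the sourcetype name and path pattern are made up for the example). It shows how a `[source::...]` stanza assigns a sourcetype from the file path, which is how an add-on can turn files picked up by one `[monitor:///var/log]` input into different sourcetypes:

```ini
# Illustrative props.conf fragment (not the Splunk Add-on for Unix and Linux's file).
# Deploy it alongside the add-on so it reaches the same forwarders.
#
# In a source:: stanza name, "..." matches any characters including "/",
# and "*" matches any characters except "/".

# Assign a dedicated sourcetype to /var/log/messages on any host.
# "linux_messages_syslog" is a placeholder name chosen for this example.
[source::.../var/log/messages]
sourcetype = linux_messages_syslog
```

Two caveats before changing anything: an explicit `sourcetype =` set directly in the inputs.conf monitor stanza takes precedence over props.conf source-based assignment, and, as noted in this thread, the app's searches and field extractions are keyed to `sourcetype=syslog`, so renaming the sourcetype can silently break them. To see what is actually being assigned today, run a search such as `index=os | stats count by host source sourcetype` and compare the results against the tags the CIM data models expect.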

ejwade
Contributor

I see the filepath for the log (e.g., /var/log/messages) as the source, but the sourcetype gets tagged as "syslog". You're correct - the TA documentation does not specify messages sourcetype, but I was surprised to see "syslog". Curious if this was expected behavior, and whether it works with the App and CIM.

0 Karma