Splunk Add-on for Unix and Linux: Why are syslogs from Linux servers being returned as raw events?
sabaKhadivi
Path Finder
09-14-2018
02:05 AM
Since I installed the Linux TA and app, the received logs are in the form of raw events and they aren't indexed with this TA.
Linux servers send logs to the universal forwarder by syslog, and when I search in the related index, the logs appear as raw events and field extraction hasn't happened.
The TA is the most downloaded one on Splunkbase. What is the solution?

richgalloway

SplunkTrust
09-14-2018
04:04 AM
The Splunk TA for Linux does not expect events to arrive via syslog. Events sent via syslog are in a very different format for which you will have to craft your own props.conf settings.
---
If this reply helps you, Karma would be appreciated.

renjith_nair
Legend
09-14-2018
04:02 AM
@sabaKhadivi,
The Splunk TA for Linux contains a set of scripted inputs to collect system information such as CPU, memory, processes, etc. from the system.
Are you looking for RFC 5424 syslog?
---
What goes around comes around. If it helps, hit it with Karma 🙂
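As an added illustration of the two replies above (hand-crafted props.conf settings for syslog-format events, and RFC 5424 as the format in question), here is a minimal inputs.conf/props.conf pair that is not from either answer or from the Splunk TA. The listener port, sourcetype name, field names and the sample line are constructed for this example, and it assumes the Linux servers really emit RFC 5424 (not the older BSD/RFC 3164 form).

```ini
# inputs.conf on the universal forwarder that receives the syslog stream.
# Tagging the listener with a custom sourcetype is what makes the props.conf
# stanza below apply; port and sourcetype name are assumptions for this example.
[udp://514]
sourcetype = linux_syslog_rfc5424
connection_host = dns

# props.conf, index-time part (must live on the indexer or a heavy forwarder,
# a universal forwarder does not parse): one event per line, timestamp read
# from the RFC 5424 header right after "<PRI>VERSION ".
[linux_syslog_rfc5424]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^<\d{1,3}>\d+\s
MAX_TIMESTAMP_LOOKAHEAD = 40
TRUNCATE = 10000

# props.conf, search-time part (search head): extract the header fields.
# Constructed sample line this regex matches (RFC 5424 section 6 layout):
#   <34>1 2018-09-14T02:05:00.000Z web01 sshd 1234 - - Accepted publickey for deploy from 203.0.113.5 port 4242 ssh2
EXTRACT-rfc5424_header = ^<(?<pri>\d{1,3})>(?<syslog_version>\d+)\s(?<syslog_time>\S+)\s(?<syslog_host>\S+)\s(?<app_name>\S+)\s(?<procid>\S+)\s(?<msgid>\S+)\s(?<structured_data>-|(?:\[[^\]]*\])+)\s(?<message>.*)$

# PRI = facility * 8 + severity, so split it into two calculated fields.
EVAL-syslog_severity = pri % 8
EVAL-syslog_facility = floor(pri / 8)
```

Splunk recognises the ISO 8601 timestamp automatically once TIME_PREFIX positions it, so no TIME_FORMAT is needed; the same stanza name must appear in props.conf on both the parsing tier and the search head for all of it to take effect.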
