Splunk Add-on for Unix and Linux: Why are we seeing multiple hostnames for /var/log logfiles on Linux?

cmeerbeek
Path Finder

We have installed the Splunk Add-on for Linux and enabled the /var/log monitor stanza.
The data is stored in the correct syslog sourcetype, but somehow the hostnames are mixed up.
/var/log/secure and /var/log/cron give us the FQDN, but /var/log/messages gives us the shortname for the same machine!
All logfiles have the shortname in every event, so this cannot be the issue.

Anyone seen this before and know how to solve this?

1 Solution

markbarber21
Path Finder

The "syslog-host" transform is applied, which overrides the host from the file output itself.

[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1

See similar question here: https://answers.splunk.com/answers/43214/syslog-server-to-splunk-showing-incorrect-host-during-splun...

cmeerbeek
Path Finder

The answer seems to be the fact that /var/log/messages is of sourcetype syslog, and syslog gets special treatment, one part of which is the change of the host field...
If someone can confirm this, case closed 🙂

0 Karma

acharlieh
Influencer

Built into Splunk for the syslog sourcetype is indeed a transformation to extract the host name from the log entry. The reason for this is that syslog from various devices is often sent to a collection server before being sent on to Splunk (see http://www.georgestarcher.com/splunk-success-with-syslog/ ). Obviously you'd want the events to be labeled with the original device names and not the syslog server's hostname.

Edit to add... if you have access to the CLI on the Splunk server, you can use btool to check this out: first run $SPLUNK_HOME/bin/splunk btool props list syslog to see the line TRANSFORMS = syslog-host, then look for the resolved transforms stanza as well.

0 Karma
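To make the two answers above concrete, here is an added example (not code from the original thread or from Splunk) that runs the REGEX from the [syslog-host] stanza quoted by markbarber21 over a handful of constructed syslog lines and shows which host value the transform would write, versus the host the input (here a forwarder assumed to report web01.example.com) assigned. The host name web01, the FQDN web01.example.com and all sample events are made up for the demonstration; the regex is the only thing taken from the page. The behaviour it reproduces is the one acharlieh describes: when the regex matches, host::$1 replaces MetaData:Host, so an event whose header carries the shortname is indexed under the shortname even though the forwarder knew the FQDN.

```python
import re

# The regex exactly as it appears in the default [syslog-host] transform
# quoted in the accepted answer. Group 1 is the host written to MetaData:Host.
SYSLOG_HOST_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s"
)

# Assumed (constructed) host that the input/forwarder assigned to every event.
FORWARDER_HOST = "web01.example.com"

# Constructed sample events, not taken from the original thread.
SAMPLE_EVENTS = {
    # shortname in the header, as the poster sees for /var/log/messages
    "messages_shortname": "Mar  3 10:15:01 web01 systemd[1]: Started Session 42 of user root.",
    # the same kind of line with an FQDN in the header
    "messages_fqdn": "Mar  3 10:15:01 web01.example.com systemd[1]: Started Session 42 of user root.",
    # a facility.severity column before the host, as some relays emit
    "relay_facility": "Mar  3 10:15:02 local0.info web01 sshd[2201]: Accepted publickey for alice",
    # host wrapped in square brackets, which the regex also accepts
    "bracketed": "Mar  3 10:15:03 [web01] kernel: usb 1-1: new device",
    # no syslog header at all: the regex cannot match
    "no_header": "Session opened for user root by (uid=0)",
}


def extracted_host(event: str):
    """Return the host the syslog-host transform would extract from the event
    text, or None when the regex does not match (Splunk then leaves the
    host field untouched)."""
    m = SYSLOG_HOST_REGEX.search(event)
    return m.group(1) if m else None


def effective_host(event: str, input_host: str = FORWARDER_HOST) -> str:
    """Mimic index-time behaviour for sourcetype=syslog: FORMAT = host::$1
    overwrites MetaData:Host whenever REGEX matches; otherwise the host set
    by the input (the forwarder's FQDN in this example) survives."""
    return extracted_host(event) or input_host


def host_report(events=SAMPLE_EVENTS, input_host=FORWARDER_HOST):
    """For each sample event: (host with the syslog-host transform applied,
    host for a sourcetype that has no host-rewriting transform)."""
    return {
        name: (effective_host(ev, input_host), input_host)
        for name, ev in events.items()
    }


if __name__ == "__main__":
    for name, (with_transform, without) in host_report().items():
        print(f"{name:18} sourcetype=syslog -> {with_transform:22} no transform -> {without}")
```

Running it shows the asymmetry the original poster noticed: the same machine ends up as web01 for lines whose header carries the shortname and as web01.example.com for files indexed under a sourcetype that has no host transform, with the event text, not the forwarder, deciding the value. The "no_header" line also illustrates the other edge: when the regex does not match, the transform is a no-op and the input's host stands.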