All Apps and Add-ons

rfc5424_syslog

0acid0
New Member

Hi,

I installed the "Security Intelligence for Vormetric Data Firewall (TM)" app on our running Splunk system and I want to use the predefined tcp://5524 source.

inputs.conf

[tcp://5514]
disabled = false
index = myindex
connection_host = dns
sourcetype = rfc5424_syslog

If I now try to search the sourcetype "rfc5424_syslog" I have no results.
A search on "source=tcp:5541" shows the sourcetype "syslog" for the Vormetric data.

Does Splunk overwrite the sourcetype? Why is it syslog and not rfc5424_syslog? In inputs.conf the sourcetype is correct. Because of this issue the Vormetric app doesn't work.

I hope somebody has an idea. Thanks in advance.

Regards, Arne

0 Karma

steveta_uk
Explorer

The Vormetric app includes the definitions for rfc5424_syslog so no other apps are required.

There is a test for valid rfc5424 format in the default/transforms.conf installed with the app, which looks like this:

[test_for_syslog]
REGEX = ^<\d+>[^1]
FORMAT = sourcetype::syslog
DEST_KEY = MetaData:Sourcetype

What this does is validate the syslog header against the definition, which you can see here:

http://tools.ietf.org/html/rfc5424

If the header doesn't match, this rule changes the format back to plain syslog, which may be what you are seeing.

How did you generate the RFC5424 format? Have you selected it in the server or agent log setup?

0 Karma
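To show what the [test_for_syslog] transform above does to incoming lines, here is an added Python example (not part of the Vormetric app or of this thread) that applies the same regex to a few constructed sample events and, as an assumed stricter check that the app does not perform, also validates the RFC 5424 PRI, VERSION, TIMESTAMP and HOSTNAME fields. Note that the app's regex only reverts lines that start with a PRI followed by something other than "1", so a line with no PRI at all, or with a bogus VERSION such as "10", keeps the input's sourcetype.

```python
import re

# Sourcetype assigned by the inputs.conf stanza from the question.
INPUT_SOURCETYPE = "rfc5424_syslog"

# Same regex as the app's [test_for_syslog] transform: a PRI "<n>" followed
# by any character other than the RFC 5424 VERSION character "1".
TEST_FOR_SYSLOG = re.compile(r"^<\d+>[^1]")

# Stricter header check (an assumption for this example, not the app's rule):
# PRI, VERSION "1", then TIMESTAMP (or NILVALUE "-") and HOSTNAME, each
# separated by a single space; PRI must be 0..191 per RFC 5424 section 6.2.1.
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?:-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>[!-~]{1,255}) "
)


def splunk_sourcetype(raw: str) -> str:
    """Sourcetype the event ends up with after the transform has run."""
    if TEST_FOR_SYSLOG.search(raw):
        return "syslog"  # FORMAT = sourcetype::syslog
    return INPUT_SOURCETYPE


def is_rfc5424(raw: str) -> bool:
    """True only if the line carries a well-formed RFC 5424 header."""
    m = RFC5424_HEADER.match(raw)
    return m is not None and int(m.group("pri")) <= 191


# Constructed sample events (not taken from the thread).
SAMPLES = {
    "rfc5424": "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - 'su root' failed",
    "rfc3164": "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "no_pri": "Oct 11 22:14:15 mymachine su: 'su root' failed",
    "bad_version": "<34>10 2003-10-11T22:14:15Z host app - - - text",
}


def classify_all(samples=SAMPLES):
    """Map each sample name to (resulting sourcetype, strict RFC 5424 validity)."""
    return {name: (splunk_sourcetype(line), is_rfc5424(line)) for name, line in samples.items()}


if __name__ == "__main__":
    for name, (st, ok) in classify_all().items():
        print(f"{name:12} sourcetype={st:15} strict_rfc5424={ok}")
```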

dmillis
Splunk Employee

What other apps have you installed? For example, have you installed the 'rfc5424' app? I suspect that other inputs and/or props entries are conflicting with what you created. You can use btool (http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurati...) to determine where the various properties are coming from, using something like this:

splunk cmd btool props list --debug | more

(and then look for the stanzas containing 5541, and the associated properties). The Splunk on Splunk (SoS) app has a prettier UI for investigating these sorts of configuration issues.

0 Karma

kaufmanm
Communicator

Try changing the sourcetype in props.conf:

e.g. This stanza:

[source::tcp:5541]
sourcetype = rfc5424_syslog

http://answers.splunk.com/answers/39176/change-the-syslog-sourcetype

0 Karma

0acid0
New Member

Thanks for the help, but it doesn't work.

I tried

[source::tcp:5541]
sourcetype = rfc5424_syslog

and

[host::xx.xxx.xx.xxx]
sourcetype = rfc5424_syslog

as well... but no change happened... 😕

Which props.conf should I use... the app's props.conf or system/local/props.conf?

0 Karma