
How to get segregated hostnames from logs coming onto a Heavy Forwarder on a single syslog 515 port into Splunk

dikshaj
Engager

I am trying to integrate a few servers into Splunk. The servers send syslog data only. Earlier I had two servers (log sources), so I made the input traffic come in on ports 514 and 515. I used two ports to get two host names in the logs. But now the server count is about 5 servers, and I don't feel like giving another 5 separate ports to these 5 servers to get different host names.

I want to use a single port, say port 514, as input to my HF for n number of servers, and get the n distinct HOSTs. Can anyone suggest how I can achieve this in Splunk?


gcusello
SplunkTrust

Hi @dikshaj,
If you want to ingest syslogs from only a set of servers, you have to follow the indications of @nickhills.
If instead you want to ingest syslogs from all the servers, the easiest way to ingest syslogs from different servers is to receive all of them on the same port and then override the host value using a regex.
In other words, on the Heavy Forwarder you have to add a props.conf stanza (located in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/) like this:

[your_sourcetype]
TRANSFORMS-override_host = override_host

and in a transforms.conf stanza:

[override_host]
REGEX = <your_regex>
FORMAT = host::$1
DEST_KEY = MetaData:Host

Usually the syslogs of all servers have the hostname after the timestamp and/or IP address; to be more sure, check this regex (if you want, share an example and I can help).
For more info see https://docs.splunk.com/Documentation/SplunkCloud/8.0.1/Data/Overridedefaulthostassignments .

Ciao.
Giuseppe

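To see what the props.conf/transforms.conf override above does to real events, here is an added simulation (my own example, not code from the answer or from Splunk): it applies a regex in the role of REGEX with FORMAT = host::$1 to a few constructed syslog lines and shows which host each event would get. The regex, the default HF host name and the sample lines are all assumptions; the last two lines deliberately do not match, to show that any source your regex does not cover keeps the forwarder's own host value.

```python
import re

# Assumed regex for the REGEX key of the [override_host] stanza. It expects the
# common RFC 3164 layout "<PRI>Mon DD HH:MM:SS hostname tag: message" and
# captures the hostname in group 1 (what FORMAT = host::$1 refers to).
HOST_REGEX = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+(\S+)\s"
)

# Constructed: the host the HF would assign when the transform does not match.
DEFAULT_HOST = "hf01.example.internal"


def override_host(line: str, default_host: str = DEFAULT_HOST) -> str:
    """Return the host value Splunk would end up with for this event.

    A match sets host to capture group 1 (DEST_KEY = MetaData:Host);
    no match leaves the input's default host untouched.
    """
    m = HOST_REGEX.match(line)
    return m.group(1) if m else default_host


# Constructed sample events from several servers arriving on one port.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 web-01 sshd[1234]: Accepted publickey for alice",
    "<13>Oct  1 09:03:07 db-02 kernel: [12345.678] eth0: link up",
    "Oct 11 22:14:16 app-03 cron[99]: (root) CMD (run-parts)",
    # RFC 5424 layout: not covered by the regex above, so it falls back.
    "<34>1 2003-10-11T22:14:15.003Z fw-04 su - ID47 - 'su root' failed",
    "garbage line without a syslog header",
]


def host_counts(lines):
    """Count events per resulting host; shows how many fell back to the HF."""
    counts = {}
    for line in lines:
        host = override_host(line)
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{override_host(line):<24} {line}")
    print(host_counts(SAMPLE_LINES))
```

Run it after adjusting HOST_REGEX to one line from each of your real sources; every event that lands on the default host in the counts is a source the regex still needs to cover.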

klaxdal
Contributor

Could you not use Rsyslog? If I understand the question, you want the syslog to create unique host information?

$template RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"

Then apply this template to messages coming from remote hosts:

$RuleSet remote
# selector *.* = every facility and priority; write them via the RemoteHost template
*.* ?RemoteHost

Then have Splunk monitor the entire /var/syslog/hosts/ directory.


nickhills
Ultra Champion

Take a look here:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Monitornetworkports

Specifically "Specify input settings"

If you are configuring using inputs.conf you should add:

connection_host = ip | dns | none

"ip" sets the host to the IP address of the remote server.
"dns" sets the host to the DNS entry of the remote server.
"none" leaves the host as specified, i.e. your HF.

If my comment helps, please give it a thumbs up!