- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: host is not being extracted from linux_secure
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
host is not being extracted from linux_secure
Hi there,
We are forwarding all of our /var/log/secure logs to a syslog server "syslogserver.local " and from there it's being forwarded to Splunk over a TCP port.
The Splunk is configured as a single instance.
in Data Inputs I created a TCP listener and the source type is linux_secure.
In the search app most of the fields are getting extracted except the hostname "myhost " .
The host field only shows the name of that syslog server instead of the name of the server that alert was generated.
<85>Apr 25 15:22:03 myhost unix_chkpwd[20316]: password check failed for user (jon.doe)
date_hour = 15 date_mday = 25 date_minute = 22 date_month = april date_second = 3 date_wday = thursday date_year = 2019 date_zone = local eventtype = err0r error eventtype = nix_errors error eventtype = nix_security os unix host = syslogserver local index = linux_index linecount = 1 pid = 20316 process = unix_chkpwd source = tcp:40515 sourcetype = linux_secure splunk_server = splunk.local src = syslogserver.local tag = error tag = os tag = unix timeendpos = 20 timestartpos = 4
As you can see, the value of the host and src are the same.
syslogserver.local is the server that aggregates all the syslogs. and there is no field that shows "myhost"
Any ideas of where the problem might be?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I Just deleted both Splunk_TA_nix and TA-linux_secure.
My source type is syslog and it extracts the host values and I see no difference from when I had those TAs.
My selected fields and interesting fields are the same before and after deleting those TAs with syslog source type.
Now I'm wondering what difference does it make for having those TA's?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @vishaltaneja07011993,
actually, I already have it installed, but it doesn't make any difference.
When the source type is syslog, it can extract the host values.
I already tried the following:
App context=TA-linux_secure with source type linux_secure
App context=Splunk_TA_nix with source type linux_secure
They both can't extract the host value.
But if I choose syslog as source type, it can extract the host value no matter what app context I select.
So what is the right of doing this?
shouldn't we change something in transform.conf or somewhere else?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @arsalanj
Try this add-on specifically for Linux Secure
https://splunkbase.splunk.com/app/3476/
Mostly it will help you out
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
