Can't seem to get Splunk to interpret the RHEL syslog data.
I have tried several different formats:
syslog
linux_syslog_messages
Still only get this:
--splunk-cooked-mode-v3--\x00/x00... forever
Any ideas on this?
I am formatting the forwarding server the same as the indexer.
Your forwarder is sending Splunk cooked data to the indexer, but the port you've configured to the indexer is a regular raw TCP input, not an input for receiving cooked data. You need to remove the TCP input (Manager » Data inputs » TCP) and instead configure a Splunk receiver (Manager » Forwarding and receiving » Receive data) on the same port.
forwarder inputs.conf
host=myhost
[monitor:///var/log/messages]
followTail=0
disabled=false
sourcetype=syslog
forwarder outputs.conf
[tcpout]
defaultGroup=myhost_9997
server=myhost
[tcpout:myhost_9997]
autoLB=true
server=myhost:9997
For some reason there is nothing but the server name in the /local/inputs.conf file (odd). I am printing what I see in the manager GUI. I have restarted Splunk...
indexer
inputs tcp 9997
Source - accept connections from all hosts yes
no source name override
sourcetype manual syslog
Give us details on the setup. From what you pasted it sounds like you've set up a TCP listener on the indexer but you're forwarding splunktcp data from a Splunk forwarder.
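The mismatch both answers describe, shown as an added inputs.conf example for the indexer side (not taken from the thread or from Splunk's docs): the raw TCP stanza that the Manager » Data inputs » TCP page writes, beside the splunktcp stanza that Receive data writes. The port 9997 and the sourcetype come from the posted forwarder config; the file path is the usual location and is an assumption.

```ini
# Indexer-side inputs.conf, normally $SPLUNK_HOME/etc/system/local/inputs.conf
# (path assumed). Added example, not the poster's configuration.

# WRONG for a Splunk forwarder: a raw TCP input. The forwarder speaks the
# Splunk "cooked" protocol, so the indexer stores the protocol framing
# (--splunk-cooked-mode-v3--\x00...) as if it were syslog text.
#[tcp://9997]
#connection_host = dns
#sourcetype = syslog
#disabled = 0

# CORRECT: a Splunk receiving port. Cooked data already carries the host,
# source and sourcetype set on the forwarder (here sourcetype=syslog), so
# no sourcetype override belongs here; it would be ignored anyway.
[splunktcp://9997]
disabled = 0
```

The same stanza can be created from the CLI with `splunk enable listen 9997` on the indexer; the TLS variant is `[splunktcp-ssl:9997]` together with an `[SSL]` stanza naming the server certificate, which keeps forwarded logs from crossing the network in clear text.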