Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Forward logs to 3rd party syslog server without additional timestam/oroginated host field

ikulcsar
Communicator
‎06-20-2017 01:54 AM

Hi,

We have a syslog input with non-syslog sourcetype over TCP. Everything looks good in Splunk. However, we have to forward these logs to a 3rd party syslog server.

We are facing with the 2nd and 3rd scenario on these links: (but with tcp input)
http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkEnterprisehandlessyslogdata
https://wiki.splunk.com/Community:Test:How_Splunk_behaves_when_receiving_or_forwarding_udp_data

2nd scenario: Splunk attach the originated host field: 3rd party server doesn't like it...
3rd scenario: attach a new timestamp and the originated host field. 3rd party system can handle, but event getting to be too long.

Is there any way to solve this problem? How to not attach originated host filed or any other suggestion?
Am I miss a documentation about it?

Regards,
István

Tags (1)
0 Karma
Reply

micahkemp
Champion
‎06-20-2017 07:25 AM

Check out syslogSourceType in outputs.conf:

syslogSourceType = <string>
* Specifies an additional rule for handling data, in addition to that 
  provided by the 'syslog' source type.
* This string is used as a substring match against the sourcetype key.  For
  example, if the string is set to 'syslog', then all source types
  containing the string 'syslog' will receive this special treatment.
* To match a source type explicitly, use the pattern
  "sourcetype::sourcetype_name".
    * Example: syslogSourceType = sourcetype::apache_common
* Data which is 'syslog' or matches this setting is assumed to already be in 
  syslog format. 
* Data which does not match the rules has a header, optionally a timestamp 
  (if defined in 'timestampformat'), and a hostname added to the front of 
  the event. This is how Splunk causes arbitrary log data to match syslog 
  expectations.
* Defaults to unset.

Try setting syslogSourceType to the sourcetype of your non-syslog data so Splunk will assume it is already in syslog format (even thought it's not).

Reply

ikulcsar
Communicator
‎06-23-2017 06:48 AM

Thank you. We tried it in our lab with no luck. We plan to test it with the specific, 'real' logs, but it will takes time. There are a lot of other scheduled task now.

Regards,
István

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...