Hey all.
Trying to figure out how to clear up my issue. I'm getting two separate time stamps on a syslog entry coming from a Linux box.
As you can see below, it is sending over the FQDN and short name as well.
Oct 21 10:49:53 hyperion.btlab.test Oct 21 13:49:53 hyperion su: pam_unix(su-l:session): session opened for use
Digging around, this looks to be a syslog (using rsyslog) setup.
Here is my line in rsyslog.conf
authpriv.* @prometheus:514
Pretty straight forward, but scratching my head as to why it is being sent over like that.
Modify inputs.conf
Inside the stanza where you define the input port, add:
no_appending_timestamp = true
From inputs.conf.spec documentation file:
no_appending_timestamp = true
If this attribute is set to true, then Splunk does NOT append a timestamp and host to received events.
NOTE: Do NOT include this key if you want to append timestamp and host to received events.
You will have to restart the Splunk instances on your forwarders.
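To see what the appended header does to an event, here is an added example (not code from the thread or from Splunk) that parses lines with the shape shown in the question, flags the ones carrying two RFC 3164 headers, strips the outer (appended) one so the event reads as rsyslog emitted it, and measures the gap between the two timestamps. The sample lines are constructed for the example; the `su` line extends the truncated one in the question with an invented user and uid, and the regex assumes the plain `Mon DD HH:MM:SS host` header format the question shows.

```python
import re
from datetime import datetime

# RFC 3164-style header as it appears in the question: "Mon DD HH:MM:SS host ".
# Assumption: the day may be padded with a space (" 1") or not ("21").
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)

# Constructed sample lines (not captured from the poster's system).
SAMPLE_LINES = [
    # Double header: receiver's stamp + the original rsyslog header.
    "Oct 21 10:49:53 hyperion.btlab.test Oct 21 13:49:53 hyperion su: "
    "pam_unix(su-l:session): session opened for user root by (uid=0)",
    # Clean line: only the original header.
    "Oct 21 13:50:01 hyperion sshd[1234]: Accepted publickey for alice "
    "from 10.0.0.5 port 51515 ssh2",
]


def split_headers(line):
    """Return (list of (timestamp, host) headers, remaining message).

    Consumes every leading RFC 3164 header it finds, so a line that was
    stamped again by the receiver yields two entries."""
    headers = []
    rest = line
    while True:
        m = HEADER_RE.match(rest)
        if not m:
            break
        headers.append((m.group("ts"), m.group("host")))
        rest = rest[m.end():]
    return headers, rest


def has_double_header(line):
    """True when the receiver prepended its own timestamp and host."""
    return len(split_headers(line)[0]) > 1


def normalize(line):
    """Keep only the innermost header, which is the one the sending host
    wrote; that is the event as rsyslog originally emitted it."""
    headers, msg = split_headers(line)
    if not headers:
        return line
    ts, host = headers[-1]
    return f"{ts} {host} {msg}"


def header_skew_seconds(line):
    """Seconds between the inner (original) and outer (appended) stamps.

    A constant non-zero skew across many events usually means the two
    hosts stamp in different time zones rather than that the clocks drift.
    Assumption: both stamps fall in the same year (RFC 3164 has no year)."""
    headers, _ = split_headers(line)
    if len(headers) < 2:
        return 0
    fmt = "%b %d %H:%M:%S"
    outer = datetime.strptime(headers[0][0], fmt)
    inner = datetime.strptime(headers[-1][0], fmt)
    return int((inner - outer).total_seconds())


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(has_double_header(line), header_skew_seconds(line), normalize(line))
```

The skew matters beyond cosmetics: if an indexer keys the event on the first timestamp it sees, `su` sessions from this host land three hours away from where the sender's other evidence puts them, which breaks correlation during an investigation. Parsing the innermost header recovers the sender's view; fixing the forwarder input (or the rsyslog template) stops the duplication at the source. One caveat: a message body that legitimately begins with a date and a hostname would also be consumed by this loop, so use it as a diagnostic, not as a general-purpose syslog parser.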
Check in rsyslog.conf what template is being used; the line may look like the one below:
$ActionFileDefaultTemplate ..name..of the temp...
Heya.
Just was looking at that. Here is what is currently set in rsyslog.conf:
$ActionFileDefaultTemplate RSYSLOG_FileFormat
Just started to dig into the rsyslog guides to find out some more, see if I can resolve this.
This might be useful (setting up custom format)
http://unix.stackexchange.com/questions/103218/add-year-to-entries-generated-by-rsyslogd
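As an added example for the template suggestion above and the custom-format link, here is an rsyslog.conf fragment in the same legacy syntax the thread uses. It is not the poster's configuration. Note that `$ActionFileDefaultTemplate` only governs output written to files; an `@host:port` forward action uses `$ActionForwardDefaultTemplate` (`RSYSLOG_TraditionalForwardFormat` unless changed), or whatever template is named on the action itself. The template name `SplunkForward` is invented for the example; `prometheus` and the `authpriv.*` selector come from the thread.

```rsyslog
# Added example, not the poster's rsyslog.conf.
# File outputs keep whatever file template is already configured:
$ActionFileDefaultTemplate RSYSLOG_FileFormat

# Forward template with an RFC 3339 timestamp: carries the year and the
# sender's UTC offset, so the receiver has no reason to stamp the event again
# and no ambiguity about which time zone the sender was in.
$template SplunkForward,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%\n"

# Bind the template to this forward action with ";templatename".
authpriv.* @prometheus:514;SplunkForward
```

A single `@` in the action means UDP: no delivery guarantee and no authentication of the sender, so a host on the path can inject or drop `authpriv` events such as the `su` session records in the question. `@@prometheus:514` switches the same action to TCP, and the receiver's input stanza has to change transport to match. Whichever template is chosen, the receiving side must still be told not to prepend its own header, otherwise the duplication remains, just with a longer inner timestamp.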