Getting Data In

Getting two time stamps in a syslog entry - how to correct

thecoffeeguy14
New Member

Hey all.

Trying to figure out how to clear up my issue. I'm getting two separate time stamps on a syslog entry coming from a Linux box.

As you can see below, it is sending over the FQDN and short name as well.

Oct 21 10:49:53 hyperion.btlab.test Oct 21 13:49:53 hyperion su: pam_unix(su-l:session): session opened for use

Digging around, this looks to be a syslog (using rsyslog) setup.
Here is my line in rsyslog.conf

authpriv.* @prometheus:514

Pretty straightforward, but I'm scratching my head as to why it is being sent over like that.

0 Karma

woodcock
Esteemed Legend

Modify inputs.conf: inside the stanza where you define the input port, add:

no_appending_timestamp = true

From the inputs.conf.spec documentation file:

no_appending_timestamp = true
If this attribute is set to true, then Splunk does NOT append a timestamp and host to received events.
NOTE: Do NOT include this key if you want to append timestamp and host to received events.

You will have to restart the Splunk instances on your forwarders.
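To make the mechanism behind that setting concrete, here is an added example in Python (not code from the original post or from Splunk). It emulates what a Splunk network input stores for one incoming syslog datagram with and without no_appending_timestamp, and it splits an already-indexed double-stamped line back into the prefix Splunk added and the record rsyslog actually sent, reporting the clock skew between the two stamps. The wire sample, the receive time and the FQDN assumed to come from reverse DNS on the receiver are all constructed; the assumption that the leading <PRI> field is dropped is marked in the code (the post's sample shows no PRI either).

```python
"""Added example: emulate a Splunk [udp://514]/[tcp://514] input with and
without no_appending_timestamp, and recover the original syslog record (plus
the sender/receiver clock skew) from events that were indexed double-stamped."""
import re
from datetime import datetime

# RFC 3164-style timestamp: "Oct 21 13:49:53" or "Oct  5 09:01:02" (no year).
SYSLOG_TS = r"[A-Z][a-z]{2} [ 0-3]?\d \d{2}:\d{2}:\d{2}"
HOST = r"\S+"

# Constructed sample of what rsyslog puts on the wire with its default
# forwarding template: <PRI>TIMESTAMP HOSTNAME TAG MSG. PRI 86 = authpriv.info.
WIRE_EVENT = ("<86>Oct 21 13:49:53 hyperion sshd[2211]: Accepted publickey "
              "for alice from 10.0.0.5 port 50422 ssh2")

# The line quoted in the original post, copied as posted (it ends at "for use").
PAGE_SAMPLE = ("Oct 21 10:49:53 hyperion.btlab.test Oct 21 13:49:53 hyperion "
               "su: pam_unix(su-l:session): session opened for use")


def syslog_stamp(when):
    """Format a datetime the way syslog does: space-padded day, no year."""
    return f"{when:%b} {when.day:2d} {when:%H:%M:%S}"


def splunk_receive(datagram, sender_fqdn, received_at, no_appending_timestamp):
    """Emulate what a network input writes for one datagram.

    Assumption for this emulation: the leading <PRI> is dropped. With
    no_appending_timestamp unset, Splunk prepends its own receive time and the
    resolved sender host, so a datagram that already carries a syslog header
    ends up with a second timestamp and a second hostname in front of it.
    """
    body = re.sub(r"^<\d{1,3}>", "", datagram)
    if no_appending_timestamp:
        return body
    return f"{syslog_stamp(received_at)} {sender_fqdn} {body}"


def demo(no_appending_timestamp):
    """Fixed-input wrapper: constructed receive time on the Splunk side and the
    FQDN that reverse DNS is assumed to return for the sender."""
    received = datetime(2024, 10, 21, 10, 49, 53)
    return splunk_receive(WIRE_EVENT, "hyperion.btlab.test", received,
                          no_appending_timestamp)


DOUBLE_STAMP = re.compile(
    rf"^(?P<outer_ts>{SYSLOG_TS}) (?P<outer_host>{HOST}) "
    rf"(?P<inner_ts>{SYSLOG_TS}) (?P<inner_host>{HOST}) (?P<rest>.*)$"
)


def _parse_stamp(ts):
    # Syslog stamps carry no year; pin a leap year so a "Feb 29" stamp parses.
    return datetime.strptime(f"2000 {ts}", "%Y %b %d %H:%M:%S")


def split_double_stamp(event):
    """Return None for a normally formed event, otherwise a dict separating the
    prefix Splunk added from the record rsyslog sent, with two sanity signals:
    skew_seconds (inner minus outer; a whole number of hours points at a
    timezone mismatch, anything else at clock drift or queuing delay) and
    same_host (inner short name equals the first label of the outer FQDN)."""
    m = DOUBLE_STAMP.match(event)
    if not m:
        return None
    skew = _parse_stamp(m["inner_ts"]) - _parse_stamp(m["outer_ts"])
    return {
        "splunk_prefix": f"{m['outer_ts']} {m['outer_host']}",
        "original": f"{m['inner_ts']} {m['inner_host']} {m['rest']}",
        "skew_seconds": int(skew.total_seconds()),
        "same_host": m["inner_host"] == m["outer_host"].split(".")[0],
    }


if __name__ == "__main__":
    print("default:               ", demo(False))
    print("no_appending_timestamp:", demo(True))
    print(split_double_stamp(PAGE_SAMPLE))
```

Run against the post's own sample, the splitter reports a skew of exactly three hours with matching hostnames, which is what a timezone mismatch between the Linux box and the receiver looks like; the setting above stops the doubling for new data, while the splitter is only a way to clean up what is already indexed.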

somesoni2
Revered Legend

Check in rsyslog.conf what template is being used; the line may look like the one below:

$ActionFileDefaultTemplate ..name..of the temp...
0 Karma

thecoffeeguy14
New Member

Heya.
I was just looking at that. Here is what is currently set in rsyslog.conf:

$ActionFileDefaultTemplate RSYSLOG_FileFormat

I've just started to dig into the rsyslog guides to find out more and see if I can resolve this.

0 Karma
