Getting Data In

Getting two time stamps in a syslog entry - how to correct

New Member

Hey all.

Trying to figure out how to clear up my issue. I'm getting two separate time stamps on a syslog entry coming from a Linux box.

As you can see below, it is sending over the FQDN and short name as well.

Oct 21 10:49:53 hyperion.btlab.test Oct 21 13:49:53 hyperion su: pam_unix(su-l:session): session opened for use

Digging around, this looks to be a syslog (using rsyslog) setup.
Here is my line in rsyslog.conf

authpriv.* @prometheus:514

Pretty straightforward, but scratching my head as to why it is being sent over like that.

0 Karma

Re: Getting two time stamps in a syslog entry - how to correct

SplunkTrust

Check in rsyslog.conf which template is being used; the line may look like the one below:

$ActionFileDefaultTemplate ..name..of the temp...
0 Karma

Re: Getting two time stamps in a syslog entry - how to correct

New Member

Heya.
Just was looking at that. Here is what is currently set in rsyslog.conf:

$ActionFileDefaultTemplate RSYSLOG_FileFormat

Just started to dig into the rsyslog guides to find out some more, see if I can resolve this.

0 Karma

Re: Getting two time stamps in a syslog entry - how to correct

Esteemed Legend

Modify inputs.conf: inside the stanza where you define the input port, add:

no_appending_timestamp = true

From the inputs.conf.spec documentation file:

no_appending_timestamp = true
If this attribute is set to true, then Splunk does NOT append a timestamp and host to received events.
NOTE: Do NOT include this key if you want to append timestamp and host to received events.

You will have to restart the Splunk instances on your forwarders.

0 Karma
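The answer above names the cause: a Splunk network input such as a [udp://514] stanza prepends its own timestamp and the sender's host to every received line unless no_appending_timestamp = true is set, and rsyslog's forward action has already put a syslog header on the line, so the indexed event carries two. Before and after changing inputs.conf it is useful to measure how many events are affected and to recover the original message from the ones already indexed. The script below does that; it is an added example, not code from the thread or from Splunk. The sample events are constructed in the shape of the line in the question (not real logs), the year passed to the parser is an assumption because BSD syslog timestamps carry none, and the function names are the example's own.

```python
"""Detect and split the double syslog header discussed in this thread.

A Splunk network input (for example [udp://514]) prepends its own timestamp
and the sender's host to each received line unless the stanza sets
no_appending_timestamp = true.  rsyslog's forward action has already put a
syslog header on the line, so the indexed event carries two.  These helpers
recognise such events, return the original message, and report the clock
offset between the two headers.
"""
import re
from datetime import datetime
from typing import Optional

# BSD syslog header: "Mon DD HH:MM:SS host" (the day may be space padded).
_HEADER = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"

DOUBLE_HEADER = re.compile(
    rf"^(?P<splunk_ts>{_HEADER}) (?P<splunk_host>\S+) "       # prefix added by the Splunk input
    rf"(?P<src_ts>{_HEADER}) (?P<src_host>\S+) "              # header written by rsyslog
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"  # tag[pid]: message
)

# Constructed sample events in the shape shown in the question (not real logs).
SAMPLE_EVENTS = [
    "Oct 21 10:49:53 hyperion.btlab.test Oct 21 13:49:53 hyperion su: "
    "pam_unix(su-l:session): session closed for user root",
    "Oct 21 13:50:07 hyperion sshd[2048]: Accepted publickey for deploy "
    "from 10.0.0.5 port 51422 ssh2",
    "Oct 21 10:50:07 hyperion.btlab.test Oct 21 13:50:07 hyperion sshd[2048]: "
    "Failed password for invalid user admin from 10.0.0.7 port 40211 ssh2",
]


def _parse_ts(ts: str, year: int) -> datetime:
    """BSD syslog timestamps carry no year; the caller supplies it (assumption)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def split_double_header(line: str, year: int) -> Optional[dict]:
    """Return the parts of a double-header event, or None for a normal line."""
    m = DOUBLE_HEADER.match(line)
    if m is None:
        return None
    parts = m.groupdict()
    parts["pid"] = int(parts["pid"]) if parts["pid"] else None
    # Positive offset: the source's clock (or its time zone) is ahead of the
    # Splunk receiver's.  A large, constant offset usually means the two hosts
    # are not configured for the same time zone, which matters when you
    # correlate this event with others during an investigation.
    delta = _parse_ts(parts["src_ts"], year) - _parse_ts(parts["splunk_ts"], year)
    parts["offset_seconds"] = int(delta.total_seconds())
    return parts


def strip_splunk_prefix(line: str) -> str:
    """Return the line as it would have been indexed with
    no_appending_timestamp = true: the original rsyslog message only."""
    m = DOUBLE_HEADER.match(line)
    if m is None:
        return line
    return line[m.start("src_ts"):]


def scan(lines, year: int) -> dict:
    """Count affected events and collect the offsets seen, to size the
    problem before (and confirm the fix after) changing inputs.conf."""
    summary = {"double_header": 0, "clean": 0, "offsets_seconds": set()}
    for line in lines:
        parts = split_double_header(line, year)
        if parts is None:
            summary["clean"] += 1
        else:
            summary["double_header"] += 1
            summary["offsets_seconds"].add(parts["offset_seconds"])
    return summary


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(strip_splunk_prefix(line))
    print(scan(SAMPLE_EVENTS, year=2019))
```

Run it against an export of the affected events (one per line) instead of SAMPLE_EVENTS; a non-empty offsets_seconds set after the forwarders have been restarted means the stanza you edited is not the one the events arrive on. The first header in each event is the receiver's clock, the second is the source's, so the second is the one to trust when reconstructing what happened on the Linux box.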