Re: Hostname lost in forwarded syslog messages

micuzzu · ‎06-23-2014

Hi,
I have a central syslog server, collecting auth.* messages from many Linux hosts in the /var/log/secure file. Then they are forwarded to Splunk by a Universal Forwarder.
The problem is that Splunk sees all these messages with host = "syslog server".

What's the simplest method to use the real originating host, that is always present after date/time:

Jun 23 17:52:36 host01 sshd[12447]: pam_unix(sshd:session): session opened for user jsmith b
y (uid=0)

yannK · ‎06-23-2014

if you use the "syslog" sourcetype, then the host should be extracted from the events.

To understand the mechanism, look at the $SPLUNK_HOME/etc/default/props.conf [syslog]
and $SPLUNK_HOME/etc/default/transforms.conf [syslog-host]

DEST_KEY = MetaData:Host REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s FORMAT = host::$1

micuzzu · ‎06-26-2014

I tried on a test Splunk server, loading directly the file /var/log/secure of the syslog central server and it works 😉

Now how can I correct the behaviour on the production Splunk server, receiving forwarded events?

yannK · ‎06-24-2014

Inputs are in inputs.conf (in $PSLUNK_HOME/etc/apps//default or /local, or in the $SPLUNK_HOME/etc/system/local)

Try to change the sourcetype to syslog to get the extraction.

micuzzu · ‎06-23-2014

OK, in fact they are now actually indexed using "linux_secure" sourcetype.
Where are defined input data for forwarded events (I'm a newbie)?

Hostname lost in forwarded syslog messages

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation