Getting Data In

Hostname lost in forwarded syslog messages

micuzzu
New Member

Hi,
I have a central syslog server, collecting auth.* messages from many Linux hosts in the /var/log/secure file. Then they are forwarded to Splunk by a Universal Forwarder.
The problem is that Splunk sees all these messages with host = "syslog server".

What's the simplest method to use the real originating host, that is always present after date/time:

Jun 23 17:52:36 host01 sshd[12447]: pam_unix(sshd:session): session opened for user jsmith b
y (uid=0)

Tags (1)
0 Karma

yannK
Splunk Employee
Splunk Employee

if you use the "syslog" sourcetype, then the host should be extracted from the events.

To understand the mechanism, look at the $SPLUNK_HOME/etc/default/props.conf [syslog]
and $SPLUNK_HOME/etc/default/transforms.conf [syslog-host]


DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1

micuzzu
New Member

I tried on a test Splunk server, loading directly the file /var/log/secure of the syslog central server and it works 😉

Now how can I correct the behaviour on the production Splunk server, receiving forwarded events?

0 Karma

yannK
Splunk Employee
Splunk Employee

Inputs are in inputs.conf (in $PSLUNK_HOME/etc/apps//default or /local, or in the $SPLUNK_HOME/etc/system/local)

Try to change the sourcetype to syslog to get the extraction.

micuzzu
New Member

OK, in fact they are now actually indexed using "linux_secure" sourcetype.
Where are defined input data for forwarded events (I'm a newbie)?

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...