Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I avoid from adding an original hostname(or, IP address) to _SYSLOG_ROUGING event when forwarding a third party server?

Masa
Splunk Employee
Splunk Employee
‎01-31-2019 03:03 PM

How can I avoid from adding an original hostname(or, IP address) to _SYSLOG_ROUGING event when forwarding a third party server?

I can see that Splunk add host information to original syslog event when using _SYSLOG_ROUTING to forward syslog events to a third party server?

Below is an example added the server's IP address 192.168.10.111 which was already in the original event.

192.168.10.111 Mar 16 00:01:29 192.168.10.111 postfix/qmgr[1106]: EA11004022: from=, size=3514, nrcpt=1 (queue active)

How can I remove the host name?

Tags (1)
0 Karma
Reply

Masa
Splunk Employee
Splunk Employee
‎01-31-2019 03:09 PM

Probably you're using non-syslog sourcetype. In that case, try syslogSourceType attribute in outputs.conf. This should avoid adding the originated hostname. 

syslogSourceType = <string>
* Specifies an additional rule for handling data, in addition to that 
  provided by the 'syslog' source type.
* This string is used as a substring match against the sourcetype key. For
  example, if the string is set to "syslog", then all sourcetypes
  containing the string 'syslog' receive this special treatment.
* To match a sourcetype explicitly, use the pattern
  "sourcetype::sourcetype_name".
    * Example: syslogSourceType = sourcetype::apache_common
* Data that is "syslog" or matches this setting is assumed to already be in 
  syslog format. 
* Data that does not match the rules has a header, optionally a timestamp 
  (if defined in 'timestampformat'), and a hostname added to the front of 
  the event. This is how Splunk software causes arbitrary log data to match syslog expectations.
* No default.

For more detail,
Official Doc:
https://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkEnterprisehandlessyslogdata
Community Wiki: (old)
https://wiki.splunk.com/Community:Test:How_Splunk_behaves_when_receiving_or_forwarding_udp_data

alt text

Preview file
231 KB
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...