How do I modify syslog host to be FQDN?

bfeeny · ‎02-09-2018

Splunk 7.0.2
Universal forwarder running on a linux box splunk2.lab.local
This is sending a monitor /var/log to a search at splunk.lab.local
Events are showing up as host splunk2.lab.local except for source type syslog which is coming in as just splunk2

I would like to normalize this so both hosts are splunk2.lab.local.

I see in props.conf on the search box:

[syslog]
TRANSFORM = syslog-host

I tried just making that:

[syslog]
TRANSFORM =

What is the best way to handle this? Should I do something on the linux host that will make it log its hostname in syslog as FQDN? Is there a way to handle it where maybe I can setup an alias or similar so that two values can be merged?

Yunagi · ‎02-13-2018

I had a similar issue. Since it is recommended to use a syslog server instead of sending syslog straight to Splunk, I put up an rsyslog server. My rsyslog server had the option %FROMHOST% to put incoming syslog traffic into

/data/<reverse dns or ip address>/syslog

So each syslog client had a log file like /data/test.local/syslog (if reverse DNS was available) or /data/192.168.0.10/syslog.

The Splunk directory monitor had the option "host_segment = 2", so the host field should either be the FQDN or the ip address. However, the syslog sourcetype overwrote the host value via "TRANSFORM = syslog-host".

I did not like this behaviour. So like you I made the following changes via etc/system/local/props.conf on my heavy forwarder (because that's where the indexing phase took place):

[syslog]
TRANSFORM =

So I think you are handling this just fine.

How do I modify syslog host to be FQDN?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases