Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I modify syslog host to be FQDN?

bfeeny
New Member
‎02-09-2018 09:21 PM

Splunk 7.0.2
Universal forwarder running on a linux box splunk2.lab.local
This is sending a monitor /var/log to a search at splunk.lab.local
Events are showing up as host splunk2.lab.local except for source type syslog which is coming in as just splunk2

I would like to normalize this so both hosts are splunk2.lab.local.

I see in props.conf on the search box:

[syslog]
TRANSFORM = syslog-host

I tried just making that:

[syslog]
TRANSFORM =

What is the best way to handle this? Should I do something on the linux host that will make it log its hostname in syslog as FQDN? Is there a way to handle it where maybe I can setup an alias or similar so that two values can be merged?

Tags (1)
0 Karma
Reply

Yunagi
Communicator
‎02-13-2018 01:44 AM

I had a similar issue. Since it is recommended to use a syslog server instead of sending syslog straight to Splunk, I put up an rsyslog server. My rsyslog server had the option %FROMHOST% to put incoming syslog traffic into

/data/<reverse dns or ip address>/syslog

So each syslog client had a log file like /data/test.local/syslog (if reverse DNS was available) or /data/192.168.0.10/syslog.

The Splunk directory monitor had the option "host_segment = 2", so the host field should either be the FQDN or the ip address. However, the syslog sourcetype overwrote the host value via "TRANSFORM = syslog-host".

I did not like this behaviour. So like you I made the following changes via etc/system/local/props.conf on my heavy forwarder (because that's where the indexing phase took place):

[syslog]
TRANSFORM =

So I think you are handling this just fine.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...