Linux_audit won't transform node field into host

ZimmermanC1
Explorer

Hello all,

I collect all of my *nix logs into a central server that has a UF installed on it.
I have the splunk_ta_nix installed on my single instance indexer/sh as well as installed at the UF.

inputs.conf on the UF only has the [monitor:///var/log] stanza enabled

Everything from the centralized location for /var/log/messages is getting the sourcetype of "syslog" and the host field is populating properly based off of the contents of the event rather than with the hostname of the central log server.

Everything from /var/log/secure is getting the sourcetype of linux_secure but every event is populated with the hostname of the central log server in the host field regardless of contents of the event.

I added the following to Splunk_TA_nix/local/transforms.conf

[linux_secure_host]
REGEX = ^\w+\s\d{2}\s\d{2}:\d{2}:\d{2}\s(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

And this to Splunk_TA_nix/local/props.conf

[linux_secure]
TRANSFORMS-linux_secure_host = linux_secure_host

And everything from the centralized /var/log/secure now has the correct host field value. Hoo-ray!

Lastly, I attempted to tackle all of the auditd logs that live in /var/log/audit/audit.log
These events get the sourcetype of linux_audit and show the same behaviour as the previous example I was able to fix, so I edited transforms.conf like so

[linux_audit_host]
REGEX = \snode=(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

and props.conf like this

[linux_audit]
TRANSFORMS-linux_audit_host = linux_audit_host

but I have had no luck populating the correct value into the host field for the events that go into this sourcetype.

Here is an example of a log from /var/log/audit/audit.log

node=ipa01.test.linux type=USER_END msg=audit(1505793661.317:6773): pid=13781 uid=0 auid=0 ses=917 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

Any help with this issue would be amazing.


ZimmermanC1
Explorer

Turns out I was close.

[linux_audit_host]
REGEX = ^node=(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
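To show why the first linux_audit regex in the question never matched and the one in the answer does, here is an added example (not part of the original thread, and not Splunk's own code) that emulates the MetaData:Host override in plain Python: it runs each REGEX from the thread over a sample event and returns the first capture group as the host, falling back to the forwarder-assigned host when nothing matches. The audit event is the one quoted in the question; the /var/log/secure lines and the hostnames web01.test.linux and loghost are constructed. It also covers a case the thread does not mention: the linux_secure regex uses \d{2} for the day, so it silently falls back to the log server's hostname on days 1 to 9, where traditional syslog pads the day with a space. SYSLOG_HOST_REGEX_TIGHTENED is my suggested replacement for that stanza, not something from the thread.

```python
import re

# Host-override transforms as they appear in the thread, keyed by sourcetype.
# Each entry mirrors a transforms.conf stanza with FORMAT = host::$1.
TRANSFORMS = {
    "linux_secure": r"^\w+\s\d{2}\s\d{2}:\d{2}:\d{2}\s(\S+)",
    # First attempt from the question: requires a whitespace character
    # *before* "node=", but auditd writes "node=" as the very first token.
    "linux_audit_original": r"\snode=(\S+)",
    # Working version from the answer: anchor to the start of the event.
    "linux_audit": r"^node=(\S+)",
}

# Suggested tightening of the linux_secure stanza (my assumption, not from the
# thread): \s+ and \d{1,2} accept the space-padded day syslog emits for days 1-9.
SYSLOG_HOST_REGEX_TIGHTENED = r"^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)"

# Constructed sample events. The audit line is the one quoted in the question;
# the two secure lines and the hostnames are invented for this example.
AUDIT_EVENT = (
    "node=ipa01.test.linux type=USER_END msg=audit(1505793661.317:6773): "
    "pid=13781 uid=0 auid=0 ses=917 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 "
    "msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd "
    "acct=\"root\" exe=\"/usr/sbin/crond\" hostname=? addr=? terminal=cron res=success'"
)
SECURE_EVENT = (
    "Sep 19 04:01:01 web01.test.linux sshd[2211]: "
    "Accepted publickey for deploy from 10.0.0.5 port 52144 ssh2"
)
# Same event on the 9th: note the two spaces after the month (RFC 3164 padding).
SECURE_EVENT_SINGLE_DIGIT_DAY = (
    "Sep  9 04:01:01 web01.test.linux sshd[2211]: "
    "Accepted publickey for deploy from 10.0.0.5 port 52144 ssh2"
)

# Hostname the UF on the central log server would otherwise assign (constructed).
FORWARDER_HOST = "loghost"


def override_host(event, regex, default_host=FORWARDER_HOST):
    """Emulate a transforms.conf stanza with DEST_KEY = MetaData:Host.

    If REGEX matches, the first capture group becomes the host; if it does
    not, the host stays as the forwarder assigned it. That silent fallback is
    exactly the symptom in the thread: every event looks like it came from
    the central log server.
    """
    m = re.search(regex, event)
    return m.group(1) if m else default_host


def demo():
    """Run every transform from the thread over the sample events."""
    return {
        "audit_original": override_host(AUDIT_EVENT, TRANSFORMS["linux_audit_original"]),
        "audit_fixed": override_host(AUDIT_EVENT, TRANSFORMS["linux_audit"]),
        "secure": override_host(SECURE_EVENT, TRANSFORMS["linux_secure"]),
        "secure_day9_thread_regex": override_host(
            SECURE_EVENT_SINGLE_DIGIT_DAY, TRANSFORMS["linux_secure"]),
        "secure_day9_tightened": override_host(
            SECURE_EVENT_SINGLE_DIGIT_DAY, SYSLOG_HOST_REGEX_TIGHTENED),
    }


if __name__ == "__main__":
    for label, host in demo().items():
        print(f"{label:28s} -> host={host}")
```

The audit_original entry comes back as loghost because `\s` has nothing to match at offset 0; anchoring with `^` fixes it, which is the whole of the answer above. The secure_day9_thread_regex entry shows the same silent fallback for the linux_secure stanza on single-digit days, so if you copy that stanza it is worth adopting the tightened pattern. One deployment caveat: host overrides with DEST_KEY = MetaData:Host run during parsing, so they take effect on the indexer or a heavy forwarder, not on the universal forwarder that merely tails /var/log.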