Getting Data In

More syslog forwarding fun...

Steve_Litras
Path Finder

So I've got forwarding of splunk data set up for certain systems in my environment to go to a 3rd party, in addition to through splunk. However, it looks like the host field doesn't get included in that forward, so the 3rd party just sees all this data coming from one system, with no differentiation of where the events originally came from (they're coming from a light forwarder, through an intermediate forwarding layer, into the indexing layer and being forwarded at the index layer via syslog).

Is the host field being dropped? Is there a way to add it back in?


gfriedmann
Communicator

I've worked with multiple systems and here are two things to try, individually or together:

1) Make sure the log message output by the output will include the original origin IP address as the first part of the message... just after the priority and timestamp if it is present. In syslog-ng, this sort of formatting looks like "template("$STAMP $HOST $MSG\n")"

2) Try using TCP. Some receivers take TCP transport as a cue that the source might be a forwarder with some intelligence.

Regarding truncation before an expected 1.5k max, I have seen truncation at half the set value in some systems due to UTF-16 representation doubling the amount of interpreted length somewhere along the way.


gkanapathy
Splunk Employee

Make sure you are not setting syslogSourceType in your output group configuration. You should probably also set priority and timestampformat. I believe that setting syslogSourceType to something other than "syslog" (or whatever the default is) stops Splunk from prepending the host.

You will also need to set timestampformat if you want Splunk to add the Splunk event timestamp, or you can try to count on the target server to prepend the current time.

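What that answer looks like in the indexer-side configuration, as an added example that is not from the thread or from Splunk's own documentation: the first syslog group shows the setting the answer warns against, the second the corrected group, with routing stanzas so the group is actually used. The receiver address, group names and sourcetype are placeholders, and maxEventSize is included on the assumption that it is the default 1024-byte limit behind the truncation mentioned elsewhere in the thread.

```ini
# --- outputs.conf (on the indexing layer, where the syslog forward happens) ---

# Problematic group: syslogSourceType is set. Per the answer above, this
# stops Splunk from prepending the originating host, so the third party
# sees every event as coming from the indexer itself.
[syslog:thirdparty_bad]
server = syslog-receiver.example.net:514      ; placeholder receiver
type = udp
syslogSourceType = app_logs                   ; the setting to remove

# Corrected group: syslogSourceType left unset, priority and timestampformat
# set explicitly, so each line leaves as "<PRI>TIMESTAMP HOST MSG" and the
# receiver can attribute events to the host that produced them.
[syslog:thirdparty]
server = syslog-receiver.example.net:514      ; placeholder receiver
type = tcp                                    ; TCP, as suggested in the thread
priority = <13>                               ; facility user (1), severity notice (5)
timestampformat = %b %e %H:%M:%S              ; without this, no timestamp is added
; ASSUMPTION: maxEventSize (default 1024 bytes) caps the size of each
; forwarded event; raise it if lines arrive cut off at the receiver.
maxEventSize = 4096

# --- props.conf: attach the routing transform to the data you forward ---
[app_logs]                                    ; placeholder sourcetype
TRANSFORMS-route_to_thirdparty = route_to_thirdparty

# --- transforms.conf: send matching events to the corrected syslog group ---
[route_to_thirdparty]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = thirdparty
```

After restarting the indexers, a packet capture at the receiver should show each line beginning with the priority, the Splunk event timestamp and the original host rather than the indexer's address.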

Steve_Litras
Path Finder

I'm not setting syslogSourceType anywhere in my config. I did some tcpdumps on the server, and it looks like all the syslog output is getting truncated, but not at a consistent length (well under the 1.5K MTU). I haven't changed the default truncation value.
