Getting Data In

RSyslog, Dynamic Filenames, and Host_Regex

milesbrennan
Path Finder

Hi Splunkers,

We're using Rsyslog to collect many of our appliance syslog streams, and then bringing them into Splunk on our heavy forwarder.

However the issue we have is all "host" entries are using the heavy forwarder hostname, and not the syslog/appliance hostname.

We've adjusted our Rsyslog configuration file to use dynamic filenames, with the following configuration:

#  vi /etc/rsyslog.d/splunk.conf
template (name="websense-proxy" type="string" string="/var/log/splunk/websense/%HOSTNAME%.log")
if $programname == "vendor=Forcepoint" and $msg contains "product=Security" then { action (type="omfile" dynafile="websense-proxy") stop }

This works fine, and the log files are appearing correctly as:

/var/log/splunk/websense/proxy01.log
/var/log/splunk/websense/proxy02.log

However our "host_regex" does not work properly, and should be picking up the filename as the hostname (minus the file extention).

[monitor://var/log/splunk/websense/.*log]
index = proxy
sourcetype = websense
host_regex = .*\/(.+)\.log

We've gone through the inputs.conf / host_regex documentation and several posts here, but can't get it working with Splunk properly.

However it seems to be working fine in Regex101 - https://regex101.com/r/ayZak8/3

In Splunk we're expecting to see host proxy01 and proxy02.

0 Karma
1 Solution

milesbrennan
Path Finder

I was able to get this working after changing monitor stanza to three "///" i.e.

This works:

[monitor:///var/log/splunk/websense-*log]
index = proxy
sourcetype = websense
host_regex = .*\-(.+)\.log

However using a directory continues to fail:

[monitor:///var/log/splunk/websense/*log]
index = proxy
sourcetype = websense
host_regex = .*\/(.+)\.log

So I'm forced to place all the logs into the main directory, I can't move them into their own "sourcetype" subdirectories - not a major issue, however it would be a little neater and help my OCD.... 😉

The main point however, is the host_regex is now working on the "*" wildcard, and hostnames are updating correctly in Splunk

So in /etc/rsyslog.d/splunk.conf, we have the declarations like these, which makes the filtering more dynamic:

template (name="fortigate"    type="string" string="/var/log/splunk/fortigate-%HOSTNAME%.log")
template (name="fortiweb"     type="string" string="/var/log/splunk/fortiweb-%HOSTNAME%.log")
template (name="fortiwebcef"  type="string" string="/var/log/splunk/fortiwebcef-%HOSTNAME%.log")
template (name="mfa"          type="string" string="/var/log/splunk/mfa-%HOSTNAME%.log")


if $msg contains "devid=FGT" then           { action (type="omfile" dynafile="fortigate") stop }
if $msg contains "device_id=FVVM" then      { action (type="omfile" dynafile="fortiweb") stop }
if $programname == "CEF" and $msg contains "FortiWeb" then       { action (type="omfile" dynafile="fortiwebcef") stop }
if $programname == "pfsvc" then             { action (type="omfile" dynafile="mfa") stop }

Thanks for all posts / answers.

Cheers

View solution in original post

0 Karma

milesbrennan
Path Finder

I was able to get this working after changing monitor stanza to three "///" i.e.

This works:

[monitor:///var/log/splunk/websense-*log]
index = proxy
sourcetype = websense
host_regex = .*\-(.+)\.log

However using a directory continues to fail:

[monitor:///var/log/splunk/websense/*log]
index = proxy
sourcetype = websense
host_regex = .*\/(.+)\.log

So I'm forced to place all the logs into the main directory, I can't move them into their own "sourcetype" subdirectories - not a major issue, however it would be a little neater and help my OCD.... 😉

The main point however, is the host_regex is now working on the "*" wildcard, and hostnames are updating correctly in Splunk

So in /etc/rsyslog.d/splunk.conf, we have the declarations like these, which makes the filtering more dynamic:

template (name="fortigate"    type="string" string="/var/log/splunk/fortigate-%HOSTNAME%.log")
template (name="fortiweb"     type="string" string="/var/log/splunk/fortiweb-%HOSTNAME%.log")
template (name="fortiwebcef"  type="string" string="/var/log/splunk/fortiwebcef-%HOSTNAME%.log")
template (name="mfa"          type="string" string="/var/log/splunk/mfa-%HOSTNAME%.log")


if $msg contains "devid=FGT" then           { action (type="omfile" dynafile="fortigate") stop }
if $msg contains "device_id=FVVM" then      { action (type="omfile" dynafile="fortiweb") stop }
if $programname == "CEF" and $msg contains "FortiWeb" then       { action (type="omfile" dynafile="fortiwebcef") stop }
if $programname == "pfsvc" then             { action (type="omfile" dynafile="mfa") stop }

Thanks for all posts / answers.

Cheers

0 Karma

sbbadri
Motivator

@milesbrennan
try below,
[monitor://var/log/splunk/websense/*.log]
index = proxy
sourcetype = websense
host_regex =/var/log/splunk/websense/(.+).log

0 Karma

adonio
Ultra Champion

Hello there,

will recommend to use slightly different method.
have the rsyslog configured to have the host name in a directory path, example:

/var/log/splunk/websense/<hostName>/*.log

now you can use the wonderful host_segment conf
in this case, inputs.conf will look like that:

 [monitor://var/log/splunk/websense/.../*.log]
  index = proxy
  sourcetype = websense
  host_segment = 5

and you are ready to rock and roll

hope it helps

0 Karma

jkat54
SplunkTrust
SplunkTrust

.* does not work this way in a monitor stanza. As the documentation of inputs.conf says:

Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored input. Use
  "..." for recursive directory matching and "*" for wildcard matching in a
  single directory segment.
* "..." recurses through directories. This means that /foo/.../bar will match
  foo/bar, foo/1/bar, foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path. For
  example: /foo/.../bar/...
* The asterisk (*) matches anything in a single path segment; unlike "...", it
  does not recurse. For example, /foo/*/bar matches the files /foo/bar,
  /foo/1/bar, /foo/2/bar, etc. However, it does not match /foo/1/2/bar.
  A second example: /foo/m*r/bar matches /foo/mr/bar, /foo/mir/bar,
  /foo/moor/bar, etc.
* You can combine "*" and "..." as needed: foo/.../bar/* matches any file in
  the bar directory within the specified path.

Therefore, this will work

 [monitor://var/log/splunk/websense/*.log]
 index = proxy
 sourcetype = websense
 host_regex = .*\/(.+)\.log
0 Karma

milesbrennan
Path Finder

I've progressed a little further on this, it fails to work when I use a wildcard "*" in the monitor stanza, and works perfectly when I use an absolute path / filename.

This fails:

[monitor://var/log/splunk/websense/.*log]
index = proxy
sourcetype = websense
host_regex = .*\/(.+)\.log

But this works:

[monitor://var/log/splunk/websense/proxy01.log]
index = proxy
sourcetype = websense
host_regex = .*\/(.+)\.log

This indexes host=proxy01

However this means I would need a unique stanza for every single file I want to index, which doesn't make sense, surely this can be more dynamic.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...