Getting Data In

Set hostname correctly for SYSLOG input coming into Forwarder

castle1126
Communicator

I have a Linux forwarder running Splunk 4.1.2. This system uses TCP ports to listen for SYSLOG data from certain devices. When the log data comes in via these ports, it is indexed nicely in Splunk. But the host value for these events is set to the Forwarder's host name. Is there a way I can REGEX the incoming SYSLOG information to grab the IP address near the beginning of the SYSLOG data, and set the host to this value?

Thanks!

1 Solution

tgow
Splunk Employee

Modifying the props.conf and transforms.conf on the Splunk Indexer should do the trick.

Configure a dynamically extracted host name for any source or sourcetype via transforms.conf and props.conf. Edit these files in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in this manual.

Edits to transforms.conf

Add your custom stanza to $SPLUNK_HOME/etc/system/local/transforms.conf. Configure your stanza as follows:

    [$UNIQUE_STANZA_NAME]
    DEST_KEY = MetaData:Host
    REGEX = $YOUR_REGEX
    FORMAT = host::$1

Fill in the stanza name and the regex fields with the correct values for your data.

Leave DEST_KEY = MetaData:Host to write a value to the host:: field. FORMAT = host::$1 writes the REGEX value into the host:: field.

Note: Name your stanza with a unique identifier (so it is not confused with a stanza in $SPLUNK_HOME/etc/system/default/transforms.conf).

Edits to props.conf

Create a stanza in $SPLUNK_HOME/etc/system/local/props.conf to map the transforms.conf regex to the source type in props.conf.

    [<spec>]
    TRANSFORMS-$name = $UNIQUE_STANZA_NAME

<spec> can be:

  1. <sourcetype>, the sourcetype of an event
  2. host::<host>, where <host> is the host for an event
  3. source::<source>, where <source> is the source for an event

$name is whatever unique identifier you want to give to your transform.

$UNIQUE_STANZA_NAME must match the stanza name of the transform you just created in transforms.conf.

Note: Optionally add any other valid attribute/value pairs from props.conf when defining your stanza. This assigns the attributes to the <spec> you have set. For example, if you have custom line-breaking rules to set for the same <spec>, append those attributes to your stanza.

Follow this link for some great examples:

http://www.splunk.com/base/Documentation/4.1.5/admin/Setthevalueofhostbasedoneventdata
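As an added worked example (not code from the original post, and not Splunk's own code), the following Python script simulates what the transform above does: it applies a REGEX of the kind you would put in transforms.conf to a few constructed syslog lines and returns the value that FORMAT = host::$1 would write into the host field. The stanza name syslog_src_ip_as_host, the regex itself, the forwarder host name fwd01 and the three sample lines are all assumptions made for illustration; Splunk evaluates REGEX with PCRE, but this particular pattern behaves the same under Python's re module. Two things the script shows that the post does not spell out: when the regex does not match, no host:: value is written and the event keeps the forwarder's own host name (the situation the question describes), and because the captured value is taken straight from event content, it is worth checking that it really is an IPv4 address before relying on it. That address check is a defender's addition, not something the Splunk transform does; to get the same effect in Splunk, tighten the REGEX so it cannot capture an invalid octet.

```python
import ipaddress
import re

# Example transforms.conf stanza (an assumption for illustration, not from the
# original post). The REGEX line is the pattern the simulation below applies.
TRANSFORMS_CONF_EXAMPLE = r"""
[syslog_src_ip_as_host]
DEST_KEY = MetaData:Host
REGEX = ^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\d{1,3}(?:\.\d{1,3}){3})\s
FORMAT = host::$1
"""

# Same pattern as the REGEX line above: optional <PRI>, a BSD syslog timestamp,
# then the sending device's IPv4 address in the host field (capture group 1).
HOST_REGEX = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s"
    r"(\d{1,3}(?:\.\d{1,3}){3})\s"
)

# Constructed: the host name the forwarder assigns when no transform rewrites it.
FORWARDER_HOST = "fwd01"


def derive_host(raw_event: str, default_host: str = FORWARDER_HOST) -> str:
    """Return the host value the transform would leave on this raw event.

    If the REGEX matches, FORMAT = host::$1 writes capture group 1 into the
    host field. If it does not match, nothing is written and the event keeps
    the default host, i.e. the forwarder's own name.
    """
    match = HOST_REGEX.match(raw_event)
    if match is None:
        return default_host
    candidate = match.group(1)
    # Defender's addition: the value comes from untrusted event content, and
    # \d{1,3} also accepts octets above 255, so verify it is a real IPv4
    # address before using it as the host. Splunk itself does not do this.
    try:
        ipaddress.IPv4Address(candidate)
    except ValueError:
        return default_host
    return candidate


def apply_transform(events):
    """Apply the transform to a batch of raw events; returns (host, event) pairs."""
    return [(derive_host(event), event) for event in events]


# Constructed sample syslog lines, as they might arrive on the forwarder's TCP input.
SAMPLE_EVENTS = [
    "<134>Jan 10 12:00:01 192.168.10.5 sshd[2231]: Accepted publickey for ops from 10.0.0.9",
    "<34>Jan 10 12:00:02 999.1.1.1 kernel: host field is not a valid address",
    "Jan 10 12:00:03 fw-edge01 %ASA-6-302013: Built outbound TCP connection 4711",
]

if __name__ == "__main__":
    for host, event in apply_transform(SAMPLE_EVENTS):
        print(f"host={host:<14} {event}")
```

The first line gets its host rewritten to the device address, the second is rejected by the address check and keeps fwd01, and the third (a device that puts its name rather than its address in the host field) does not match the regex at all and also keeps fwd01, which is exactly the symptom to look for when a transform appears not to work: the regex is silently not matching. When adapting the REGEX to your own devices, test it against real captured lines from each source, since syslog formats differ from one vendor to the next.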

castle1126
Communicator

To test with, I added the PROPS and TRANSFORMS to my Forwarder (not running light forwarder) and the host field did change correctly. Thanks for this information, it was very helpful!

0 Karma

castle1126
Communicator

So you would not add these settings to PROPS and TRANSFORMS on the system running Splunk Forwarder?

0 Karma