Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Syslog Header In Output To A Syslog Server

GpMidi
Explorer
‎01-28-2010 10:31 PM

So in some unknown, previous version of Splunk we were able to forward syslog to an Rsyslog machine. The syslog messages began with the date/time and source host/IP of the message. This data was in the standard sysklogd format. It allowed us to write it out straight to a file and have it look like Rsyslog was the one receiving the messages. Current versions do not seem to include this header. Is there any way to restore this behavior? Our goal is to, at a minimum, get any syslog data that is received by Splunk to be forwarded to our instance of Rsyslog with the original host that sent the data included in the log line.
I'm currently running version 4.0.8. I believe that the previous version was "current" around 2009-08-20.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎04-20-2010 06:55 PM

If you were sending syslog data to rsyslog without splunk declaring itself in a header like a normal syslogd forward mechanism, you were basically "getting lucky" by having splunk pass along whatever syslog data it receieved over tcp and having that look "syslog enough" to rsyslog.

That is, in the past there was no specific support for emitting syslog data over udp or tcp. If you can still arrange to have only syslog-formatted events forwarded, and over TCP, I would expect it to work to the same degree that it it did before. If non-syslog-formatted data is involved then you have to take care not to forward that data, since it won't look anything like syslog to rsyslog.

View solution in original post

Reply
Solved! Jump to solution

mcronkrite
Splunk Employee
Splunk Employee
‎04-02-2015 06:02 AM

Syslog servers when they operate in a tiered deployment, e.g. syslog to syslog server. This type of header nesting also occurs as per the RFC 3164. Splunk is acting the same way as a Syslog server would.

http://wiki.splunk.com/Community:Test:How_Splunk_behaves_when_receiving_or_forwarding_udp_data

0 Karma
Reply
Solved! Jump to solution

calyope7
New Member
‎04-12-2011 09:49 PM

Hello Dan,

Did you resolve this issue? I am experiencing it as well.

Thanks, Chris

0 Karma
Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎04-20-2010 06:55 PM

If you were sending syslog data to rsyslog without splunk declaring itself in a header like a normal syslogd forward mechanism, you were basically "getting lucky" by having splunk pass along whatever syslog data it receieved over tcp and having that look "syslog enough" to rsyslog.

That is, in the past there was no specific support for emitting syslog data over udp or tcp. If you can still arrange to have only syslog-formatted events forwarded, and over TCP, I would expect it to work to the same degree that it it did before. If non-syslog-formatted data is involved then you have to take care not to forward that data, since it won't look anything like syslog to rsyslog.

Reply
Solved! Jump to solution

Jag
Splunk Employee
Splunk Employee
‎01-29-2010 05:54 PM

You can define following in outputs.conf to forward data in syslog format.

[syslog]
defaultGroup=myGroup

[syslog:myGroup]
server = syslogserver.mycompany.com:514

This will send events out in syslog format via UDP to port 514 on syslogserver.mycompany.com. You can set 'type=tcp' in [syslog:mygGroup] stanza to send data out via TCP. You can add priority header if missing in the source by setting 'priority' field. The value set in priority field will be emitted in the syslog header.

Reply
Solved! Jump to solution

Dan
Splunk Employee
Splunk Employee
‎06-23-2010 01:51 PM

I'm going to file an issue with Support about this...

0 Karma
Reply
Solved! Jump to solution

dskillman
Splunk Employee
Splunk Employee
‎04-17-2010 06:08 AM

Forwarding works fine. The real question is "Is there a way to maintain the source IP of the UDP syslog packet when forwarding to a 3rd party syslog listener?"

0 Karma
Reply
Solved! Jump to solution

GpMidi
Explorer
‎01-29-2010 06:06 PM

I already have it setup to forward to a remote syslog server. The problem is getting it to include the origin IP in the message.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...