Getting Data In

Syslog Priority Levels Stripped for UDP and TCP Syslog Messages

scornish
Engager

All, I noticed discussions on how to prevent Splunk from stripping priority levels from UDP Syslog messages.

Will priority stripping occur if Splunk receives messages via TCP port 514?

If so, how would you configure Splunk to not strip the priority?

Stephanie

Tags (1)

Simeon
Splunk Employee
Splunk Employee

Priority stripping is optionally set for UDP inputs. It should not occur if you have configured a TCP input over port 514. For more information regarding the configuration, review the UDP settings for inputs.conf at following link:

http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf

no_priority_stripping = true
* If this attribute is set to true, then Splunk does NOT strip the <priority> syslog field from received events. 
* NOTE: Do NOT include this key if you want to strip <priority>.
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...