Getting Data In

Syslog Priority Levels Stripped for UDP and TCP Syslog Messages

scornish
Engager

All, I noticed discussions on how to prevent Splunk from stripping priority levels from UDP Syslog messages.

Will priority stripping occur if Splunk receives messages via TCP port 514?

If so, how would you configure Splunk to not strip the priority?

Stephanie

Tags (1)

Simeon
Splunk Employee
Splunk Employee

Priority stripping is optionally set for UDP inputs. It should not occur if you have configured a TCP input over port 514. For more information regarding the configuration, review the UDP settings for inputs.conf at following link:

http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf

no_priority_stripping = true
* If this attribute is set to true, then Splunk does NOT strip the <priority> syslog field from received events. 
* NOTE: Do NOT include this key if you want to strip <priority>.
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...