Getting Data In

Why am I getting the same inputs.conf file but different hostname for syslog files?

Path Finder

Hi

I have a simple inputs.conf file which looks like this:

[default]
host = test-01.blabla.local

[monitor:///opt/whatever/shared/log/staging.log]
disabled = false
sourcetype = ruby_on_rails

[monitor:///var/log]
disabled = false
sourcetype = syslog

My issue is that for ruby_on_rails I get the correct hostname, but for syslog I get test-01.

I checked server.conf, both default and local, and the correct hostname is there.

Any suggestion?

Thanks

0 Karma

Ultra Champion

When using the syslog sourcetype, you get hostname override extraction for free. There is a TRANSFORMS=syslog-host statement in etc/system/default/props.conf that triggers Splunk to read the hostname from the syslog header, overwriting what was set through your inputs.conf.

One way to deal with that is to make sure your logs contain the desired hostname. Another way is to overrule that default props.conf setting, by creating your own props.conf and adding:

[syslog]
TRANSFORMS=

Note: this applies to all your uses of the syslog sourcetype, so if for other data feeds that use syslog sourcetype you do want to keep this behavior, you need to enable it again for those specific data sources (e.g. with a source based stanza in props.conf for that feed).

0 Karma
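As an added illustration, not code from the original thread or from Splunk, the following Python sketch models how the host of an event is decided: when the syslog-host transform is active for a sourcetype, the hostname in the syslog header wins; when a local props.conf clears TRANSFORMS for [syslog], the inputs.conf host stands. The regex is my approximation of Splunk's default syslog-host transform, and the sample log lines are constructed.

```python
import re

# Approximation of Splunk's default [syslog-host] transform (assumption, not
# copied from Splunk): after the HH:MM:SS timestamp, optionally skip a PID or
# facility token, then capture the hostname that follows.
SYSLOG_HOST_RE = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w.\-]{2,})\]?\s"
)


def assign_host(line: str, sourcetype: str, inputs_host: str, props: dict) -> str:
    """Return the host value an event would end up with.

    props maps a sourcetype to the list of TRANSFORMS names in its props.conf
    stanza. An empty list models a local "[syslog]\nTRANSFORMS=" stanza, which
    disables the default host override for that sourcetype.
    """
    transforms = props.get(sourcetype, [])
    if "syslog-host" in transforms:
        match = SYSLOG_HOST_RE.search(line)
        if match:
            return match.group(1)  # header hostname overrides inputs.conf
    return inputs_host


# Constructed sample events (not taken from the post).
RAILS_LINE = 'I, [2019-03-04T10:15:22.123456 #4242]  INFO -- : Started GET "/"'
SYSLOG_LINE = "Mar  4 10:15:22 test-01 sshd[1234]: Accepted publickey for deploy"

# host = ... from the inputs.conf [default] stanza in the question
INPUTS_HOST = "test-01.blabla.local"

# etc/system/default/props.conf ships [syslog] with TRANSFORMS = syslog-host
DEFAULT_PROPS = {"syslog": ["syslog-host"]}
# A local props.conf containing "[syslog]" and an empty "TRANSFORMS=" clears it
LOCAL_PROPS = {"syslog": []}


def demo() -> dict:
    """Host assigned in the three situations discussed in the thread."""
    return {
        "rails_default": assign_host(RAILS_LINE, "ruby_on_rails", INPUTS_HOST, DEFAULT_PROPS),
        "syslog_default": assign_host(SYSLOG_LINE, "syslog", INPUTS_HOST, DEFAULT_PROPS),
        "syslog_override": assign_host(SYSLOG_LINE, "syslog", INPUTS_HOST, LOCAL_PROPS),
    }


if __name__ == "__main__":
    for case, host in demo().items():
        print(f"{case}: {host}")
```

The syslog event carries only the short name "test-01" in its header, which is exactly why the FQDN from inputs.conf is lost until the transform is disabled.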

Path Finder

This worked, thanks!

0 Karma

Ultra Champion

Glad to hear that. Please mark the answer as accepted, so it is clear for others that this question is answered 🙂

0 Karma

Path Finder

I have rsyslog:

#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#           For more information see
#           /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none      -/var/log/syslog
#cron.*             /var/log/cron.log
daemon.*            -/var/log/daemon.log
kern.*              -/var/log/kern.log
lpr.*               -/var/log/lpr.log
mail.*              -/var/log/mail.log
user.*              -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info           -/var/log/mail.info
mail.warn           -/var/log/mail.warn
mail.err            /var/log/mail.err

#
# Some "catch-all" log files.
#
*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none      -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg             :omusrmsg:*

0 Karma

Champion

Can you share syslog.conf? Or please share sample logs.

0 Karma

Path Finder

I just checked messages and test-01 is the hostname there. It's not a Splunk config issue, it's the system.

I sent my rsyslog.conf, but the comment needs to be approved.

0 Karma