Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are events coming in over source:tcp-ssl not assigned a hostname?

baloo
Engager
‎11-12-2015 07:15 AM

Dear Splunkers

Recently we reconfigured our remote syslog clients to deliver their logs over source:tcp-ssl instead of source:tcp.

Since then the events are not assigned the configured hostname anymore.
Instead, the host field contains the source ip address of the originating client.

inputs.conf @ indexer:

$ /splunk/bin/splunk btool inputs list tcp-ssl://10.11.12.13:1514 --debug

/data/splunk/etc/apps/IA-xml/local/inputs.conf  [tcp-ssl://10.11.12.13:1514]
/data/splunk/etc/system/default/inputs.conf     _rcvbuf = 1572864
/data/splunk/etc/apps/IA-xml/local/inputs.conf  host = hostname-xy
/data/splunk/etc/apps/IA-xml/local/inputs.conf  index = xml-p
/data/splunk/etc/apps/IA-xml/local/inputs.conf  sourcetype = xml

The fields 'index' and 'sourcetype' are assigned correctly. Only the field 'host' does not seem to catch.

It would be quite ugly to override the host field at index time with transforms.

Any ideas or experiences with this issue?

Thanks a lot & best regards

Stephan

Tags (5)
Reply

Richfez
SplunkTrust
SplunkTrust
‎11-14-2015 08:09 PM

I'd recommend not using Splunk to listen directly for syslog, but instead have a syslog server (syslog-ng or rsyslog) listen for syslog and write that to files. Splunk then picks up the files and reads them.

This has a LOT of advantages. It is considered best practice. It makes restarting Splunk not interrupt your syslog inputs for that minute or two. It makes troubleshooting easier by separating the two functions. It makes the various configurations involved simpler. It also increases throughput.

And most importantly, I would be VERY surprised if you continued to have this problem after you convert to syslong-ng and Splunk reading those files.

For what it's worth, you can run the syslog server right on that same box.

See this excellent blog for more information.

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...