Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why are events coming in over source:tcp-ssl not assigned a hostname?

baloo
Engager
‎11-12-2015 07:15 AM

Dear Splunkers

Recently we reconfigured our remote syslog clients to deliver their logs over source:tcp-ssl instead of source:tcp.

Since then the events are not assigned the configured hostname anymore.
Instead, the host field contains the source ip address of the originating client.

inputs.conf @ indexer:

$ /splunk/bin/splunk btool inputs list tcp-ssl://10.11.12.13:1514 --debug

/data/splunk/etc/apps/IA-xml/local/inputs.conf  [tcp-ssl://10.11.12.13:1514]
/data/splunk/etc/system/default/inputs.conf     _rcvbuf = 1572864
/data/splunk/etc/apps/IA-xml/local/inputs.conf  host = hostname-xy
/data/splunk/etc/apps/IA-xml/local/inputs.conf  index = xml-p
/data/splunk/etc/apps/IA-xml/local/inputs.conf  sourcetype = xml

The fields 'index' and 'sourcetype' are assigned correctly. Only the field 'host' does not seem to catch.

It would be quite ugly to override the host field at index time with transforms.

Any ideas or experiences with this issue?

Thanks a lot & best regards

Stephan

Tags (5)
Reply

Richfez
SplunkTrust
SplunkTrust
‎11-14-2015 08:09 PM

I'd recommend not using Splunk to listen directly for syslog, but instead have a syslog server (syslog-ng or rsyslog) listen for syslog and write that to files. Splunk then picks up the files and reads them.

This has a LOT of advantages. It is considered best practice. It makes restarting Splunk not interrupt your syslog inputs for that minute or two. It makes troubleshooting easier by separating the two functions. It makes the various configurations involved simpler. It also increases throughput.

And most importantly, I would be VERY surprised if you continued to have this problem after you convert to syslong-ng and Splunk reading those files.

For what it's worth, you can run the syslog server right on that same box.

See this excellent blog for more information.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...