
Why are we seeing duplicate headers? (host and timestamp)

jppham
New Member

Splunk adds one header, then one more when forwarding to the external logger.

SPLUNK entry
Jan 29 14:09:01 host.localdomain: 2016 Jan 29 14:08:57 EST: %DAEMON-3-SYSTEM_MSG: error: setsockopt IP_TOS 16: Invalid argument: - sshd[6771]

External logger
Jan 29 14:09:01 host.localdomain Jan 29 14:09:01 host.localdomain : 2016 Jan 29 14:08:57 EST: %DAEMON-3-SYSTEM_MSG: error: setsockopt IP_TOS 16: Invalid argument: - sshd[6771]

RAW (tcpdump)
Jan 29 17:00:01 host.localdomain Jan 29 17:00:01 host.localdomain : 2016 Jan 29 16:59:56 EST: %DAEMON-3-SYSTEM_MSG: error: setsockopt IP_TOS 16: Invalid argument: - sshd[12046]

0 Karma

Jeremiah
Motivator

So, you may need to set:

syslogSourceType = <string>

In your outputs.conf syslog stanza. The string value should match the sourcetype of your Cisco data, so that Splunk knows this is syslog data and doesn't need to add a timestamp/hostname to the beginning of the log entry.

From http://docs.splunk.com/Documentation/Splunk/6.3.2/admin/Outputsconf:

"Data which does not match the rules has a header, optionally a timestamp (if defined in 'timestampformat'), and a hostname added to the front of the event. This is how Splunk causes arbitrary log data to match syslog expectations."

There is a Splunk wiki article that might help explain what is happening when your data is being processed and passed on to a syslog destination:

https://wiki.splunk.com/Community:Test:How_Splunk_behaves_when_receiving_or_forwarding_udp_data

It sounds like you are passing data directly to splunk via syslog. I prefer to have a syslog server (syslog-ng or rsyslog) setup to receive my syslog data and write to a file. Then I use a Splunk forwarder to read the files and forward them to my indexer. This also gives you the advantage of routing data directly via syslog-ng if you need to. There's a discussion of the pros/cons here:

https://answers.splunk.com/answers/103295/pros-cons-of-using-syslog-ng-or-other-syslog-file-receiver...

0 Karma
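The symptom in the question is easy to check mechanically: a line that has been wrapped twice starts with two consecutive "Mon dd HH:MM:SS hostname" headers. The following is an added example (not Splunk code or configuration, and not from the thread) that peels leading BSD-syslog headers off a line, counts them, and rebuilds the line with a single header. It assumes the header shape produced by `timestampformat = %b %e %H:%M:%S`, with the hostname optionally followed by a colon, as in the samples above; the sample lines are copied from this thread.

```python
"""Detect and strip stacked BSD-syslog headers (timestamp + hostname) in
forwarded log lines.

Added example for the thread above; not Splunk code or configuration. It
assumes the header shape produced by timestampformat = %b %e %H:%M:%S,
i.e. "Mon dd HH:MM:SS hostname", optionally followed by a colon.
"""
import re
from typing import List, Optional, Tuple

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"

# One BSD-syslog style header. %e pads the day with a space, hence \s+ between
# month and day. The hostname stops at whitespace or ':' so the
# "host.localdomain:" form in the Splunk entry is handled, and an optional
# " : " separator after the host is consumed too. (Bracketed IPv6 hosts are
# not covered by this simple pattern.)
HEADER_RE = re.compile(
    r"^(?P<month>" + MONTHS + r")\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<host>[^\s:]+)\s*:?\s*"
)

Header = Tuple[str, str, str, str]  # (month, day, time, host)


def split_headers(line: str) -> Tuple[List[Header], str]:
    """Peel every leading header off `line`; return (headers, payload)."""
    headers: List[Header] = []
    rest = line
    while True:
        m = HEADER_RE.match(rest)
        if not m:
            break
        headers.append((m["month"], m["day"], m["time"], m["host"]))
        rest = rest[m.end():]
    return headers, rest


def header_count(line: str) -> int:
    return len(split_headers(line)[0])


def has_duplicate_header(line: str) -> bool:
    """True when a relay re-wrapped a line that already carried a header."""
    return header_count(line) > 1


def dedupe_header(line: str) -> str:
    """Keep only the outermost header (the last hop's reception stamp) plus
    the payload, which still carries the device's own timestamp."""
    headers, payload = split_headers(line)
    if not headers:
        return line
    month, day, time, host = headers[0]
    return f"{month} {day} {time} {host} {payload}"


def audit(lines) -> List[Tuple[int, Optional[str]]]:
    """Per-line (header_count, outermost_host) for a batch of forwarded lines;
    any count above 1 points at a hop that added a header it should not have."""
    out: List[Tuple[int, Optional[str]]] = []
    for line in lines:
        headers, _ = split_headers(line)
        out.append((len(headers), headers[0][3] if headers else None))
    return out


# Sample lines copied from the thread above (Cisco switch and ESX host).
SAMPLES = {
    "splunk_cisco": "Jan 29 14:09:01 host.localdomain: 2016 Jan 29 14:08:57 EST: %DAEMON-3-SYSTEM_MSG: error: setsockopt IP_TOS 16: Invalid argument: - sshd[6771]",
    "external_cisco": "Jan 29 14:09:01 host.localdomain Jan 29 14:09:01 host.localdomain : 2016 Jan 29 14:08:57 EST: %DAEMON-3-SYSTEM_MSG: error: setsockopt IP_TOS 16: Invalid argument: - sshd[6771]",
    "splunk_esx": "Jan 29 16:52:32 esx.mydomain 2016-01-29T21:52:32.978Z ESX.MYDOMAIN Vpxa: [FF96FB90 verbose 'hostdstats'] Set internal stats for VM",
    "external_esx": "Jan 29 16:52:32 esx.mydomain Jan 29 16:52:32 esx.mydomain 2016-01-29T21:52:32.963Z ESX.MYDOMAINVpxa: [FF96FB90 verbose 'hostdstats']",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        n = header_count(line)
        flag = "DUPLICATE" if n > 1 else "ok"
        print(f"{name:15s} headers={n} {flag}")
        if n > 1:
            print("  ->", dedupe_header(line))
```

Running `audit()` over a batch captured with tcpdump at each hop (as the questioner did) shows where the count goes from 1 to 2, which is the hop whose syslog output needs `syslogSourceType` set. `dedupe_header()` is only a repair for lines already written; the fix belongs in the forwarding configuration.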

Jeremiah
Motivator

Can you give us some information, i.e., what is the configuration you are using to forward your data, and what kind of system is receiving it?

0 Karma

jppham
New Member

Hi Jeremiah, this log is from a Cisco switch sending syslog to SPLUNK.
We are also seeing multiple headers in logs from other systems coming in on source udp:514.
It appears as though SPLUNK is attaching another header before it goes out.

I have also attached all of the outputs stanzas at the end.

The log below is what's sent to the external logger from another host; there are multiple headers again.

external logger
Jan 29 16:52:32 esx.mydomain Jan 29 16:52:32 esx.mydomain 2016-01-29T21:52:32.963Z ESX.MYDOMAINVpxa: [FF96FB90 verbose 'hostdstats']

SPLUNK
Jan 29 16:52:32 esx.mydomain 2016-01-29T21:52:32.978Z ESX.MYDOMAIN Vpxa: [FF96FB90 verbose 'hostdstats'] Set internal stats for VM

OUTPUTS:

[tcpout]
maxQueueSize = 500KB
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
indexAndForward = false
autoLBFrequency = 30
blockOnCloning = true
compressed = false
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
heartbeatFrequency = 30
maxFailuresPerInterval = 2
secsInFailureInterval = 1
maxConnectionsPerIndexer = 2
forceTimebasedAutoLB = false
sendCookedData = true
connectionTimeout = 20 
readTimeout = 300
writeTimeout = 300 
useACK = false
#defaultGroup=nowhere

[syslog]
defaultGroup = 

[syslog:Everything]
disabled = true
timestampformat = %b %e %H:%M:%S
server = x.x.x.x:514

[syslog:ext_logger]
disabled = false
timestampformat = %b %e %H:%M:%S
server = x.x.x.x:514

0 Karma