Getting Data In

Why is Host "localhost" when inputs.conf set-up to use custom name?

tbertran
New Member

Hi all,

I'm using a straightforward splunk install (no forwarder, no external input source) on my server. Below is an extract from my inputs.conf:

    [monitor:///private/var/log]
    disabled = false
    followTail = 1
    host = MyHostName
    ignoreOlderThan = 30d
    blacklist = (.bz2$|krb5kdc|appfirewall.log)
    index = logs
    crcSalt = <SOURCE>

Most of the events from this file show up correctly under the MyHostName host but a small portion shows up under localhost like this one:

May 1 14:34:34 localhost configd[14]: network configuration changed.

This is presumably happening because the word localhost appears in the event but I don't care what word appears in the event, I don't want the host name to be anything other than what I set in inputs.conf.

I'm hoping it can be solved without resorting to the transforms.conf, which feels like overkill for this simple issue.

Thanks for the help.

0 Karma

southeringtonp
Motivator

If most of your events are showing the correct host=MyHostName, then it sounds like you're already using transforms.conf to override a subset of the events. Splunk does this out-of-the-box for [syslog] and a few other sourcetypes, but you can disable it.

Check the sourcetypes of the incorrect events - they're probably all showing up as syslog or similar.

Try adding the following in props.conf:

[source::/private/var/log/*]
TRANSFORMS=
TRANSFORMS-host=

You may only need one of the two TRANSFORMS= lines above - most of the default host override use TRANSFORMS, but if you're running postfix, you'll also need to reset TRANSFORMS-host.

Edit:

There are two possible reasons why some events would show localhost and some MyHostName...

  1. Your raw syslog data contains localhost for some events, and MyHostName for others. Splunk is extracting the value it sees.

  2. Transform-based host assignment uses a regular expression to pull out the new value of hostname. If the regex doesn't match, it will fall back to using the value you set in the .conf files.

For more information on how overriding of the hostname works, take a look at:

    http://www.splunk.com/base/Documentation/4.2/Data/overridedefaulthostassignments

To see the default transforms used for syslog events, look in the following two files:

    $SPLUNK_HOME/etc/system/default/transforms.conf

    $SPLUNK_HOME/etc/system/default/props.conf

southeringtonp
Motivator

See edits above. It doesn't matter that you didn't set up a transform -- there's one in effect by default. The above instructions will turn it off. Field extraction based on the transform will take precedence over the value you set in inputs.conf. As for the ones that look right, either the transform isn't matching those events, or it's actually overriding it, but with the same value.

0 Karma
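The precedence the answer and the follow-up describe (a default, sourcetype-scoped host transform whose regex result wins over the inputs.conf host, with a fallback to the configured host when the regex does not match or the transform is disabled) can be modelled in a few lines. The script below is an added illustration written for this page, not code from the thread or from Splunk; the regex is a constructed stand-in for the shipped syslog host extraction in $SPLUNK_HOME/etc/system/default/transforms.conf, not the actual shipped pattern, and the sample events are constructed after the one in the question.

```python
import re

# Constructed approximation of a syslog host-extraction transform:
# "<Mon> <day> <hh:mm:ss> <host> <process>[pid]: ..." (assumption; the real
# default pattern in Splunk's transforms.conf is more permissive than this).
SYSLOG_HOST_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+"   # timestamp
    r"(?P<host>[\w\-.]+)\s+"                     # host field to extract
    r"\w+(?:\[\d+\])?:\s"                        # process[pid]: or process:
)


def extract_syslog_host(raw):
    """Return the host the transform would pull out of the event, or None
    when the regex does not match (the case where Splunk falls back to the
    host set in inputs.conf)."""
    match = SYSLOG_HOST_RE.match(raw)
    return match.group("host") if match else None


def assign_host(raw, sourcetype, configured_host, host_transform_enabled=True):
    """Model the precedence described in the thread.

    A matching transform-based extraction, when it is in effect for the
    event's sourcetype, overrides the inputs.conf host. Disabling the
    transform (TRANSFORMS= / TRANSFORMS-host= in props.conf) or a non-matching
    regex leaves the configured host in place.
    """
    if host_transform_enabled and sourcetype == "syslog":
        extracted = extract_syslog_host(raw)
        if extracted is not None:
            return extracted
    return configured_host


# Constructed sample events: the one from the question, one already carrying
# the configured host, and one with no host field at all.
SAMPLE_EVENTS = [
    "May 1 14:34:34 localhost configd[14]: network configuration changed.",
    "May 1 14:35:02 MyHostName kernel[0]: wake reason: RTC",
    "--- last message repeated 3 times ---",
]


def host_assignment_report(configured_host="MyHostName", sourcetype="syslog"):
    """Return {event: (host with default transform, host with it disabled)}
    so the two behaviours can be compared side by side."""
    return {
        raw: (
            assign_host(raw, sourcetype, configured_host, True),
            assign_host(raw, sourcetype, configured_host, False),
        )
        for raw in SAMPLE_EVENTS
    }


if __name__ == "__main__":
    for raw, (with_transform, without_transform) in host_assignment_report().items():
        print(f"{raw[:45]:<45} transform on: {with_transform:<11} off: {without_transform}")
```

The second sample event shows the "overriding it, but with the same value" case from the follow-up: the transform matches and extracts MyHostName, so the result looks identical to the inputs.conf host. The third shows the regex fallback from reason 2 in the edit: nothing is extracted, so the configured host is kept even with the transform enabled.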

tbertran
New Member

Hi, thanks for your help. I'm only talking about the one file /private/var/log whose sourcetype is syslog. To clarify, most events for that one source will show a host name of MyHostName (because of my hardcoding the host in inputs.conf) and some events will show localhost as a hostname. I don't see why those events do not have a hostname of MyHostName.

0 Karma

southeringtonp
Motivator

To clarify - please edit your question and say what the sourcetypes are for your incorrect data. Splunk has default transforms.conf entries for syslog events that will be in effect unless you have explicitly turned them off (see $SPLUNK_HOME/etc/system/default/transforms.conf).

0 Karma

tbertran
New Member

Thanks for your response. No, I'm not using transforms.conf, the host name is set in inputs.conf as shown in my original post and it mostly works but I can't explain why it doesn't always work.

0 Karma