My CAS server sends this kind of event through syslog:

2014-07-04 10:00:01,527 INFO [] - Audit trail record BEGIN
WHO: audit:unknown
WHAT: ST-71914-GqsbHllVCbZDwi2gpdGe-cas3.domain.tld
WHEN: Fri Jul 04 10:00:01 CEST 2014
SERVER IP ADDRESS: cas.domain.tld

For an unknown reason, the line "WHEN: ..." is incorrectly assigned to host 'CEST'. The documentation about fixing an invalid host field is focused on correcting data incorrectly imported, not on fixing an extraction error on the fly.

Given that it's a syslog source type, is there a way to force the 'host' value to be the one from the dedicated syslog element?

Your syslog extraction is following correct assumptions for the default syslog format. As a norm, syslog consists of single line records which are complete in themselves and generally take the form:

{date} {hostname/ip} {substance of syslog entry}

The auto-scan is "correctly" detecting the host name after a date entry for the default syslog type. You will need to override this source as a different sourcetype, and then tweak the extraction parameters.

Assuming that any date or host values found in the {substance of syslog entry} section should override corresponding values found in dedicated sections is indeed consistent with "last occurrence wins" behaviour, but isn't really meaningful here. Syslog format is often criticized for being under-structured, but this defeats even available structuration 🙂

Ok, I'll try to tweak the extraction parameters. Thanks for the advice.
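Why a "host follows the time" scan lands on 'CEST' for this event, as an added example that is not part of the original thread. The scanning regex is a simplified stand-in for the heuristic the answer describes, not Splunk's actual transform, and the syslog header line with its sender hostname is constructed for illustration.

```python
import re

# Payload lines copied from the event quoted in the question.
PAYLOAD = (
    "2014-07-04 10:00:01,527 INFO [] - Audit trail record BEGIN\n"
    "WHO: audit:unknown\n"
    "WHAT: ST-71914-GqsbHllVCbZDwi2gpdGe-cas3.domain.tld\n"
    "WHEN: Fri Jul 04 10:00:01 CEST 2014\n"
    "SERVER IP ADDRESS: cas.domain.tld\n"
)
# Constructed header: the post does not show the real syslog prefix or sender name.
HEADER = "Jul  4 10:00:01 cas3.domain.tld "
EVENT = HEADER + PAYLOAD

# Assumed heuristic: the word after any "...:SS " time fragment is taken as the host.
SCAN_RE = re.compile(r":\d\d\s+(\w[\w.\-]{2,})\s")

# Anchored alternative: trust only the header at the very start of the event
# (optional <PRI>, "Mon dd hh:mm:ss", then the sender hostname).
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) "
)


def scan_candidates(event):
    """Every token the unanchored scan would accept as a host, in order."""
    return SCAN_RE.findall(event)


def scanned_host(event):
    """Unanchored scan where the last occurrence wins, as the thread describes."""
    found = scan_candidates(event)
    return found[-1] if found else None


def header_host(event):
    """Host taken from the leading syslog header only; None if there is none."""
    m = HEADER_RE.match(event)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("scan candidates:", scan_candidates(EVENT))
    print("unanchored scan:", scanned_host(EVENT))
    print("anchored header:", header_host(EVENT))
```

The first payload line never matches the scan because its seconds are followed by ",527" rather than whitespace, so the only in-body candidate is the timezone token on the WHEN line.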

