syslog parsing...

a212830 · ‎02-01-2013

Hi,

I need to process a syslog feed, but only keep certain hosts, and throw the rest away.

I first setup the feed to process syslog and set the host to the incoming device, and everything looks ok.

However, once I add the piece to parse the syslog, the naming of the host reverts back to the name of the server where the forwarder is running (running a heavy forwarder). I'm not sure why that is happening. Here are my props.conf and transforms.conf:

props.conf:
[euc_syslogdata]
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
TIME_FORMAT = %b %d %H:%M:%S
NO_BINARY_CHECK = 1
TRANSFORMs = syslog-host,setnull,setparsing

transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = [vc-]
DEST_KEY = queue
FORMAT = indexQueue

[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?).\w+\s+)*[?(\w[\w.-]{2,})]?\s
FORMAT = host::$1

yannK · ‎02-01-2013

I see a typo :

TRANSFORMs = syslog-host,setnull,setparsing

should be

TRANSFORMS = syslog-host,setnull,setparsing

syslog parsing...

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Join the Conversation

syslog parsing...

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner