Hi,
I am currently dealing with some logs being forwarded via syslog to a third-party system. The question is whether there is an option to prevent Splunk from adding an additional header to each message before it is forwarded. There should be a way to disable the additional syslog header when using forwarding, so that the third-party system receives the original message with the header removed.
Any ideas? Can you give me a practical example?
I am trying to test by modifying the outputs.conf.
thanks,
Giulia
Hello everyone,
I found the solution with my team:
In addition to changing the outputs.conf by inserting the appropriate sourcetype, since the header was still not removed we followed this procedure:
we changed the template definition in the rsyslog file on all UFs, removing %TIMESTAMP% %HOSTNAME% (the one that appears in the header) from the configuration.
bye,
G.
Hello, this is the current example of the outputs.conf, but still the header is not gone:
[tcpout-server://xxxx..xxx:9997]
[tcpout-server://yyy.yyy.yyy:9997]
[tcpout-server://zz.zzz.zzz:9997]
[tcpout:default-autolb-group]
server = xx.xxx.xxx:9997,yyy.yyy.yyy:9997,zz.zzz.zzz:9997
disabled = false
[syslog]
#defaultGroup = syslogGroup2
[syslog:syslogGroup1]
server = aa.aaa.aa.a.:514
type = udp
syslogSourceType = fortigate
[syslog:syslogGroup2]
server = bb.bbb.bbb:517
type = udp
syslogSourceType = fortigate
Can you give me an example of how I could fix it?
Thank you very much
Giulia
Please check the syslogSourceType and reconfigure it
syslogSourceType = <string>
* Specifies an additional rule for handling data, in addition to that provided by the 'syslog' source type.
* This string is used as a substring match against the sourcetype key. For example, if the string is set to "syslog", then all sourcetypes containing the string 'syslog' receive this special treatment.
* To match a sourcetype explicitly, use the pattern "sourcetype::sourcetype_name".
* Example: syslogSourceType = sourcetype::apache_common
* Data that is "syslog" or matches this setting is assumed to already be in syslog format.
* Data that does not match the rules has a header, optionally a timestamp (if defined in 'timestampformat'), and a hostname added to the front of the event. This is how Splunk software causes arbitrary log data to match syslog expectations.
* No default.
outputs.conf - Splunk Documentation
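The documentation quoted above says that events not matching syslogSourceType get a priority, an optional timestamp and a hostname prepended. A quick way to verify on the receiving side whether that is still happening is to parse each received line as an RFC 3164-style header and check whether the remaining message itself starts with another syslog header (the "double wrapping" that shows up when an already syslog-formatted event is forwarded through the [syslog] output). The following checker is an added example and is not code from this thread or from Splunk; it assumes the prepended header has the shape `<PRI>Timestamp Hostname ` (timestamp and hostname together or not at all), and the sample lines, including the priority values, are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed layout of the header prepended to non-matching events:
#   <PRI>            always present
#   TIMESTAMP HOST   optional, only consumed together (BSD-style timestamp)
# The rest of the line is treated as the original event.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    r"(?P<rest>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogHeader:
    facility: int
    severity: int
    timestamp: Optional[str]
    hostname: Optional[str]
    message: str  # everything after the header


def parse_header(line: str) -> Optional[SyslogHeader]:
    """Return the parsed header, or None if the line carries no <PRI> header."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 8 * 23 + 7 is the largest valid PRI value
        return None
    return SyslogHeader(
        facility=pri >> 3,
        severity=pri & 7,
        timestamp=m.group("ts"),
        hostname=m.group("host"),
        message=m.group("rest"),
    )


def is_double_wrapped(line: str) -> bool:
    """True when a header has been prepended to an event that already had one."""
    outer = parse_header(line)
    return outer is not None and parse_header(outer.message) is not None


def strip_outer_header(line: str) -> str:
    """Drop the outer header only when an inner syslog header is present."""
    outer = parse_header(line)
    if outer is None or parse_header(outer.message) is None:
        return line
    return outer.message


def audit(lines: List[str]) -> Dict[str, int]:
    """Count how many received lines are clean, wrapped, or not syslog at all."""
    counts = {"clean": 0, "double_wrapped": 0, "no_header": 0}
    for line in lines:
        if parse_header(line) is None:
            counts["no_header"] += 1
        elif is_double_wrapped(line):
            counts["double_wrapped"] += 1
        else:
            counts["clean"] += 1
    return counts


# Constructed sample input: one event that arrived untouched and one that was
# wrapped in an extra "<13>Jan  5 10:00:00 splunk-uf01 " header on the way out.
SAMPLE_LINES = [
    '<189>date=2024-01-05 time=10:00:00 devname="fw1" type="traffic" action="accept"',
    '<13>Jan  5 10:00:00 splunk-uf01 <189>date=2024-01-05 time=10:00:01 '
    'devname="fw1" type="traffic" action="deny"',
    "plain text event with no syslog header at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(is_double_wrapped(line), "|", strip_outer_header(line))
    print(audit(SAMPLE_LINES))
```

Running the checker over a capture from the third-party receiver gives a direct count of how many events still carry the extra header after each configuration change, which is easier to reason about than eyeballing raw lines. The outer-header strip is deliberately conservative: it only removes a header when a second one follows it, so events that legitimately carry a single header are left alone.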
Identifying the correct sourcetype removed only one part of the header; however, it still does not remove the priority and the other part of the header...
I had already tried that.
I thank you, do you have any other solutions?
Thank you,
Giulia
Please feel free to share your current outputs.conf.
If you use the [syslog] stanza to forward the data to your third-party system, no additional header should be added by Splunk.