Splunk Enterprise

Remove or disable the additional syslog header when using forwarding

giulia_casaldi
Explorer

Hi,

I am currently dealing with some logs being forwarded via syslog to a third party system. The question is if there is an option to prevent Splunk from adding an additional header to each message before it is forwarded. So there should be a way to disable the additional syslog header when using forwarding, so that the third party system receives the original message by removing the header.

Any ideas, can you give me a practical example?
I am trying to test by modifying the outputs.conf.

thanks,

Giulia

0 Karma
1 Solution

giulia_casaldi
Explorer

Hello everyone,
I found the solution with my team:
In addition to changing the outputs.conf by inserting the appropriate sourcetype, when the header was still not removed we followed this procedure:
we changed the template definition of the rsyslog file on all UFs, removing %TIMESTAMP% %HOSTNAME% (the ones that appear in the header) within the configuration.

bye,

G.

0 Karma

giulia_casaldi
Explorer

Hello, this is the current example of the outputs.conf, but the header is still not gone:

[tcpout-server://xxxx..xxx:9997]

[tcpout-server://yyy.yyy.yyy:9997]

[tcpout-server://zz.zzz.zzz:9997]

[tcpout:default-autolb-group]
server = xx.xxx.xxx:9997,yyy.yyy.yyy:9997,zz.zzz.zzz:9997
disabled = false

[syslog]
#defaultGroup = syslogGroup2

[syslog:syslogGroup1]
server = aa.aaa.aa.a.:514
type = udp
syslogSourceType = fortigate

[syslog:syslogGroup2]
server = bb.bbb.bbb:517
type = udp
syslogSourceType = fortigate

Can you give me an example of how I could fix it?

Thank you very much

Giulia

0 Karma

PaulPanther
Motivator

Please check the syslogSourceType and reconfigure it.

syslogSourceType = <string>
* Specifies an additional rule for handling data, in addition to that
  provided by the 'syslog' source type.
* This string is used as a substring match against the sourcetype key. For
  example, if the string is set to "syslog", then all sourcetypes
  containing the string 'syslog' receive this special treatment.
* To match a sourcetype explicitly, use the pattern
  "sourcetype::sourcetype_name".
    * Example: syslogSourceType = sourcetype::apache_common
* Data that is "syslog" or matches this setting is assumed to already be in
  syslog format.
* Data that does not match the rules has a header, optionally a timestamp
  (if defined in 'timestampformat'), and a hostname added to the front of
  the event. This is how Splunk software causes arbitrary log data to match syslog expectations.
* No default.

outputs.conf - Splunk Documentation
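As an added example (not Splunk's code and not the poster's configuration), here is a Python model of the syslogSourceType rule quoted above, run against a constructed outputs.conf shaped like the one posted in this thread. For a given sourcetype it reports, per [syslog:<group>] stanza, whether Splunk would still prepend its own header; the host names are placeholders, and case-sensitive substring matching is an assumption the quoted docs do not settle.

```python
import configparser
from typing import Dict, Optional

# Constructed outputs.conf modelled on the one posted above; the host names
# (.invalid TLD) are placeholders, not real indexers or syslog collectors.
SAMPLE_OUTPUTS_CONF = """
[tcpout:default-autolb-group]
server = idx1.example.invalid:9997,idx2.example.invalid:9997
disabled = false

[syslog]
#defaultGroup = syslogGroup2

[syslog:syslogGroup1]
server = collector1.example.invalid:514
type = udp
syslogSourceType = fortigate

[syslog:syslogGroup2]
server = collector2.example.invalid:517
type = udp
syslogSourceType = sourcetype::apache_common
"""

def matches_syslog_source_type(rule: Optional[str], sourcetype: str) -> bool:
    """Documented syslogSourceType rule: sourcetype 'syslog' is always treated
    as syslog-formatted; 'sourcetype::name' matches exactly that sourcetype;
    any other string is a substring match against the sourcetype key
    (case-sensitive here, which is an assumption; the docs do not say)."""
    if sourcetype == "syslog":
        return True
    if not rule:
        return False  # no rule set: everything else gets Splunk's header
    rule = rule.strip().strip('"')
    if rule.startswith("sourcetype::"):
        return sourcetype == rule[len("sourcetype::"):]
    return rule in sourcetype

def header_added_per_group(conf_text: str, sourcetype: str) -> Dict[str, bool]:
    """Map each [syslog:<group>] stanza to True when Splunk would prepend its
    own header (timestamp/hostname) to events with this sourcetype."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case, e.g. syslogSourceType
    parser.read_string(conf_text)
    result: Dict[str, bool] = {}
    for section in parser.sections():
        if section.startswith("syslog:"):  # skip [tcpout...] and bare [syslog]
            rule = parser.get(section, "syslogSourceType", fallback=None)
            result[section.split(":", 1)[1]] = not matches_syslog_source_type(rule, sourcetype)
    return result
```

If a group reports False yet a prefix still arrives at the third-party system, as happened in this thread, the remaining header is being added upstream of this setting (here, the rsyslog template on the UFs), not by the [syslog] output.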

giulia_casaldi
Explorer

Identifying the correct sourcetype removed only one part of the header; however, it still does not remove the priority and the other part of the header...
I had already tried that.
I thank you; do you have any other solutions?
Thank you,

Giulia

0 Karma

PaulPanther
Motivator

Please feel free to share your current outputs.conf.

If you use the [syslog] stanza to forward the data to your third-party system, no additional header should be added by Splunk.

Forward data to third-party systems - Splunk Documentation
