To receive RFC3164-compliant syslog output from Splunk (specifically, to have a time stamp included in each forwarded event), you must set the timestampformat key in the [syslog:<target>] stanza of outputs.conf. From outputs.conf.spec:
timestampformat = <format>
* If specified, the formatted timestamps are added to the start of events forwarded to syslog.
* As with the priority settings above, this logic is only applied when the data is not already syslog, i.e. its source type is neither "syslog" nor one matched by syslogSourceType.
* The format is a strftime-style timestamp formatting string. This is the same implementation used in the 'eval' search command, splunk logging, and other places in splunkd.
* For example: %b %e %H:%M:%S
* %b - Abbreviated month name (Jan, Feb, ...)
* %e - Day of month
* %H - Hour
* %M - Minute
* %S - Second (note: upper-case; lower-case %s is seconds since the epoch)
* For a more exhaustive list of the formatting specifiers, refer to the online documentation.
* Note that the string is not quoted.
* Defaults to unset, which means that no timestamp will be inserted into the front of events.
Test configuration (tested with Splunk 4.3 only):
outputs.conf:
[syslog:syslog_out]
server = syslog.splunk.com:514
type = tcp
timestampformat = %b %e %H:%M:%S
props.conf:
[syslog_test]
TRANSFORMS-routing = syslog_routing
transforms.conf:
[syslog_routing]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_out
With this configuration, every event with sourcetype "syslog_test" is routed to syslog host "syslog.splunk.com" on TCP port 514. The default priority value of 13 is used; since PRI = facility * 8 + severity, <13> decodes to facility 1 (user) and severity 5 (notice), i.e. "user.notice" (not "user.info", which would be <14>). The formatted time stamp is prepended to each event.
Example:
On the server hosting the Splunk instance:
[root@beefysup01 43]# cat ../sources/test.log
This is a sample syslog event
[root@beefysup01 43]# $SPLUNK_HOME/bin/splunk add oneshot ../sources/test.log -sourcetype syslog_test
Oneshot '/home/octavio/sources/test.log' added
On the server receiving the forwarded syslog messages, using netcat to listen for the events:
[root@syslog.splunk.com:/]# nc -kl 514
<13>Jan 25 19:52:07 beefysup01 This is a sample syslog event
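To confirm that what arrives on the receiver really is RFC3164-shaped (PRI in range, a "%b %e %H:%M:%S" time stamp, then a hostname), the following checker is an added example and not code from the post or from Splunk. The sample lines are constructed (the first mirrors the netcat output above, the second is what you get when timestampformat is left unset), and the facility/severity name tables and the regex are this example's own assumptions about the RFC3164 header layout.

```python
"""Check that syslog lines forwarded by Splunk carry an RFC 3164 header."""
import re
from datetime import datetime

# Header layout produced by timestampformat = %b %e %H:%M:%S:
#   <PRI>Mmm dd HH:MM:SS hostname message
# %e pads a single-digit day with a space, hence "[ \d]\d" for the day.
RFC3164_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Facility codes 0..23 and severity codes 0..7 as listed in RFC 3164 (assumed names).
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """Split a PRI value into (facility_name, severity_name); PRI = facility*8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITY_NAMES[pri // 8], SEVERITY_NAMES[pri % 8]


def parse_rfc3164(line):
    """Parse one received line; return its fields, or {'error': reason} if non-compliant."""
    m = RFC3164_LINE.match(line)
    if not m:
        # Typical cause: timestampformat unset, so Splunk sends "<PRI>host message".
        return {"error": "no RFC 3164 header (missing or malformed timestamp)", "line": line}
    pri = int(m.group("pri"))
    try:
        facility, severity = decode_pri(pri)
    except ValueError as exc:
        return {"error": str(exc), "line": line}
    # strptime's %d accepts the space-padded day that %e emits.
    try:
        datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    except ValueError:
        return {"error": "timestamp does not parse", "line": line}
    return {
        "pri": pri,
        "facility": facility,
        "severity": severity,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def check_lines(lines):
    """Run the parser over every line and return the per-line results."""
    return [parse_rfc3164(line) for line in lines]


# Constructed sample input, not captured from a real Splunk instance.
SAMPLE_LINES = [
    "<13>Jan 25 19:52:07 beefysup01 This is a sample syslog event",  # shape shown in the post
    "<13>beefysup01 This is a sample syslog event",                  # timestampformat unset
    "<14>Feb  5 09:01:02 beefysup01 user.info with a space-padded day",
    "<200>Jan 25 19:52:07 beefysup01 PRI above 191 is invalid",
]

if __name__ == "__main__":
    for result in check_lines(SAMPLE_LINES):
        print(result)
```

Running the script prints one dict per sample line; the line without a time stamp and the line with PRI 200 come back with an "error" key, and <13> decodes to user.notice rather than user.info. To check a live stream, pipe the netcat output into the script line by line instead of using SAMPLE_LINES.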
Note: I was unable to make this configuration work in versions earlier than Splunk 4.3. There are reports that this specific feature can fail in certain scenarios in 4.2.x. If you need this feature to work, please upgrade to Splunk 4.3.