
rfc5424_syslog

0acid0
New Member

Hi,

I installed the "Security Intelligence for Vormetric Data Firewall (TM)" app on our running Splunk system and I want to use the predefined tcp://5524 source.

inputs.conf

[tcp://5514]
disabled = false
index = myindex
connection_host = dns
sourcetype = rfc5424_syslog

If I now try to search the sourcetype "rfc5424_syslog" I get no results.
A search for "source=tcp:5541" shows the sourcetype "syslog" for the Vormetric data.

Does Splunk overwrite the sourcetype? Why is it syslog and not rfc5424_syslog? In inputs.conf the sourcetype is correct. Because of this issue the Vormetric app doesn't work.

I hope somebody has an idea. Thanks in advance.

Regards, Arne


steveta_uk
Explorer

The Vormetric app includes the definitions for rfc5424_syslog so no other apps are required.

There is a test for valid rfc5424 format in the default/transforms.conf installed with the app, which looks like this:


[test_for_syslog]
REGEX = ^<\d+>[^1]
FORMAT = sourcetype::syslog
DEST_KEY = MetaData:Sourcetype

What this does is validate the syslog header against the definition, which you can see here:

http://tools.ietf.org/html/rfc5424

If the header doesn't match, this rule changes the format back to plain syslog, which may be what you are seeing.

How did you generate the RFC5424 format? Have you selected it in the server or agent log setup?

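To see what that transform does to concrete events, here is an added Python example (not part of the Vormetric app or of the answer above) that applies the same regex to an RFC 5424 message, a legacy BSD-style message, and a message with no PRI at all; the sample events are constructed for this example.

```python
import re

# Mirror of the app's [test_for_syslog] transform: a PRI field followed by
# anything other than the RFC 5424 VERSION "1" is treated as legacy syslog
# and the sourcetype is rewritten to "syslog".
TEST_FOR_SYSLOG = re.compile(r"^<\d+>[^1]")

# Stricter RFC 5424 header shape: <PRI>1 SP TIMESTAMP SP HOSTNAME SP ...
RFC5424_HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) ")

# Constructed sample events (the first follows the example in RFC 5424 section 6.5).
RFC5424_EVENT = ("<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
                 "'su root' failed for lonvick on /dev/pts/8")
BSD_EVENT = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
NO_PRI_EVENT = "2003-10-11T22:14:15Z mymachine app: relayed without a PRI header"


def classify(raw: str, input_sourcetype: str = "rfc5424_syslog") -> str:
    """Return the sourcetype Splunk ends up with after the transform runs.

    Note the caveat this exposes: an event with no PRI at all never matches
    the regex, so it keeps the input's sourcetype even though it is not
    valid RFC 5424 either.
    """
    if TEST_FOR_SYSLOG.match(raw):
        return "syslog"
    return input_sourcetype


def pri_fields(raw: str):
    """Split the PRI of a well-formed RFC 5424 header into (facility, severity).

    Returns None when the header does not have the RFC 5424 shape.
    """
    m = RFC5424_HEADER.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8  # RFC 5424 section 6.2.1: PRI = facility * 8 + severity


if __name__ == "__main__":
    for event in (RFC5424_EVENT, BSD_EVENT, NO_PRI_EVENT):
        print(f"{classify(event):<16} {pri_fields(event)}  {event[:40]}...")
```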

dmillis
Splunk Employee

What other apps have you installed? For example, have you installed the 'rfc5424' app? I suspect that other inputs and/or props entries are conflicting with what you created. You can use btool (http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurati...) to determine where the various properties are coming from, using something like this:

splunk cmd btool props list --debug | more

(and then look for the stanzas containing 5541, and the associated properties). The Splunk on Splunk (SoS) app has a prettier UI for investigating these sorts of configuration issues.


kaufmanm
Communicator

Try changing the sourcetype in props.conf:

e.g. this stanza:

[source::tcp:5541]
sourcetype = rfc5424_syslog

http://answers.splunk.com/answers/39176/change-the-syslog-sourcetype


0acid0
New Member

Thanks for the help, but it doesn't work.

I tried

[source::tcp:5541]
sourcetype = rfc5424_syslog

and

[source::host:xx.xxx.xx.xxx]
sourcetype = rfc5424_syslog

as well... but no change happened... 😕

Which props.conf should I use... the app's props.conf or system/local/props.conf?
