Hi,
I have a central syslog server, collecting auth.* messages from many Linux hosts in the /var/log/secure file. Then they are forwarded to Splunk by a Universal Forwarder.
The problem is that Splunk sees all these messages with host = "syslog server".
What's the simplest method to use the real originating host, that is always present after date/time:
Jun 23 17:52:36 host01 sshd[12447]: pam_unix(sshd:session): session opened for user jsmith by (uid=0)
If you use the "syslog" sourcetype, then the host should be extracted from the events.
To understand the mechanism, look at the [syslog] stanza in $SPLUNK_HOME/etc/default/props.conf
and the [syslog-host] stanza in $SPLUNK_HOME/etc/default/transforms.conf:
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1
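To see what the [syslog-host] transform quoted above actually does to a line, here is the same REGEX run with Python's re module over the asker's sample line plus a few constructed ones. This is an added example, not code from the thread or from Splunk; the hostnames, the "syslogsrv" default and all lines except the first are made up for illustration. Splunk uses PCRE, but nothing in this pattern is PCRE-specific, so Python matches it the same way.

```python
import re

# Splunk's default [syslog-host] REGEX from $SPLUNK_HOME/etc/default/transforms.conf,
# copied from the stanza quoted in the answer above.
SYSLOG_HOST_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s"
)


def extract_host(event, default_host):
    """Return the host Splunk would assign to this event under [syslog-host].

    DEST_KEY = MetaData:Host with FORMAT = host::$1 overwrites the host field
    with capture group 1 when REGEX matches. When it does not match, the host
    stays whatever the input assigned it (here: the relaying syslog server).
    """
    m = SYSLOG_HOST_REGEX.search(event)
    return m.group(1) if m else default_host


# Constructed sample lines (only the first one is from the original post).
SAMPLE_EVENTS = [
    # the asker's own example line, rejoined onto one line
    "Jun 23 17:52:36 host01 sshd[12447]: pam_unix(sshd:session): "
    "session opened for user jsmith by (uid=0)",
    # facility.severity label inserted before the host, as some relays emit it;
    # the (?:user|daemon|local.?)\.\w+ alternative skips over it
    "Jun 23 17:52:37 daemon.info web-02 sshd[2201]: "
    "Accepted publickey for ops from 10.0.0.5 port 51000 ssh2",
    # RFC 3164 <PRI> prefix left in the line; a dotted FQDN is still one token
    "<86>Jun 23 17:52:38 db.internal.example sudo: jsmith : TTY=pts/0 ; "
    "PWD=/home/jsmith ; COMMAND=/bin/ls",
    # failure mode: (\w[\w\.\-]{2,}) needs at least three characters, so a
    # two-letter hostname never matches and the relay's host name is kept
    "Jun 23 17:52:39 db sshd[77]: Failed password for invalid user admin "
    "from 203.0.113.9 port 4022 ssh2",
]


def host_table(events, default_host="syslogsrv"):
    """Map each event to the host the transform would assign it."""
    return {e: extract_host(e, default_host) for e in events}


if __name__ == "__main__":
    for event, host in host_table(SAMPLE_EVENTS).items():
        print(f"{host:<22} {event[:60]}")
```

Two points worth keeping in mind when applying this to forwarded data. First, TRANSFORMS with DEST_KEY = MetaData:Host run at index (parsing) time, so for events coming from a Universal Forwarder they take effect on the indexer or heavy forwarder that parses them, not on the UF itself; that is where the sourcetype-to-transform mapping has to be present. Second, as the last sample shows, any line the REGEX does not match silently keeps the relay's host, so it pays to search for host=<your syslog server> after the change and look at what is left over.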
I tried on a test Splunk server, loading the /var/log/secure file from the central syslog server directly, and it works 😉
Now how can I correct the behaviour on the production Splunk server, which receives the forwarded events?
Inputs are in inputs.conf (in $SPLUNK_HOME/etc/apps/
Try changing the sourcetype to syslog to get the extraction.
OK, in fact they are currently indexed with the "linux_secure" sourcetype.
Where are the inputs for forwarded events defined (I'm a newbie)?