Getting Data In

Syslog Server to Splunk showing incorrect host - During Splunk test before implementation

j666gak
Communicator

Currently at the company I work for we are running a trial on Splunk for a couple of months to check that it meets our requirements.

Currently all events are being forwarded on to the Splunk server directly from the syslog server, meaning that the syslog server is seen as the host on every occasion. Is there any way this can be changed to the end host name?

In the example entry below, the second IP in bold is the host that should be listed as the host within Splunk instead of the syslog server. Is there any way to change this? It would only be for the duration of the test, and I understand the syslog should be going directly to Splunk, but I hope there is a way to resolve this in the meantime.

Mar 19 13:57:37 172.X.X.X Mar 19 13:57:39 172.X.X.X auditd: date="2012-03-19 13:57:39 +0000",fac=f_kernel_ipfilter,area=a_general_area,type=t_nettraffic,pri=p_major,hostname=server.domain.com,event="session end",application=ALL-TCP-UDP,netsessid=e0e4a4f673b53,srcip=172.X.X.X,srcport=0000,srczone=rDMZ_VLAN401,protocol=6,dstip=192.168.1.1,dstport=0000,dstzone=DMZ_VLAN,bytes_written_to_client=0,bytes_written_to_server=0,rule_name="WAN Sites to XXXXX",cache_hit=0,start_time="2012-03-19 13:57:39 +0000"

host=SYSLOG SERVER
sourcetype=syslog
source=udp:514

Appreciate any help
Thanks

0 Karma
1 Solution

Ayn
Legend

Sure.

For the syslog sourcetype, Splunk already does something similar to this. Just that you seem to have another layer of syslog host forwarding going on. 🙂
By default, logs with sourcetype syslog get the transform syslog-host applied to them. This is what it looks like (it's available in $SPLUNK_HOME/etc/system/default/transforms.conf):

[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1

If you want this transform to work differently, just redefine it (for instance in $SPLUNK_HOME/etc/system/local/transforms.conf). This transform should work in your case (I can't guarantee it's totally bulletproof though):

[syslog-host]
DEST_KEY = MetaData:Host
REGEX = ^(?:\S+\s+){7}(\S+)
FORMAT = host::$1

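Added example (not part of the thread and not Splunk's own code): a small Python harness that runs the two REGEX values from Ayn's answer over constructed sample events, so the host extraction can be checked before the redefined transform is dropped into $SPLUNK_HOME/etc/system/local/transforms.conf. The IP addresses, the sshd message and the shortened auditd payload are made up; Python's re module is used as a stand-in for Splunk's regex engine, which is adequate for these two patterns.

```python
import re

# Constructed sample events (addresses and messages are made up, not from the thread).
# RELAYED_EVENT has the double syslog header the question describes: the relay's
# timestamp and IP first, then the originating host's timestamp and IP, then the message.
RELAYED_EVENT = (
    "Mar 19 13:57:37 172.16.0.10 Mar 19 13:57:39 172.16.1.20 auditd: "
    'date="2012-03-19 13:57:39 +0000",fac=f_kernel_ipfilter,type=t_nettraffic'
)
# DIRECT_EVENT has a single header, as an event looks when a device sends straight to Splunk.
DIRECT_EVENT = (
    "Mar 19 13:57:39 172.16.1.20 sshd[1234]: Accepted publickey for alice "
    "from 10.0.0.5 port 4242"
)

# The two REGEX values quoted in the answer, copied unchanged.
# The default one looks for the first "HH:MM:SS " and takes the word-like token after it,
# which on a relayed event is the relay's own address.
DEFAULT_SYSLOG_HOST_REGEX = (
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s"
)
# The replacement skips seven whitespace-separated tokens (two "Mon DD HH:MM:SS" headers
# plus the relay IP) and takes the eighth: the originating host.
RELAY_SYSLOG_HOST_REGEX = r"^(?:\S+\s+){7}(\S+)"
HOST_FORMAT = "host::$1"


def extract_host(regex, event):
    """Return capture group 1 of the first match, or None if the regex does not match.

    Splunk transform REGEX values are unanchored searches, so re.search approximates them.
    """
    m = re.search(regex, event)
    return m.group(1) if m else None


def apply_transform(regex, fmt, event):
    """Expand a Splunk-style FORMAT such as 'host::$1' with the captured host."""
    host = extract_host(regex, event)
    if host is None:
        return None
    return fmt.replace("$1", host)


if __name__ == "__main__":
    for label, event in (("relayed", RELAYED_EVENT), ("direct", DIRECT_EVENT)):
        print(label)
        print("  default syslog-host ->", apply_transform(DEFAULT_SYSLOG_HOST_REGEX, HOST_FORMAT, event))
        print("  redefined syslog-host ->", apply_transform(RELAY_SYSLOG_HOST_REGEX, HOST_FORMAT, event))
```

Running it shows the default transform assigning host::172.16.0.10 (the relay) to the relayed event while the redefined one assigns host::172.16.1.20 (the originating device). The direct event is the caveat Ayn points to: the fixed token count takes the eighth token of a single-header line, here the word "for", so the redefined transform should only be applied to the source or sourcetype that actually carries the double header, since a wrong host field is what searches and investigations later pivot on.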

mikelanghorst
Motivator

There's a default transform available to strip the syslog header (date and host) from a syslog event: [syslog-header-stripper-ts-host]. Thought I was using this already for an exact example, but this should work. Assuming your syslog file is /my/folder/messages:

In a props.conf entry:
[source::/my/folder/messages]
TRANSFORMS-my_syslog=syslog-header-stripper-ts-host

0 Karma

bambarit
Explorer

Sure, it will replace the "host" field based on the regex, but how can I keep the hostname of the forwarder in a new field?

0 Karma

j666gak
Communicator

That worked great, thanks for the help Ayn

0 Karma