Syslog Server to Splunk showing incorrect host - During Splunk test before implementation

j666gak
Communicator

Currently at the company I work for we are running a trial of Splunk for a couple of months to check that it meets our requirements.

Currently all events are being forwarded on to the Splunk server directly from the syslog server, meaning that the syslog server is seen as the host on every occasion. Is there any way this can be changed to the end host name?

In the example entry below, the second IP in bold is the host that should be listed as the host within Splunk instead of the syslog server. Is there any way to change this? It would only be for the duration of the test, and I understand the syslog should be going directly to Splunk, but I hope there is a way to resolve this in the meantime.

Mar 19 13:57:37 172.X.X.X Mar 19 13:57:39 172.X.X.X auditd: date="2012-03-19 13:57:39 +0000",fac=f_kernel_ipfilter,area=a_general_area,type=t_nettraffic,pri=p_major,hostname=server.domain.com,event="session end",application=ALL-TCP-UDP,netsessid=e0e4a4f673b53,srcip=172.X.X.X,srcport=0000,srczone=rDMZ_VLAN401,protocol=6,dstip=192.168.1.1,dstport=0000,dstzone=DMZ_VLAN,bytes_written_to_client=0,bytes_written_to_server=0,rule_name="WAN Sites to XXXXX",cache_hit=0,start_time="2012-03-19 13:57:39 +0000"

host=SYSLOG SERVER
sourcetype=syslog
source=udp:514

Appreciate any help
Thanks

1 Solution

Ayn
Legend

Sure.

For the syslog sourcetype, Splunk already does something similar to this. Just that you seem to have another layer of syslog host forwarding going on. 🙂
By default, logs with sourcetype syslog get the transform syslog-host applied to them. This is what it looks like (it's available in $SPLUNK_HOME/etc/system/default/transforms.conf):

[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1

If you want this transform to work differently, just redefine it (for instance in $SPLUNK_HOME/etc/system/local/transforms.conf). This transform should work in your case (I can't guarantee it's totally bulletproof though):

[syslog-host]
DEST_KEY = MetaData:Host
REGEX = ^(?:\S+\s+){7}(\S+)
FORMAT = host::$1

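As an added illustration (not part of the thread, and not Splunk's own code), the Python script below runs the stock [syslog-host] REGEX and Ayn's replacement REGEX, exactly as quoted above, over constructed sample lines, so you can see why the default captures the relay and the replacement captures the original sender. It also shows one weakness of counting seven tokens: a line that arrives without the relay header gets a piece of the message body as its host. The third pattern, DOUBLE_HEADER, is a hypothetical stricter alternative that I am proposing here; it requires two BSD-syslog timestamps and simply does not match single-header lines, which in Splunk leaves the host field as the input assigned it. The IPs, the hostname fw1.example.com and the function names are assumptions for the example.

```python
import re

# Stock [syslog-host] REGEX from $SPLUNK_HOME/etc/system/default/transforms.conf
# (copied from Ayn's answer above).
DEFAULT_SYSLOG_HOST = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s"
)

# Ayn's replacement: skip seven whitespace-delimited tokens, capture the eighth.
SKIP_SEVEN_TOKENS = re.compile(r"^(?:\S+\s+){7}(\S+)")

# Hypothetical stricter alternative (my assumption, not from the thread):
# only fires when two BSD-syslog timestamps are present, i.e. the line was relayed.
TS = r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d"
DOUBLE_HEADER = re.compile(rf"^{TS}\s+\S+\s+{TS}\s+(\S+)\s")

# Constructed sample lines modelled on the event in the question.
# 172.16.0.5 plays the syslog relay, 172.16.40.12 the firewall that generated the event.
RELAYED = (
    'Mar 19 13:57:37 172.16.0.5 Mar 19 13:57:39 172.16.40.12 auditd: '
    'date="2012-03-19 13:57:39 +0000",fac=f_kernel_ipfilter,'
    'hostname=fw1.example.com,event="session end"'
)
# Same event if the firewall sent it straight to Splunk (no relay header).
DIRECT = (
    'Mar 19 13:57:39 172.16.40.12 auditd: '
    'date="2012-03-19 13:57:39 +0000",fac=f_kernel_ipfilter,'
    'hostname=fw1.example.com,event="session end"'
)
# Relayed line early in the month: BSD syslog pads the day with a space.
PADDED = (
    'Mar  9 03:07:01 172.16.0.5 Mar  9 03:07:03 172.16.40.12 auditd: '
    'date="2012-03-09 03:07:03 +0000",fac=f_kernel_ipfilter'
)


def extract_host(pattern, line):
    """Return what the transform would write into host:: for this line,
    or None when the REGEX does not match (Splunk then leaves host untouched)."""
    m = pattern.search(line)
    return m.group(1) if m else None


def resolve_host(line, connection_host):
    """Mimic the stricter transform end to end: use the original sender when the
    line carries a double header, otherwise keep the host the input assigned
    (normally the IP or name of whoever opened the UDP/TCP connection)."""
    host = extract_host(DOUBLE_HEADER, line)
    return host if host is not None else connection_host


if __name__ == "__main__":
    for name, line in (("RELAYED", RELAYED), ("DIRECT", DIRECT), ("PADDED", PADDED)):
        print(name)
        print("  default   :", extract_host(DEFAULT_SYSLOG_HOST, line))
        print("  skip-seven:", extract_host(SKIP_SEVEN_TOKENS, line))
        print("  strict    :", extract_host(DOUBLE_HEADER, line))
```

Two things to keep in mind when putting a redefined [syslog-host] into production: the transform is only applied because the default props.conf [syslog] stanza carries TRANSFORMS = syslog-host, so events that land with another sourcetype are unaffected, and it is an index-time setting, so it needs a Splunk restart and only changes events indexed after that point.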

mikelanghorst
Motivator

There's a default transform available to strip the syslog header (date and host) from a syslog event: [syslog-header-stripper-ts-host]. Thought I was using this already for an exact example, but this should work. Assuming your syslog file is /my/folder/messages:

In a props.conf entry:
[source::/my/folder/messages]
TRANSFORMS-my_syslog=syslog-header-stripper-ts-host


bambarit
Explorer

Sure, it will replace the "host" field based on the regex, but how do I keep the hostname of the forwarder in a new field?


j666gak
Communicator

That worked great, thanks for the help Ayn
