
Configuring Splunk syslog server - where to find the server?

DavidHourani
Super Champion

Hello Splunkers,

Does anyone know where to find the syslog server configuration for Splunk?

I need to change the fields that are added by Splunk when it receives the data. I am getting the timestamp+hostname added by the syslogd, but instead I need to add timestamp+IP. I am currently using UDP syslog. I tried modifying the "host" and "connection_host" in the inputs.conf, but nothing seems to change; I keep getting the VIP name as hostname. The indexer is currently receiving on port 514 and it is a Windows server.

Regards,
David

1 Solution

DavidHourani
Super Champion

Hello Splunkers,

This took me a while to figure out and I couldn't find it documented besides in a comment on the answer https://answers.splunk.com/answers/153831/cannot-change-host-field-in-syslog-data.html (if anyone does find the doc for it please link it here)...
When the sourcetype syslog is used, the host field value is extracted automatically from the data regardless of what is configured as host or connection_host in the inputs.conf. The syslog sourcetype takes the value that is right after the date in the message and considers it the host.
The solution was simply to use a different sourcetype name for the UDP input and then apply the connection_host=ip configuration.

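The accepted answer above, written out as the two configuration stanzas it implies. This is an added example, not the configuration from the original post; the `[udp://514]` stanza name, the sourcetype name `mysyslog` and the description text are assumptions, while the `[syslog]` defaults and the `syslog-host` transform name come from Splunk's own `$SPLUNK_HOME/etc/system/default/props.conf` and `transforms.conf`.

```ini
# ---- inputs.conf (on the indexer that listens on UDP 514) ----
#
# Weak: the built-in "syslog" sourcetype carries TRANSFORMS = syslog-host,
# which overwrites host with the token that follows the timestamp in each
# message, so connection_host is silently ignored for this input.
#[udp://514]
#sourcetype = syslog
#connection_host = ip

# Corrected: a custom sourcetype name means syslog-host never runs, and the
# input stamps host with the sender's IP address instead.
[udp://514]
sourcetype = mysyslog
connection_host = ip

# ---- props.conf ($SPLUNK_HOME/etc/system/local/props.conf) ----
#
# Copy of the default [syslog] stanza minus the "TRANSFORMS = syslog-host"
# line, so timestamp parsing and the syslog-extractions field extractions
# are kept and only the host rewrite is dropped.
[mysyslog]
pulldown_type = true
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False
category = Operating System
description = syslog with host set to the sending IP address rather than the hostname in the message
```

One caveat: connection_host = ip records the address the datagram arrived from. If devices send through a load balancer VIP or a relay, that is the VIP's or relay's address, not the originating device's, and a syslog daemon in front of Splunk that writes per-sender files from the sender address (the rsyslog %fromhost-ip% approach shown later in this thread) is the more reliable way to keep the real source.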


sshelly_splunk
Splunk Employee

I think this might solve your problem. In inputs.conf for this input, set
connection_host=ip
Are you sure the data coming in has IP addresses and not hostnames in the events?


DavidHourani
Super Champion

Hello sshelly,
Thank you for your reply.
I am using UDP and connection_host is a TCP parameter. Also, I tried changing the "host" field in the input and setting it to random values and it wasn't taken into consideration by Splunk.


sshelly_splunk
Splunk Employee

David - I checked the inputs.conf spec, and if you go down to look at the UDP section, connection_host is there as an option as well. Can you possibly share your current inputs.conf?


gjanders
SplunkTrust

As per sshelly's comment, connection_host should fix your issue. If you want more flexibility you might consider something like syslog-ng; I have provided an example here.


DavidHourani
Super Champion

None of this is working. My question is about the syslog config file in Splunk, like the "syslog.conf" file on Linux. I want to find the root configuration for the syslog that Splunk is running.


hardikJsheth
Motivator

There isn't any syslog.conf file in Splunk. I think Splunk starts a process which listens on a specific port for TCP/UDP connections.

In addition to what others have suggested, we have used props/transforms to selectively update the index/sourcetype depending on a specific condition.

    props.conf
    [syslog]
    TRANSFORMS-feye = fytest

    transforms.conf
    [fytest]
    # REGEX runs against _raw by default, so the sending IP must appear in the event text.
    # Dots are escaped so "." matches a literal dot rather than any character; a second
    # REGEX key in the same stanza would override the first, so the two lists are merged.
    REGEX = 10\.35\.136\.(?:89|9[01])|10\.39\.132\.(?:6[89]|70)
    DEST_KEY = _MetaData:Index
    FORMAT = abc

sshelly_splunk
Splunk Employee

I am sorry. I didn't think of the "default" syslog sourcetype (as garethatiag pointed out). I would copy the syslog sourcetype (found in $SPLUNK_HOME/etc/system/default/props.conf) and paste the following into $SPLUNK_HOME/etc/system/local/props.conf. You may need to "play" with it a bit, but I think that should suffice.

[mynewsyslog]
pulldown_type = true
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
# Remove the following line from the copied stanza; it is the transform that
# overwrites host with the hostname found after the timestamp in the message:
# TRANSFORMS = syslog-host
#
# connection_host = ip is an inputs.conf setting, not a props.conf one: put it in
# the UDP 514 input stanza that uses sourcetype = mynewsyslog.
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False
category = Operating System
description = Mysyslog sourcetype to accommodate ip for host as opposed to hostname for host

DavidHourani
Super Champion

Dude, don't say you're sorry lol, you rock, thank you very much for your help 😄


nagarjunay
Observer

# rsyslog templates: one file per sending address. %fromhost-ip% is the source
# address of the UDP datagram, so the path carries the IP rather than the
# hostname written inside the message.
template(name="trendmicro" type="string" string="/PROD/trendmicro/%fromhost-ip%/trendmicro.log")
template(name="asa" type="string" string="/PROD/asa/%fromhost-ip%/asa.log")
# a "fireeye" dynafile template is referenced below but was not included in this post

ruleset(name="remote-udp") {
    # prefix matches need startswith; == would only match the exact address
    if $fromhost-ip startswith '10.100.' then { action(type="omfile" dynafile="trendmicro") }
    if $fromhost-ip startswith '10.0.4' then { action(type="omfile" dynafile="trendmicro") }
    # note: 10.0.4x senders also match the '10.0.' prefix here and are written to both files
    if $fromhost-ip startswith '10.135.' or $fromhost-ip startswith '10.0.' then { action(type="omfile" dynafile="asa") }
    if $fromhost-ip startswith '10.19' then { action(type="omfile" dynafile="fireeye") }
    stop
}

# bind the ruleset to the UDP listener and activate it:
input(type="imudp" port="514" ruleset="remote-udp")

# message format written to the files below
template(name="rsyslog-fmt" type="string"
    string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
)

template(name="Checkpoint" type="string" string="/var/log/splunk/Checkpoint/%HOSTNAME%/checkpoint.log")
template(name="Checkpoint_sys" type="string" string="/var/log/splunk/Checkpoint_sys/%HOSTNAME%/checkpoint.log")
template(name="F5" type="string" string="/var/log/splunk/F5/%HOSTNAME%/f5_waf.log")

ruleset(name="network-logs") {
    #if $HOSTNAME startswith "SCMD-SPL-DEPS" then { action(type="omfile" dynafile="test" template="rsyslog-fmt") stop }
    #if $fromhost-ip startswith "10.40.71" then { action(type="omfile" dynafile="test" template="rsyslog-fmt") stop }

    # catch-all for everything not matched above; the "rsyslog-fmt-unc" template
    # is not defined in this post and must exist before rsyslog will start
    action(type="omfile" file="/var/log/splunk/uncategorised.log" template="rsyslog-fmt-unc") stop
}

#input(type="imtcp" port="514" ruleset="network-logs")
