Hi,
I have a network device that sends syslog messages to Splunk over UDP 514. The messages look like:
Wed Jun 13 17:37:09 2012: <182>receive event capwap disconnect: eventid = 88: length = 0
Wed Jun 13 17:37:46 2012: <182>[wifi]: wifi0: reduce CCA to 49
Wed Jun 13 17:37:51 2012: <182>CAPWAP: capwap predefine server name file isn't exist.
(these messages were captured using the tftpd32 syslog server)
When I receive these messages in Splunk I see that the string "<182>" is missing. I used the "Show source" option in the search view, and I got these messages:
Jun 13 17:37:09 213.96.11.95 receive event capwap disconnect: eventid = 88: length = 0
Jun 13 17:37:46 213.96.11.95 [wifi]: wifi0: reduce CCA to 49
Jun 13 17:37:51 213.96.11.95 CAPWAP: capwap predefine server name file isn't exist.
Does anyone know what's happening?
Regards,
To elaborate on the earlier answer:
By default, splunk strips the syslog priority from incoming syslog messages.
To stop this behavior, add "no_priority_stripping = true" to your syslog source.
There is an app on splunkbase, syslog_priority_lookup, that will extract this and create facility and severity fields at search time - very useful information.
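The "<182>" prefix that the answer says Splunk strips is the syslog PRI field, and the facility and severity fields that the syslog_priority_lookup app builds at search time are the two numbers packed into it (PRI = facility * 8 + severity). The following Python is an added example written for this thread; it is not code from the original posts or from the syslog_priority_lookup app. It decodes the PRI from lines modelled on the question's sample messages (the lines are constructed, not captured data), and it also handles a line whose PRI has already been stripped, which is what the question describes seeing in Splunk. The facility names are the standard RFC 3164 table (an assumption for the names of codes 12 to 15, which the RFC describes rather than names).

```python
import re

# Constructed sample lines, modelled on the messages in the question.
# The last one has no PRI, as the events appear in Splunk after stripping.
SAMPLE_LINES = [
    "<182>receive event capwap disconnect: eventid = 88: length = 0",
    "<182>[wifi]: wifi0: reduce CCA to 49",
    "<182>CAPWAP: capwap predefine server name file isn't exist.",
    "receive event capwap disconnect: eventid = 88: length = 0",
]

# RFC 3164 facility codes 0..23; codes 12-15 are given short names here (assumption).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

# RFC 3164 severity codes 0..7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<" + 1..3 digits + ">" at the very start of the datagram payload.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(message):
    """Split a syslog payload into (pri, rest).

    Returns (None, message) when there is no PRI or the value is out of the
    valid range 0..191 (23 facilities * 8 + 7), so callers can tell a stripped
    message apart from a decoded one.
    """
    match = PRI_RE.match(message)
    if match is None:
        return None, message
    pri = int(match.group(1))
    if pri > 191:
        return None, message
    return pri, message[match.end():]


def decode_syslog(message):
    """Return facility/severity fields the way a search-time lookup would."""
    pri, rest = parse_pri(message)
    if pri is None:
        # Nothing to decode: the priority was stripped or malformed upstream.
        return {"pri": None, "facility": None, "severity": None, "message": rest}
    facility_code, severity_code = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": FACILITIES[facility_code],
        "severity": SEVERITIES[severity_code],
        "message": rest,
    }


def decode_all(lines):
    """Decode a batch of lines; used by the demo below and by the test."""
    return [decode_syslog(line) for line in lines]


if __name__ == "__main__":
    for fields in decode_all(SAMPLE_LINES):
        print(fields)
```

For the sample value, 182 = 22 * 8 + 6, so the decoder reports facility local6 and severity info, which agrees with the comment below that "<182>" carries the informational level. With `no_priority_stripping = true` set in the UDP input stanza of inputs.conf (for example `[udp://514]`), the "<182>" prefix stays in the indexed event and the same decoding can be done at search time.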
I can see in the network capture that <182> is the syslog level info.
It seems Splunk does not analyse syslog protocol correctly.