Hi,
This isn't a splunk question, but I figure this community probably has a lot of people who use rsyslog...
I have my rsyslog.conf set up to use dynafiles, and messages are written out to a specific file for each host:
$template DynaFile,"/apps/log/system-%HOSTNAME%.log"
$FileOwner splunk
*.* -?DynaFile
This config is working, except for one host. The hostname is not getting picked up for this host. I did notice that the messages are a little different (see below), but I'm not sure if that should cause rsyslog not to detect the host. I checked with engineering, and the messages are being sent directly from the device - there is no intermediary. Anyone ever seen this?
Jan 9 08:54:49 01/09/2013: 08:54:49 hostxxxx PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 242099 : SPCBId 246946 - ClientIP 1.2.3.4 - ClientPort 60900 - VserverServiceIP 1.2.3.4 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "RC4-MD5 TLSv1 Non-Export 128-bit" - Session New
Jan 9 08:54:49 01/09/2013: 08:54:49 hostxxxx PPE-0 : UI CMD_EXECUTED 242100 : User aaaaa - Remote_ip 1.2.3.4 - Command "logout" - Status "Success"
Jan 9 08:54:51 01/09/2013: 08:54:51 hostxxxx PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 242101 : SPCBId 246947 - ClientIP 1.2.3.4 - ClientPort 60901 - VserverServiceIP 1.2.3.4 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "RC4-MD5 TLSv1 Non-Export 128-bit" - Session Reuse
How do these messages differ from messages where the %HOSTNAME% works? Please post an example. You are right, though. This is not really a splunk issue...but I've run into similar problems some time ago, and had to resort to using the $fromhost-ip variable instead.
This should work the same, but your files will be called 10.11.12.13.log etc, and in Splunk you'll get IP addresses as host instead of a hostname (if you use host_regex in inputs.conf to set the host field). If you have this set up as the sourcetype syslog, Splunk will check each and every message to set the host field, and might possibly fail for the same reasons that rsyslog does.
Note that using $fromhost-ip will only work well if the devices send their logs directly to the rsyslog server, without relays.
Hope this helps,
Kristian
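To see why the lines in the question defeat hostname detection, here is an added example that is not part of the original thread and not rsyslog's own parser code. It models the legacy RFC 3164 header the way a syslog receiver reads it (timestamp, then the next whitespace-delimited token is the HOSTNAME), runs the three quoted lines through it, and shows the two workarounds discussed above: falling back to the sender address (what %fromhost-ip% does) and a format-specific regex that digs the real device name out of the doubled timestamp (the kind of pattern one would give Splunk's host extraction). The sample lines are copied from the question plus one constructed conventional line; the regexes, function names and the assumption that the device always emits this layout are mine.

```python
import re

# Constructed sample input for this example: the three lines quoted in the
# question (a second, slash-formatted date sits where the hostname should be)
# plus one conventionally formatted line for comparison. Not real device output.
SAMPLE_LINES = [
    'Jan 9 08:54:49 01/09/2013: 08:54:49 hostxxxx PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 242099 : SPCBId 246946 - ClientIP 1.2.3.4 - ClientPort 60900 - VserverServiceIP 1.2.3.4 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "RC4-MD5 TLSv1 Non-Export 128-bit" - Session New',
    'Jan 9 08:54:49 01/09/2013: 08:54:49 hostxxxx PPE-0 : UI CMD_EXECUTED 242100 : User aaaaa - Remote_ip 1.2.3.4 - Command "logout" - Status "Success"',
    'Jan  9 08:55:02 webfront01 sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 4242 ssh2',
]

# Simplified RFC 3164 header: optional <PRI>, "Mmm dd hh:mm:ss", then the next
# whitespace-delimited token is taken as HOSTNAME. This models the legacy syslog
# layout for illustration; it is not rsyslog's actual parser.
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+)"
    r"(?: (?P<rest>.*))?$"
)

# RFC 1123-style hostname (or dotted IPv4): labels of [A-Za-z0-9-] joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)

# Format-specific pattern for the odd lines: after the syslog timestamp the
# device repeats the date as MM/DD/YYYY: and the time, and only then names
# itself. Assumption: the device always emits this layout (the three quoted
# lines suggest it but do not prove it).
DEVICE_HOST_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} "
    r"\d{2}/\d{2}/\d{4}: \d{2}:\d{2}:\d{2} (?P<host>\S+) "
)

TEMPLATE = "/apps/log/system-{}.log"   # the DynaFile template from the question


def parse_header(line):
    """Return {'ts', 'host', 'rest'} or None if the line has no RFC 3164 header."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def is_valid_hostname(token):
    return bool(HOSTNAME_RE.match(token))


def naive_dynafile_path(line):
    """What the %HOSTNAME% template yields when the hostname token is trusted blindly."""
    hdr = parse_header(line)
    return TEMPLATE.format(hdr["host"]) if hdr else None


def dynafile_path(line, from_ip):
    """Use the parsed hostname when it is well-formed; otherwise fall back to the
    sender address, which is what switching the template to %fromhost-ip% gives
    you (only meaningful when devices send directly, without relays)."""
    hdr = parse_header(line)
    if hdr and is_valid_hostname(hdr["host"]):
        return TEMPLATE.format(hdr["host"])
    return TEMPLATE.format(from_ip)


def recover_device_host(line):
    """Pull the real device name out of the doubled-timestamp layout, or None."""
    m = DEVICE_HOST_RE.match(line)
    return m.group("host") if m else None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        hdr = parse_header(line)
        print(f"header host={hdr['host']!r:16} valid={is_valid_hostname(hdr['host'])!s:5}"
              f" naive={naive_dynafile_path(line)}"
              f" fallback={dynafile_path(line, '10.11.12.13')}"
              f" device_host={recover_device_host(line)}")
```

Running it shows the problem directly: for the quoted lines the hostname slot holds `01/09/2013:`, so the naive template would build `/apps/log/system-01/09/2013:.log`, a path with two extra directory components, while the conventional line resolves to `/apps/log/system-webfront01.log`. That is also the security point worth remembering about dynafiles: the HOSTNAME token comes from the message body, so anything a sender puts there can end up in a filesystem path unless it is validated or sanitised (rsyslog's `secpath-drop`/`secpath-replace` property options exist for exactly this), whereas `%fromhost-ip%` comes from the socket and cannot be chosen by the message author. The equivalent of the fallback in rsyslog's legacy syntax is simply `$template DynaFile,"/apps/log/system-%fromhost-ip%.log"`, with the caveat from the answer that a relay in between would make every file carry the relay's address.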