
How can I avoid adding the original hostname (or IP address) to a _SYSLOG_ROUTING event when forwarding to a third-party server?

Masa
Splunk Employee


I can see that Splunk adds host information to the original syslog event when using _SYSLOG_ROUTING to forward syslog events to a third-party server.

Below is an example where the server's IP address 192.168.10.111 was added, even though it was already in the original event.

192.168.10.111 Mar 16 00:01:29 192.168.10.111 postfix/qmgr[1106]: EA11004022: from=, size=3514, nrcpt=1 (queue active) 

How can I remove the host name?


Masa
Splunk Employee

Probably you're using a non-syslog sourcetype. In that case, try the syslogSourceType attribute in outputs.conf. This should avoid adding the originating hostname.

syslogSourceType = <string>
* Specifies an additional rule for handling data, in addition to that 
  provided by the 'syslog' source type.
* This string is used as a substring match against the sourcetype key. For
  example, if the string is set to "syslog", then all sourcetypes
  containing the string 'syslog' receive this special treatment.
* To match a sourcetype explicitly, use the pattern
  "sourcetype::sourcetype_name".
    * Example: syslogSourceType = sourcetype::apache_common
* Data that is "syslog" or matches this setting is assumed to already be in 
  syslog format. 
* Data that does not match the rules has a header, optionally a timestamp 
  (if defined in 'timestampformat'), and a hostname added to the front of 
  the event. This is how Splunk software causes arbitrary log data to match syslog expectations.
* No default.

For more detail:
Official Doc: https://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkEnterprisehandlessyslogdata
Community Wiki (old): https://wiki.splunk.com/Community:Test:How_Splunk_behaves_when_receiving_or_forwarding_udp_data


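An added example of the configuration the answer above describes (not from the original post): a syslog output group in outputs.conf whose syslogSourceType matches the forwarded sourcetype, plus the props.conf and transforms.conf pair that sets _SYSLOG_ROUTING. The sourcetype name postfix, the group name thirdparty_syslog and the destination 203.0.113.5:514 are assumptions.

```ini
# outputs.conf (assumed example; group name and destination are placeholders)
[syslog]
defaultGroup = thirdparty_syslog

[syslog:thirdparty_syslog]
server = 203.0.113.5:514
type = udp
# Without the line below, a sourcetype named "postfix" does not contain the
# substring "syslog", so Splunk treats the data as non-syslog and prepends a
# header carrying the original host. That is how the source IP ended up at
# the front of the forwarded event in the question. With an explicit match,
# events of this sourcetype are assumed to already be in syslog format and
# are forwarded unchanged.
syslogSourceType = sourcetype::postfix

# props.conf (assumed example): attach the routing transform to the sourcetype
[postfix]
TRANSFORMS-route_syslog = route_postfix_to_syslog

# transforms.conf (assumed example): send every event of that sourcetype
# to the thirdparty_syslog group via the _SYSLOG_ROUTING key
[route_postfix_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = thirdparty_syslog
```

_SYSLOG_ROUTING is evaluated at parse time, so this configuration belongs on a heavy forwarder or indexer, not on a universal forwarder. After a restart, compare the forwarded event on the receiving server with the original to confirm the leading hostname is gone.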