Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

More syslog forwarding fun...

Steve_Litras
Path Finder
‎09-30-2010 10:23 PM

So I've got forwarding of splunk data set up for certain systems in my environment to go to a 3rd party, in addition to through splunk. However, it looks like the host field doesn't get included in that forward, so the 3rd party just sees all this data coming from one system, with no differentiation of where the events originally came from (they're coming from a light forwarder, through an intermediate forwarding layer, into the indexing layer and being forwarded at the index layer via syslog).

Is the host field being dropped? Is there a way to add it back in?

Tags (2)
0 Karma
Reply

gfriedmann
Communicator
‎02-04-2011 09:15 PM

I've worked with multiple systems and here are two things to try individually or together 1) Make sure the log message outputed by the output will include the original origin IP address as the first part of the message... just after the priority and timestamp if it is present. in syslog-ng, this sort of formatting looks like "template("$STAMP $HOST $MSG\n")"

2) Try using TCP. Some receivers take TCP transport as a cue that the soruce might be a forwarder with some intelligence.

Regarding truncation before an expected 1.5k max, i have seen truncation at half the set value in some systems due to UTF16 representation doubling the amount of interpreted length somewhere along the way.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-01-2010 05:42 AM

Make sure you are not setting syslogSourceType in your output group configuration. You should probably also set priority and timestampformat. I believe that setting syslogSourceType to something other than "syslog" (or whatever the default is) stops Splunk from prepending the host.

You will also need to set timestampformat if you want Splunk to add the Splunk event timestamp, or you can try to count on the target server to prepend the current time.

0 Karma
Reply

Steve_Litras
Path Finder
‎10-01-2010 05:59 PM

I'm not using setting syslogSourceType anywhere in my config. I did some tcpdumps on the server, and it looks like all the syslog output it getting truncated, but not at a consistent length (well under the 1.5K MTU). I haven't changed the default truncation value.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...