Getting Data In

How to get separate hostnames from logs arriving on a Heavy Forwarder over a single syslog port (515) into Splunk

dikshaj
Engager

I am trying to integrate a few servers into Splunk. The servers send syslog data only. Earlier I had two servers (log sources), so I made the input traffic come in on ports 514 and 515. I used two ports to get two host names in the logs. But now the server count is about 5, and I don't feel like giving these 5 servers another 5 separate ports just to get different host names.

I want to use a single port, say port 514, as the input to my HF for n servers and get the n distinct HOSTs. Can anyone suggest how I can achieve this in Splunk?


gcusello
SplunkTrust

Hi @dikshaj,
if you want to ingest syslogs from only a set of servers, you have to follow the indications of @nickhills.
If instead you want to ingest syslogs from all the servers, the easiest way to ingest syslogs from different servers is to receive all of them on the same port and then override the host value using a regex.
In other words, on the Heavy Forwarder you have to add a props.conf stanza (located in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory under $SPLUNK_HOME/etc/apps/) like this:

[your_sourcetype]
# e.g. [syslog], or [source::udp:514] to key the override on the input instead of the sourcetype
TRANSFORMS-override_host = override_host

and in a transforms.conf stanza:

[override_host]
# REGEX must capture the hostname in group 1; when it does not match, the host set by the input is kept
REGEX = <your_regex>
FORMAT = host::$1
DEST_KEY = MetaData:Host

Usually the syslogs of all servers have the hostname after the timestamp and/or IP address; to be more sure, check this regex (if you want, share an example and I can help).
For more info see https://docs.splunk.com/Documentation/SplunkCloud/8.0.1/Data/Overridedefaulthostassignments .

Ciao.
Giuseppe


klaxdal
Contributor

Could you not use rsyslog? If I understand the question, you want the syslog to carry unique host information?

$template RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"

Then apply this template to messages coming from remote hosts (the ruleset has to be bound to the listener that receives them):

$RuleSet remote
*.* ?RemoteHost
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514

Then have Splunk monitor the entire /var/syslog/hosts/ tree.


nickhills
Ultra Champion

Take a look here:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Monitornetworkports

Specifically "Specify input settings"

If you are configuring using inputs.conf you should add:

connection_host = ip | dns | none 

"ip" sets the host to the IP address of the remote server.
"dns" sets the host to the DNS entry of the remote server.
"none" leaves the host as specified, i.e. your HF.

If my comment helps, please give it a thumbs up!
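Putting the two Splunk-side answers above together (gcusello's regex override and nickhills' connection_host setting), here is an added example, not code from the thread or from Splunk, that emulates offline how an event's host field ends up: first the input-stage value chosen by connection_host, then the parsing-time regex override from props/transforms, which replaces it when the regex matches. The regex, the stanza name override_host, the forwarder name hf01, the sample syslog lines and the DNS table are assumptions constructed for this example. The regex is written for RFC 3164 and RFC 5424 headers with an optional <PRI> in front (the forwarder strips it by default), and should be checked against real lines from your servers before it goes into transforms.conf.

```python
"""Emulate how a syslog event's host field is set on a Splunk Heavy Forwarder:

  1. inputs.conf   connection_host = ip | dns | none      (input stage)
  2. props/transforms host override via a regex            (parsing stage)

Added example for the thread above; not Splunk code. Regex and samples are assumptions.
"""
import re

# Assumption: one regex covering the two common syslog header layouts.
#   RFC 3164: <PRI>Mmm dd HH:MM:SS HOSTNAME ...
#   RFC 5424: <PRI>1 YYYY-MM-DDTHH:MM:SS(.frac)(Z|offset) HOSTNAME ...
# Group 1 is the hostname. The negative lookahead refuses the RFC 5424 nil
# value "-", so a header with no hostname leaves the host field untouched.
HOST_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?:\d\s)?"
    r"(?:[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\S+)"
    r"\s((?!-\s)\S+)\s"
)

# The same expression as it would be pasted into transforms.conf (PCRE syntax,
# identical for this pattern). Stanza name is this example's choice.
TRANSFORMS_STANZA = f"""[override_host]
REGEX = {HOST_RE.pattern}
FORMAT = host::$1
DEST_KEY = MetaData:Host
"""


def input_stage_host(peer_ip, connection_host="ip", input_host="hf01", dns_table=None):
    """Host value assigned by the network input itself.

    ip   -> the sender's IP address
    dns  -> reverse DNS name of the sender; dns_table stands in for the
            resolver so this runs offline (constructed), and an unresolved
            address falls back to the IP in this emulation
    none -> the 'host' attribute of the input stanza, which defaults to the
            forwarder's own name (hf01 here, an assumption)
    """
    if connection_host == "ip":
        return peer_ip
    if connection_host == "dns":
        return (dns_table or {}).get(peer_ip, peer_ip)
    if connection_host == "none":
        return input_host
    raise ValueError(f"unknown connection_host value: {connection_host}")


def override_host(line, current_host):
    """Apply the props/transforms override: on a match, capture group 1 replaces
    the host; on no match, the host set at the input stage is kept."""
    m = HOST_RE.match(line)
    return m.group(1) if m else current_host


def resolve_host(line, peer_ip, connection_host="ip", input_host="hf01", dns_table=None):
    """End-to-end host value: input stage first, then the parsing-time override."""
    first = input_stage_host(peer_ip, connection_host, input_host, dns_table)
    return override_host(line, first)


# Constructed sample data: (sender IP, raw line as received on the port).
SAMPLE_EVENTS = [
    ("10.0.0.11", "<34>Oct 11 22:14:15 web01 sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 51234"),
    ("10.0.0.12", "<13>Oct  1 07:05:09 db02.example.net kernel: [0.000000] Booting"),
    ("10.0.0.13", "<165>1 2020-06-30T12:00:00.000Z fw03.example.net sshd 4711 ID47 - Login failed"),
    ("10.0.0.14", "<165>1 2020-06-30T12:00:01Z - app - - - no hostname in header"),
    ("10.0.0.15", "garbage without a syslog header"),
]


def demo(connection_host="ip"):
    """Return {sender IP: resolved host} for the samples under one connection_host setting."""
    return {ip: resolve_host(line, ip, connection_host) for ip, line in SAMPLE_EVENTS}


if __name__ == "__main__":
    for mode in ("ip", "none"):
        print(f"connection_host = {mode}")
        for ip, host in demo(mode).items():
            print(f"  {ip:<12} -> {host}")
    print(TRANSFORMS_STANZA)
```

The samples worth looking at are the last two: when the header carries no usable hostname the transform does not fire, so the event keeps whatever connection_host assigned. With connection_host = none that is the forwarder's own name, which is exactly the one-host-for-everything problem in the question; with connection_host = ip every sender is at least told apart by address, so it is the safer baseline to pair the regex override with.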
