Hostname in file monitoring of syslog

nlspears01
Engager

Hi,

I have Splunk monitoring a Kiwi log file of syslog data. The problem I am having is that the source of the data is showing the syslog server hostname instead of the actual source that the syslog data came from. Is there a way to change this? I know that when I monitor UDP and have the syslog data sent directly to Splunk it shows the correct source. Unfortunately, Kiwi is already using this port, which resides on the same server as Splunk.

1 Solution

FunPolice
Path Finder

Splunk doesn't "see" the real source host, as Kiwi is sitting in between. You need to tell Splunk where to find the hostname in the event (search for "Override default host values based on event data" in the user manual).

Kiwi may "break" some extractions because it can add its own timestamp (depending on which file format you choose to save as). We are saving in "Kiwi format ISO yyyy-mm-dd (Tab delimited)". For Cisco devices I use the following:

props.conf

[cisco_firewall]
TRANSFORMS-extract = cisco_firewall_hostoverride

transforms.conf

[cisco_firewall_hostoverride]
DEST_KEY = MetaData:Host
REGEX = \S+\t\S+\s(.*)\t+
FORMAT = host::$1

The start of a Cisco firewall event that has been logged by Kiwi looks like

2011-04-15 15:18:45 Local4.Info 10.11.12.13

Looking back, my regex could be a bit tidier, but it works.

  • The \S+\t matches everything that isn't whitespace that appears before a tab (15:18:45)
  • The next \S+\s matches the facility and severity (Local4.Info) - the \s should probably be a \t, but it still works fine.
  • The (.*)\t+ "captures" the host (10.11.12.13) as all the characters before the next tab.


yannK
Splunk Employee

My method to use the sender host for syslog instead of the host in the events

If your sourcetype is syslog, then the host is extracted from the events, not from the server host (defined in inputs.conf).

To avoid this, please use this special sourcetype "syslog_nohost"
on the indexer in my .../local/props.conf, then restart to apply:

[syslog_nohost]
#was TRANSFORMS = syslog-host
TRANSFORMS =
pulldown_type = true
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False

then specify the host value in inputs.conf, then restart to apply.

[monitor:///var/log/mylog]
sourcetype=syslog_nohost

Later, while searching, I can use sourcetype=syslog*
or even in the manager do a sourcetype renaming of syslog_nohost to syslog (to be compatible with other apps).

0 Karma

FunPolice
Path Finder

In this case the syslog events have been collected by Kiwi, so all events appear to have come from the Kiwi server. Kiwi then adds other information to the event, so it is no longer purely syslog format.

0 Karma


Michael_Wilde
Splunk Employee

I'd recommend getting rid of the .* in there and just substituting that with a (\S+). .* will match the entire line and a regex engine then has to backtrack, character by character.

0 Karma
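To check a host-override regex against sample lines before putting it into transforms.conf, here is an added Python example (not from the accepted answer, Michael_Wilde's comment, or Splunk) that runs the accepted answer's REGEX and the `(\S+)` variant suggested above over constructed Kiwi-format events. It assumes, as the answer's bullets imply, that the date and time are separated by a space and the remaining fields by tabs, and that Python's `re` treats these constructs the same way Splunk's PCRE does (it does for `\S`, `\s`, `\t` and a greedy `.*`).

```python
import re

# Accepted answer's transform regex and the tightened form suggested by
# Michael_Wilde. Splunk searches the raw event with REGEX, so neither is anchored.
ORIGINAL_REGEX = re.compile(r"\S+\t\S+\s(.*)\t+")
TIGHTER_REGEX = re.compile(r"\S+\t\S+\s(\S+)\t+")

# Constructed Kiwi "ISO yyyy-mm-dd (Tab delimited)" events modelled on the event
# in the accepted answer (not captured data). Assumed layout: date and time
# separated by a space, then facility.severity, sender host and message
# separated by tabs. The second message deliberately contains a tab.
PLAIN_EVENT = ("2011-04-15 15:18:45\tLocal4.Info\t10.11.12.13\t"
               "%ASA-6-302013: Built inbound TCP connection")
TABBED_EVENT = ("2011-04-15 15:18:46\tLocal4.Warning\tfw-edge-01\t"
                "%ASA-4-106023: Deny tcp\tsrc outside")
# A plain syslog line with no tabs, i.e. not written by Kiwi in this format.
UNTABBED_EVENT = "Apr 15 15:18:47 fw-edge-01 %ASA-6-302013: Built inbound TCP connection"


def extract_host(raw_event, pattern):
    """Mimic the transform (DEST_KEY = MetaData:Host, FORMAT = host::$1):
    search the raw event and return group 1, or None when the regex does not
    match, in which case Splunk keeps the default host from inputs.conf."""
    match = pattern.search(raw_event)
    return match.group(1) if match else None


def compare_patterns(raw_event):
    """Return (host from original regex, host from tighter regex)."""
    return (extract_host(raw_event, ORIGINAL_REGEX),
            extract_host(raw_event, TIGHTER_REGEX))


if __name__ == "__main__":
    for label, event in (("plain", PLAIN_EVENT), ("tabbed", TABBED_EVENT),
                         ("untabbed", UNTABBED_EVENT)):
        original, tighter = compare_patterns(event)
        print(f"{label:9s} original={original!r:45} tighter={tighter!r}")
```

The tabbed case shows why the `(\S+)` form is the safer choice: with the greedy `.*`, a tab inside the message makes the captured "host" swallow part of the message text, and that bogus value is what gets written to the host field at index time and what searches and alerts then key on.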

foysol_bgd
New Member

I am trying to monitor a Kiwi syslog circular file as well with Splunk and struggling to see the hostnames in Splunk.
I created props.conf and transforms.conf as you mentioned and saved them in here :\Program Files\Splunk\etc\system\local.

Looks like this is not working and the hostnames are still the server name and not the hostname that is in the syslog.
I restarted the service as well and it did not help.

Any advice?

0 Karma

jbsplunk
Splunk Employee

It sounds to me like you're asking about hostname chaining. If this is correct, please see the following answer:

http://answers.splunk.com/questions/897/how-to-disable-hostname-chaining

0 Karma

jrodman
Splunk Employee

nlspears01: There is a transform that accomplishes this for sourcetype syslog, as mikelanghorst suggested. If you are using an alternate sourcetype, you could simply use the one we use, if the data is formatted the same way. I recommend taking a peek at etc/system/default/props and transforms to see how this is done for syslog.

jbsplunk
Splunk Employee

That should be possible. I am not sure exactly what the log files you're talking about look like, but a similar solution is discussed here:

http://answers.splunk.com/questions/1673/hostname-rename-using-transforms

0 Karma

nlspears01
Engager

To better explain. I have Splunk monitoring a Kiwi log file. When I set up the input it asked to "SET HOST" with constant, regex, or segment in path. I put constant and put the server hostname, but obviously this is putting the server's hostname in the host field of the syslogs that I receive in Splunk. Is there a way around this, such as a regex expression that will pull the hostname from the log and not overwrite it with the constant host?

0 Karma

mikelanghorst
Motivator

Need some more details on your situation. It sounds like Kiwi is receiving the data and writing the log which you're reading in Splunk? What's your sourcetype set to for this input? If set to sourcetype=syslog in your inputs.conf it should read the file for that information. Could you paste the relevant section from your inputs.conf?
