- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Changing Syslog Source type for directories
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We're using Syslog-ng in our environment and have a forwarder setup on syslog-ng to forward the logs to Splunk. But when they're indexed in Splunk, the sourcetype is "syslog". Is it possible to set this to the actual source type? For example our syslog-ng directory structure looks like such:
/logs/log-type/hostname/
I want to be able to set log-type to be the sourcetype in Splunk. It has to be possible!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would have to set up different monitor stanzas in inputs.conf on the forwarder, e.g.;
[monitor:///logs/nginx/*/]
index = your_index
sourcetype = nginx
host_segment = 3
[monitor:///logs/cisco/*/]
index = your_index
sourcetype = cisco
host_segment = 3
etc etc
If you do not specify sourcetype (which I assume you have not done) Splunk will probably identify and classify it as syslog. And syslog is a sourcetype (the only one I think) where Splunk will automatically extract and set the host for each event in the log individually, i.e. not on a per file basis.
Therefore you will also have to set the host value manually, but the host_segment lets you set this from the path being monitored.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the inputs file, I have this and it worked:
[monitor:///logs/static-httpd-error-log/*/*.log]
sourcetype = static-httpd-error-log
index = main
host_segment = 3
Thanks for the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you are most welcome. /k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would have to set up different monitor stanzas in inputs.conf on the forwarder, e.g.;
[monitor:///logs/nginx/*/]
index = your_index
sourcetype = nginx
host_segment = 3
[monitor:///logs/cisco/*/]
index = your_index
sourcetype = cisco
host_segment = 3
etc etc
If you do not specify sourcetype (which I assume you have not done) Splunk will probably identify and classify it as syslog. And syslog is a sourcetype (the only one I think) where Splunk will automatically extract and set the host for each event in the log individually, i.e. not on a per file basis.
Therefore you will also have to set the host value manually, but the host_segment lets you set this from the path being monitored.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This goes on the forwarder? Or should it be on the inputs.conf on the index?
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
