Getting Data In

Forward logs to 3rd party syslog server without additional timestamp/originating host field

ikulcsar
Communicator

Hi,

We have a syslog input with non-syslog sourcetype over TCP. Everything looks good in Splunk. However, we have to forward these logs to a 3rd party syslog server.

We are facing the 2nd and 3rd scenarios from these links (but with a TCP input):
http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkEnterprisehandlessyslogdata
https://wiki.splunk.com/Community:Test:How_Splunk_behaves_when_receiving_or_forwarding_udp_data

2nd scenario: Splunk attaches the originating host field; the 3rd party server doesn't like it...
3rd scenario: Splunk attaches a new timestamp and the originating host field. The 3rd party system can handle it, but the event gets too long.

Is there any way to solve this problem? How do we avoid attaching the originating host field, or is there any other suggestion?
Am I missing some documentation about it?

Regards,
István


micahkemp
Champion

Check out syslogSourceType in outputs.conf:

syslogSourceType = <string>
* Specifies an additional rule for handling data, in addition to that 
  provided by the 'syslog' source type.
* This string is used as a substring match against the sourcetype key.  For
  example, if the string is set to 'syslog', then all source types
  containing the string 'syslog' will receive this special treatment.
* To match a source type explicitly, use the pattern
  "sourcetype::sourcetype_name".
    * Example: syslogSourceType = sourcetype::apache_common
* Data which is 'syslog' or matches this setting is assumed to already be in 
  syslog format. 
* Data which does not match the rules has a header, optionally a timestamp 
  (if defined in 'timestampformat'), and a hostname added to the front of 
  the event. This is how Splunk causes arbitrary log data to match syslog 
  expectations.
* Defaults to unset.

Try setting syslogSourceType to the sourcetype of your non-syslog data so Splunk will assume it is already in syslog format (even though it's not).
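A complete set of config fragments showing how the setting above fits together with the syslog routing, as an added example (not from the original post or from Splunk's documentation). The output group name third_party, the sourcetype my_app, the destination 203.0.113.10:514 and the timestamp format are assumptions; replace them with your own values.

```ini
# outputs.conf on the Splunk instance that parses the TCP input
# (heavy forwarder or indexer). Added example; group name, server
# address and port are assumptions.
[syslog:third_party]
server = 203.0.113.10:514
type = tcp
# Events whose sourcetype is exactly "my_app" are treated as already
# being in syslog format, so no header, timestamp or hostname is
# prepended. Without the "sourcetype::" prefix the value is a substring
# match, so "syslogSourceType = app" would also catch "webapp_access".
syslogSourceType = sourcetype::my_app
# Applies only to events that do NOT match the rule above; those still
# get the header, this timestamp and the hostname prepended.
timestampformat = %b %e %H:%M:%S

# props.conf: run the routing transform on the non-syslog sourcetype
[my_app]
TRANSFORMS-route_to_syslog = send_to_third_party

# transforms.conf: route every event of that sourcetype to the syslog
# output group defined above (indexing in Splunk is unaffected)
[send_to_third_party]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = third_party
```

The props/transforms routing only takes effect where parsing happens, so a universal forwarder listening on the TCP port has to send to a heavy forwarder or indexer that carries these three files. To confirm the header is really gone, capture a few forwarded events on the 3rd party side (tcpdump on port 514, or the receiver's raw log) and compare them byte for byte with the original events; if a leading hostname or timestamp is still present, the sourcetype of the incoming data does not match the syslogSourceType value and you can check what Splunk actually assigned with a search such as index=<your_index> | stats count by sourcetype.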

ikulcsar
Communicator

Thank you. We tried it in our lab with no luck. We plan to test it with the specific, 'real' logs, but it will take time. There are a lot of other scheduled tasks now.

Regards,
István
