Re: Hostname lost in forwarded syslog messages

micuzzu · ‎06-23-2014

Hi,
I have a central syslog server, collecting auth.* messages from many Linux hosts in the /var/log/secure file. Then they are forwarded to Splunk by a Universal Forwarder.
The problem is that Splunk sees all these messages with host = "syslog server".

What's the simplest method to use the real originating host, that is always present after date/time:

Jun 23 17:52:36 host01 sshd[12447]: pam_unix(sshd:session): session opened for user jsmith b
y (uid=0)

yannK · ‎06-23-2014

if you use the "syslog" sourcetype, then the host should be extracted from the events.

To understand the mechanism, look at the $SPLUNK_HOME/etc/default/props.conf [syslog]
and $SPLUNK_HOME/etc/default/transforms.conf [syslog-host]

DEST_KEY = MetaData:Host REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s FORMAT = host::$1

micuzzu · ‎06-26-2014

I tried on a test Splunk server, loading directly the file /var/log/secure of the syslog central server and it works 😉

Now how can I correct the behaviour on the production Splunk server, receiving forwarded events?

yannK · ‎06-24-2014

Inputs are in inputs.conf (in $PSLUNK_HOME/etc/apps//default or /local, or in the $SPLUNK_HOME/etc/system/local)

Try to change the sourcetype to syslog to get the extraction.

micuzzu · ‎06-23-2014

OK, in fact they are now actually indexed using "linux_secure" sourcetype.
Where are defined input data for forwarded events (I'm a newbie)?

Hostname lost in forwarded syslog messages

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases