Solved: How to disable hostname chaining?

zliu · ‎03-26-2010

How to disable hostname chaining? Splunk picks the chained hostname rather than the original.

zliu · ‎03-26-2010

There are two alternative solutions for this issue: >

Modify the configuration of syslog server to disable hostname chaining. This is the preferred method since it removes one of the moving parts in this equation and ensures that events being sourceypted as syslog that do not have a chained hostname are not impacted Below is a link for syslog-ng.conf reference: http://linux.die.net/man/5/syslog-ng.conf Look for "chain_hostnames"

Create a props.conf file under your $SPLUNK_HOME/etc/apps/SplunkEnterrpiseSecuritySuite/local with below content:

[syslog] TRANSFORMS = syslog-header-stripper-ts-host, syslog-host

This will tell Splunk to remove the the chained hostname and timestamp from the event and then extract the hostname from the newly modified event.

View solution in original post

zliu · ‎03-26-2010

There are two alternative solutions for this issue: >

Modify the configuration of syslog server to disable hostname chaining. This is the preferred method since it removes one of the moving parts in this equation and ensures that events being sourceypted as syslog that do not have a chained hostname are not impacted Below is a link for syslog-ng.conf reference: http://linux.die.net/man/5/syslog-ng.conf Look for "chain_hostnames"

Create a props.conf file under your $SPLUNK_HOME/etc/apps/SplunkEnterrpiseSecuritySuite/local with below content:

[syslog] TRANSFORMS = syslog-header-stripper-ts-host, syslog-host

This will tell Splunk to remove the the chained hostname and timestamp from the event and then extract the hostname from the newly modified event.

How to disable hostname chaining?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk