- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: syslog differences between centos5 and 6
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
syslog differences between centos5 and 6
Hi everyone,
I'm noticing that my centos 6 (rsyslog) hosts are showing up different in splunk compared to my cent5 (syslog) hosts.
cent6:
Feb 13 17:22:15 rsyslog6client.domain.com Feb 13 17:22:15 rsyslog6client sshd[30586]: pam_unix(sshd:session): session closed for user dmurphy
cent5:
Feb 13 17:22:21 syslog5client.domain.com sshd[13812]: pam_unix(sshd:session): session closed for user dmurphy
Notice the double timestamp and host on the cent6 box. Any ideas what might be causing that? Not sure if it's syslog adding it, or splunk adding stuff when parsing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check the blog for more details.
http://onlinedocs.info/setup-a-remote-syslog-server-in-centos-6/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hrm - not so sure that is it. I just tried every format listed on that page - except for debug, and the timestamps never changed in splunk - still getting the duplicates.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible that rsyslog is sending stuff over in a way that splunk doesn't know how it should be tagged so it's not doing any stripping? Doesn't seem right because both are appearing under sourcetype=syslog.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And did you check the raw output from rsyslog, after you restarted it, to ensure it had only the one timestamp?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spot on.
So now the question is, which format do I want? I'm thinking either RSYSLOG_FileFormat or RSYSLOG_ForwardFormat? Do you know which will give me entries similar to the below in splunk?
Feb 13 17:22:21 syslog5client.domain.com sshd[13812]: pam_unix(sshd:session): session closed for user dmurphy
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rsyslog replaced syslog in Cent OS 6.
Odds are, it is configured to use RSYSLOG_TraditionalFileFormat
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
Splunk APM: New Product Features + Community Office Hours Recap!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
