Hi Jeremiah, this log is from a Cisco switch sending syslog to SPLUNK.
We are also seeing multiple headers in logs from other systems as well coming in on source udp:514.
It appears as though SPLUNK is attaching another header before it goes out.
I have also attached all of the outputs stanzas at the end.
The log below is what's sent to the external logger from another host; there are multiple headers again.
External logger:
Jan 29 16:52:32 esx.mydomain Jan 29 16:52:32 esx.mydomain 2016-01-29T21:52:32.963Z ESX.MYDOMAINVpxa: [FF96FB90 verbose 'hostdstats']
SPLUNK:
Jan 29 16:52:32 esx.mydomain 2016-01-29T21:52:32.978Z ESX.MYDOMAIN Vpxa: [FF96FB90 verbose 'hostdstats'] Set internal stats for VM
OUTPUTS:
[tcpout]
maxQueueSize = 500KB
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
indexAndForward = false
autoLBFrequency = 30
blockOnCloning = true
compressed = false
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
heartbeatFrequency = 30
maxFailuresPerInterval = 2
secsInFailureInterval = 1
maxConnectionsPerIndexer = 2
forceTimebasedAutoLB = false
sendCookedData = true
connectionTimeout = 20
readTimeout = 300
writeTimeout = 300
useACK = false
#defaultGroup=nowhere
[syslog]
defaultGroup =
[syslog:Everything]
disabled = true
timestampformat = %b %e %H:%M:%S
server = x.x.x.x:514
[syslog:ext_logger]
disabled = false
timestampformat = %b %e %H:%M:%S
server = x.x.x.x:514
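To quantify the duplication shown in the two sample lines above, here is an added Python check (not from the original post, and not Splunk's own code) that counts how many BSD-style syslog headers are stacked at the front of each forwarded line and collapses them to a single header. It assumes the `%b %e %H:%M:%S host` layout that the `timestampformat` setting in the outputs stanza produces; the sample lines are copied from the post.

```python
import re

# One RFC 3164 style header as written by the outputs stanza:
# "%b %e %H:%M:%S host " (day may be space padded, hence " +").
BSD_HEADER = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)

# Sample lines taken from the post above.
EXTERNAL_LOGGER_LINE = (
    "Jan 29 16:52:32 esx.mydomain Jan 29 16:52:32 esx.mydomain "
    "2016-01-29T21:52:32.963Z ESX.MYDOMAINVpxa: [FF96FB90 verbose 'hostdstats']"
)
SPLUNK_LINE = (
    "Jan 29 16:52:32 esx.mydomain 2016-01-29T21:52:32.978Z ESX.MYDOMAIN "
    "Vpxa: [FF96FB90 verbose 'hostdstats'] Set internal stats for VM"
)


def split_headers(line):
    """Peel off every leading BSD header; return (list_of_headers, payload)."""
    headers = []
    rest = line
    while True:
        m = BSD_HEADER.match(rest)
        if not m:
            break
        headers.append(m.group(0))
        rest = rest[m.end():]
    return headers, rest


def count_headers(line):
    """Number of stacked syslog headers on the line (1 is normal, >1 is the bug)."""
    return len(split_headers(line)[0])


def collapse_headers(line):
    """Keep only the outermost header (the one added last) plus the payload."""
    headers, payload = split_headers(line)
    return (headers[0] if headers else "") + payload


def find_stacked(lines):
    """Indexes of lines carrying more than one header, for a quick audit of a capture."""
    return [i for i, line in enumerate(lines) if count_headers(line) > 1]
```

Run `find_stacked` over a capture from the external logger to see which sources arrive with duplicated headers before adjusting the forwarding path.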