We run a central Syslog-NG server, which all the logs for the servers and devices we care about get sent to. We use this to send a copy of this log stream to various different log analyzers, including Splunk. When Splunk gets this data, however, it appends the time it got the log and the host it came from (the syslog server) to each log. This seems to screw up Splunk's syslog field extraction.
Searching around, I found this built-in transform, which I added to my props.conf like this: (we're using port 515 here, since 514 is being used for something else at the moment)
[source::udp:515]
TRANSFORMS-stripheader=syslog-header-stripper-ts-host
That works, except the fields seem to have been extracted before the transform gets applied in the process. That is, the host= still shows the syslog server as the host, even though all mention of it was removed from the event. What's the best way to correct this?
To make the matter even more complicated, the incoming stream has things other than syslog data in it. Our Windows domain controllers, web proxy, etc. log there as well. Do I need to have these log to different inputs, or will Splunk handle this on its own? I imagine this is easier to do once Splunk recognizes different hosts, though.
Thanks,
- Eric
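An added example (not from the original post, and not one of Splunk's shipped transforms) showing one way to set the host from the inner syslog header before the stripper rewrites the event. Transforms listed in one TRANSFORMS- class run in the order given, so the host transform must come first. The stanza name, the regex and the sample line are assumptions about what the relayed events look like.

```ini
# props.conf  (added example; port 515 as in the original post)
[source::udp:515]
# Set the host first, then strip the relay's timestamp/host prefix.
TRANSFORMS-stripheader = set_host_from_inner_syslog, syslog-header-stripper-ts-host

# transforms.conf  (added example; stanza name is an assumption)
[set_host_from_inner_syslog]
# Constructed sample of a relayed event as Splunk receives it:
#   Jan  5 10:22:01 syslogsrv <13>Jan  5 10:22:01 webproxy01 squid[1234]: ...
# First "<ts> <host>" is the relay header Splunk added; the second
# "<ts> <host>" is the original syslog header. Capture the second host.
REGEX = ^\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d\s\S+\s(?:<\d+>)?\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d\s(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

Events that do not match the regex (the non-syslog data mentioned above) keep the input's default host, so a separate transform or input can still be used to handle those sources.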