I've got a weird issue with some Cisco WAAS devices identifying their hostname correctly in Splunk. We are in the process of migrating from an old solution to Splunk and previously got the correct hostnames for these.
I started using rsyslogd and it was breaking messages down into directories like this:
/var/log/syslog/%HOSTNAME%/%HOSTNAME%.log
Then Splunk was indexing these directories.
Well, I ended up with some directories named '2012' and some directories named 'Apr', which are messages from our WAAS devices.
So to test it out I have disabled the indexing of this source and forwarded messages from rsyslogd to localhost on a different interface. Splunk still identifies the host according to part of the date. I have the option set up to set the source using DNS, and I have verified DNS lookup is functioning.
Any thoughts as to why these devices would not work and everything else seems to be fine?
Thanks!
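An added example (not from the original post or from Cisco/Splunk/rsyslog) of what a directory named '2012' looks like at the parser level. It assumes, and this is my assumption rather than anything the post establishes, that the WAAS messages carry a header whose timestamp format differs from the standard RFC 3164 `Mmm dd hh:mm:ss` layout, so a lenient parser stops early and takes the next token (a year, a month name) as the hostname. The sample lines, peer addresses and the `waas-edge1` name are constructed. The point is the check: a hostname field that is really a date fragment should be replaced by the sending address rather than used as a directory or Splunk host value.

```python
import re

# Constructed sample lines (not from the original post). The second one is an
# assumed non-standard header that includes the year, which shifts the fields.
SAMPLE_LINES = [
    ("10.0.0.5", "<134>Apr 10 12:34:56 core-rtr1 sshd[812]: Accepted publickey for admin"),
    ("10.0.0.9", "<134>Apr 10 2012 12:34:56 waas-edge1 cms: registration complete"),
]

MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}

# Lenient header: PRI, month, day, then an optional time. If the time is missing
# from where the parser expects it (because a year sits there instead), the
# parser stops early and the next token is taken as the hostname. That is how
# a directory named '2012' appears under a %HOSTNAME% template.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "
    r"(?:(?P<time>\d{2}:\d{2}:\d{2}) )?(?P<host>\S+) (?P<rest>.*)$"
)


def is_date_fragment(token):
    """True when a would-be hostname is really a piece of a timestamp."""
    if token in MONTHS:                               # a bare month such as Apr
        return True
    if re.fullmatch(r"\d{4}", token):                 # a bare year such as 2012
        return True
    if re.fullmatch(r"\d{2}:\d{2}:\d{2}", token):     # a bare time
        return True
    return False


def resolve_host(peer_addr, line):
    """Return (hostname, reason).

    Falls back to the sending address when the header's host field is a
    date fragment or when the header does not parse at all.
    """
    m = HEADER_RE.match(line)
    if not m:
        return peer_addr, "unparsed-header"
    host = m.group("host")
    if is_date_fragment(host):
        return peer_addr, f"date-fragment:{host}"
    return host, "header"


def bucket_lines(samples):
    """Group lines by resolved hostname, mirroring a %HOSTNAME% directory layout."""
    out = {}
    for peer, line in samples:
        host, reason = resolve_host(peer, line)
        out.setdefault(host, []).append((reason, line))
    return out


if __name__ == "__main__":
    for host, entries in bucket_lines(SAMPLE_LINES).items():
        for reason, line in entries:
            print(f"{host:12} {reason:20} {line}")
```

Running the block shows the first line filed under `core-rtr1` and the second under the sender's address `10.0.0.9` with the reason `date-fragment:2012`, instead of under a directory called `2012`. The same check applied before the host value reaches the index is a quick way to confirm whether the WAAS header, rather than DNS, is what is producing the wrong host.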