A local syslog process receives data from multiple remote syslog processes and writes the data to a local file indexed by Splunk. That file contains events with different formats. When Splunk indexes records from one of the remotes, the hostname is the Splunk hostname rather than the remote hostname, with the 'process' value erroneously parsed. Data from the local log:
----------
Feb 28 03:49:10 the-imac storeassetd[451]: DAAPClient: pollForUpdate did not load items because localVersion=latestVersion (1452382014=1452382014), forcedUpdate=0
Feb 28 03:49:41 device/12345678901234 - L4: action=DROP reason=DIRECTION-DOWN hook=FORWARD mark= IN=br1 OUT=br2 MAC=00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:00 SRC=192.168.1.180 DST=111.111.111.111 LEN=83 TOS=0x00 PREC=0x00 TTL=63 ID=29145 DF PROTO=TCP MALFORMED=TCP-HEADER
Feb 28 03:50:03 localhost.localdomain crond(pam_unix)[1111]: session opened for user root by (uid=0)
----------
The middle record is parsed incorrectly, with host set to the local Splunk hostname (rather than 'device', with or without the trailing tag following the "/"), and process indexed as 'L4'.
Would it be a local transform which corrects this behavior?
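Added illustration, not part of the question or any answer: a quick Python check of a candidate host regex against the three line formats above, so the expression can be validated before it is put into a Splunk host-override transform. The transforms.conf/props.conf placement named in the comment is the standard Splunk mechanism but is an assumption about this deployment.

```python
import re

# Constructed sample lines reproducing the three formats shown in the question.
SAMPLE_LINES = [
    "Feb 28 03:49:10 the-imac storeassetd[451]: DAAPClient: pollForUpdate did not load items",
    "Feb 28 03:49:41 device/12345678901234 - L4: action=DROP reason=DIRECTION-DOWN hook=FORWARD",
    "Feb 28 03:50:03 localhost.localdomain crond(pam_unix)[1111]: session opened for user root by (uid=0)",
]

# Candidate host-override regex. Group 1 is the token after the syslog timestamp,
# cut at the first "/" so "device/12345678901234" yields "device"; group 2 is the
# optional trailing tag. In Splunk the same expression would be the REGEX of a
# transforms.conf stanza with FORMAT = host::$1 and DEST_KEY = MetaData:Host,
# referenced from props.conf via TRANSFORMS-host = <stanza> (assumed deployment).
HOST_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+"  # e.g. "Feb 28 03:49:41 "
    r"([^\s/]+)(?:/(\S+))?\s"                            # host, optional "/tag"
)


def extract_host(line, keep_tag=False):
    """Return the host for a syslog line, or None if the header is not recognised.

    keep_tag=True returns "device/12345678901234" instead of "device".
    """
    m = HOST_RE.match(line)
    if not m:
        return None
    host, tag = m.group(1), m.group(2)
    return f"{host}/{tag}" if (keep_tag and tag) else host


def check_samples(lines, keep_tag=False):
    """Map each line to its extracted host; run this before committing the regex."""
    return [extract_host(line, keep_tag) for line in lines]


if __name__ == "__main__":
    for line, host in zip(SAMPLE_LINES, check_samples(SAMPLE_LINES)):
        print(f"{host!r:26} <- {line[:60]}")
```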