We are forwarding the messages and secure file to our Splunk server via rsyslog. The files for each server are placed in a separate directory (/var/log/remote/year/month/day/server_name/messages and secure) and ingested into Splunk. Splunk is extracting the correct host name from the messages file, but not the secure file. Each of these files has the same format in regards to date and host name, but for some reason Splunk is assigning the value "splunkserver" as the host name for the contents of the secure file.
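For comparison, an added inputs.conf stanza (not the poster's configuration) showing one way to pin the host field to the directory name for both files; it assumes the Splunk server monitors /var/log/remote directly and that the path layout is exactly /var/log/remote/year/month/day/server_name/.

```ini
# Added example, not from the original post. Assumes files are read by a
# Splunk file monitor and live at
# /var/log/remote/<year>/<month>/<day>/<server_name>/{messages,secure}
[monitor:///var/log/remote]
# Recurse through the date and server directories, but only pick up
# the two syslog files; whitelist matches against the full path.
whitelist = /(messages|secure)$
# Take the host from the 7th path segment:
# /var(1)/log(2)/remote(3)/year(4)/month(5)/day(6)/server_name(7)
host_segment = 7
disabled = false
```

With host_segment set, both files under a given server_name directory receive that directory name as host regardless of how the event header is parsed.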