Changing Syslog Source type for directories

Question

We're using Syslog-ng in our environment and have a forwarder setup on syslog-ng to forward the logs to Splunk. But when they're indexed in Splunk, the sourcetype is "syslog". Is it possible to set this to the actual source type? For example our syslog-ng directory structure looks like such:

/logs/log-type/hostname/

I want to be able to set log-type to be the sourcetype in Splunk. It has to be possible!

Accepted Answer

You would have to set up different monitor stanzas in inputs.conf on the forwarder, e.g.;

[monitor:///logs/nginx/*/]
index = your_index
sourcetype = nginx
host_segment = 3

[monitor:///logs/cisco/*/]
index = your_index
sourcetype = cisco
host_segment = 3

etc etc

If you do not specify sourcetype (which I assume you have not done) Splunk will probably identify and classify it as syslog. And syslog is a sourcetype (the only one I think) where Splunk will automatically extract and set the host for each event in the log individually, i.e. not on a per file basis.

Therefore you will also have to set the host value manually, but the host_segment lets you set this from the path being monitored.

Hope this helps,

Kristian

Answer 2

0

In the inputs file, I have this and it worked:

[monitor:///logs/static-httpd-error-log/*/*.log]
sourcetype = static-httpd-error-log
index = main
host_segment = 3

Thanks for the help!

link

answered 06 Apr '12, 09:43

nkitmitto
61●5
accept rate: 0%

edited 06 Apr '12, 13:30

you are most welcome. /k

(06 Apr '12, 13:36) kristian.kolb

Changing Syslog Source type for directories

Follow this question

Splunk Resources

Related questions