Solved: How to disable hostname chaining?

zliu · ‎03-26-2010

How to disable hostname chaining? Splunk picks the chained hostname rather than the original.

zliu · ‎03-26-2010

There are two alternative solutions for this issue: >

Modify the configuration of syslog server to disable hostname chaining. This is the preferred method since it removes one of the moving parts in this equation and ensures that events being sourceypted as syslog that do not have a chained hostname are not impacted Below is a link for syslog-ng.conf reference: http://linux.die.net/man/5/syslog-ng.conf Look for "chain_hostnames"

Create a props.conf file under your $SPLUNK_HOME/etc/apps/SplunkEnterrpiseSecuritySuite/local with below content:

[syslog] TRANSFORMS = syslog-header-stripper-ts-host, syslog-host

This will tell Splunk to remove the the chained hostname and timestamp from the event and then extract the hostname from the newly modified event.

View solution in original post

zliu · ‎03-26-2010

There are two alternative solutions for this issue: >

Modify the configuration of syslog server to disable hostname chaining. This is the preferred method since it removes one of the moving parts in this equation and ensures that events being sourceypted as syslog that do not have a chained hostname are not impacted Below is a link for syslog-ng.conf reference: http://linux.die.net/man/5/syslog-ng.conf Look for "chain_hostnames"

Create a props.conf file under your $SPLUNK_HOME/etc/apps/SplunkEnterrpiseSecuritySuite/local with below content:

[syslog] TRANSFORMS = syslog-header-stripper-ts-host, syslog-host

This will tell Splunk to remove the the chained hostname and timestamp from the event and then extract the hostname from the newly modified event.

How to disable hostname chaining?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases