Community:Test:How Splunk behaves when receiving or forwarding udp data

From Splunk Wiki


Splunk Syslog data handling


- Inputs UDP
For UDP data with syslog priority information, Splunk behaves as a syslog server and puts a timestamp and the connected host (or IP) in front of the UDP data. This behavior can be disabled with "no_appending_timestamp = true" in inputs.conf. If you want to keep the syslog header, such as <13>, instead of stripping it out, use "no_priority_stripping = true" in inputs.conf. Please note that TCP inputs do not have this behavior: if you send syslog messages from a network device or any syslog client to Splunk over TCP, Splunk will not strip the syslog header off.


- Outputs Syslog (_SYSLOG_ROUTING)
When Splunk forwards events to a syslog server, it puts priority information (default <13>) in front of each event so that the syslog server can handle the events with the proper priority. A typical syslog server then adds a timestamp, the priority and the connected host name, which is the Splunk forwarder in this case. It is also possible to add a timestamp and host name to the event at the time it is forwarded to the syslog server. NOTE: Splunk with a free license does not have this feature.
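To make the two stages concrete, here is a small added Python model (not Splunk code and not from this page) of what the tests below observe: a UDP input with sourcetype=syslog at receive time, and _SYSLOG_ROUTING at forward time. It assumes the page's timestamp shape '%b %e %H:%M:%S' and models the syslogSourceType matching as outputs.conf.spec documents it, not the 5.0.1 bug noted further down.

```python
import re
from datetime import datetime

# A syslog PRI header such as "<13>" at the very start of a datagram.
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample clocks, taken from timestamps in the page's test output.
SAMPLE_NOW = datetime(2013, 4, 2, 13, 35, 31)
SAMPLE_NOW_2 = datetime(2013, 4, 29, 18, 8, 7)


def strftime_e(fmt, now):
    """strftime with a portable %e (space-padded day of month), which Python lacks on some platforms."""
    return now.strftime(fmt.replace("%e", str(now.day).rjust(2)))


def syslog_ts(now):
    """The 'Apr  2 13:35:31' timestamp Splunk puts in front of PRI-tagged UDP data."""
    return strftime_e("%b %e %H:%M:%S", now)


def udp_input_stage(datagram, peer_ip, now,
                    no_appending_timestamp=False, no_priority_stripping=False):
    """_raw that a UDP input with sourcetype=syslog stores (simplified model).

    No PRI header: the datagram is indexed unchanged (host becomes the peer IP
    via connection_host = ip). PRI header present: Splunk acts as a syslog
    server, strips "<13>" and puts a timestamp and the peer address in front.
    The text after "<13>" is kept verbatim, including its leading space, which
    is why the page's results show a double space before 'Tue' and 'ERROR'.
    """
    m = PRI_RE.match(datagram)
    if not m:
        return datagram
    # Assumption: no_priority_stripping keeps the header but changes nothing else.
    body = datagram if no_priority_stripping else datagram[m.end():]
    if no_appending_timestamp:
        return body
    return "%s %s %s" % (syslog_ts(now), peer_ip, body)


def is_syslog_data(sourcetype, syslog_sourcetype=None):
    """outputs.conf.spec rule: sourcetype 'syslog' is syslog data; syslogSourceType
    adds a substring match, or an exact match when written as 'sourcetype::name'."""
    if sourcetype == "syslog":
        return True
    if not syslog_sourcetype:
        return False
    if syslog_sourcetype.startswith("sourcetype::"):
        return sourcetype == syslog_sourcetype[len("sourcetype::"):]
    return syslog_sourcetype in sourcetype


def syslog_output_stage(raw, sourcetype, host, now, priority="<13>",
                        timestampformat=None, syslog_sourcetype=None):
    """What _SYSLOG_ROUTING hands to the syslog server (simplified model).

    Syslog data only gets the priority in front. Other data also gets the
    event's host, and a timestamp first when outputs.conf sets timestampformat.
    """
    if is_syslog_data(sourcetype, syslog_sourcetype):
        return priority + raw
    ts = strftime_e(timestampformat, now) if timestampformat else ""
    # Without a timestamp the join leaves the single space seen after "<13>".
    return priority + " ".join([ts, host, raw])
```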


The following diagram shows the default behavior of Splunk for two differently formatted syslog messages.
(There are options to change this behavior; see the Splunk online docs and the outputs.conf.spec file for more information.)

  • Message A shows a typical UDP syslog packet.
  • Message B shows a packet which lacks the normal priority/facility numeric prefix.

[Image: Splunk Syslog messages v00.jpg]



The following diagram shows the default behavior of Splunk for two differently formatted non-syslog sourcetype messages. (There are options to change this behavior; see the Splunk online docs and the outputs.conf.spec file for more information.)

  • Message A shows a typical UDP syslog packet, but Splunk is parsing the event as a non-syslog sourcetype.
  • Message B shows a packet which lacks the normal priority/facility numeric prefix, and Splunk is parsing the event as a non-syslog sourcetype.
  • Note that the input stage is the same as for syslog sourcetype events. Splunk's output will have the originating host in front of the event.

[Image: Splunk Syslog messages nonsyslog v00.jpg]




The following diagram shows the default behavior of Splunk for two differently formatted non-syslog sourcetype messages with the timestampformat attribute set. (There are options to change this behavior; see the Splunk online docs and the outputs.conf.spec file for more information.)

  • Message A shows a typical UDP syslog packet, but Splunk is parsing the event as a non-syslog sourcetype.
  • Message B shows a packet which lacks the normal priority/facility numeric prefix, and Splunk is parsing the event as a non-syslog sourcetype.
  • Note that the input stage is the same as for syslog sourcetype events. Splunk's output will have a timestamp and the originating host in front of the event.

[Image: Splunk Syslog messages nonsyslog timestampformat v00.jpg]

Test and Results: How Splunk Handles UDP/syslog/non-syslog sourcetype events

####################################################
# 
# Test Procedure Overview (Tested in v5.0.1)
#
####################################################

1. Set up a UDP listener (server) to receive events forwarded from Splunk
2. Set up Splunk to listen on UDP and forward the UDP data
3. Restart Splunk
4. Run a real-time search to monitor incoming UDP data
5. Send a test string to the UDP port
6. Check the result in both Splunk and the UDP server




####################################################
#
# Test Results
# ( Instead of step 4, I used  a historical search after step 5)
#
####################################################


1. Set up a UDP listener (server) to receive events forwarded from Splunk
=> Used a small perl script to add the received IP info. (For a simple test, you can use netcat -lu.)
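An added Python stand-in for that listener (it is not the page's perl script, which is not reproduced here): it prints each datagram in the same "Received From ip:port" shape the results below use, and assumes the 127.0.0.1:55554 address from the outputs.conf in step 2.

```python
import socket
import time

# Address the page's outputs.conf points at: server = 127.0.0.1:55554
LISTEN_ADDR = ("127.0.0.1", 55554)


def format_received(peer, data, stamp=None):
    """One output line in the shape of the page's udp_server.pl output:
    '<ctime>:Received From <ip>:<port>:  <payload>'. A fixed stamp can be
    passed in so the formatting can be checked without a real clock."""
    stamp = time.ctime() if stamp is None else stamp
    # Splunk may or may not terminate the datagram with a newline; drop it either way.
    payload = data.decode("utf-8", "replace").rstrip("\r\n")
    return "%s:Received From %s:%d:  %s" % (stamp, peer[0], peer[1], payload)


def serve(addr=LISTEN_ADDR):
    """Print every datagram that Splunk's [syslog:udpserver] output forwards here."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(addr)
    print("listening on udp://%s:%d" % addr)
    while True:
        data, peer = sock.recvfrom(65535)
        print(format_received(peer, data), flush=True)


if __name__ == "__main__":
    serve()
```

Run it on the UDP server host before restarting Splunk, then send the test strings from step 4.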


2. Set up Splunk to listen on UDP and forward the UDP data


- inputs.conf
[udp://55515]
connection_host = ip
sourcetype = syslog
 
- props.conf
[source::udp:55515]
TRANSFORMS-fwd2syslog = syslogout

- transforms.conf
[syslogout]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = udpserver

- outputs.conf
[syslog:udpserver]
server = 127.0.0.1:55554


3. Restart Splunk


4. Send a test string to the UDP port
- Only raw data
=> Failed to parse the host (router01) with the default props.conf behavior because this time format is not "syslog-like"
# echo "`date` router01 test1 ERROR" | nc -w 1 -u 10.1.12.1 55515

- Even just "ERROR"
=> Host is the IP address of the remote host
# echo "ERROR" | nc -w 1 -u 10.1.12.1 55515

- Add <13> so that Splunk acts as a syslog server and puts the time and connected host in front
# echo "<13> `date` router01 test1 ERROR" | nc -w 1 -u 10.1.12.1 55515

- Use a syslog-like time format
=> Host (router01) will be parsed by Splunk with the default props.conf behavior
# echo "<13> `date +'%a %h %H:%M:%S'` router01 test1 ERROR" | nc -w 1 -u 10.1.12.1 55515



5. Check the result in Splunk
=> Splunk adds the time and connected host info only when the <13> PRI was received

Preview of: index=custom* | eval T=_time | convert ctime(T) | eval IT=_indextime | eval R=_raw | sort IT | table T sourcetype host R

         T          sourcetype     host                                            R
------------------- ---------- ------------ -------------------------------------------------------------------------------
04/02/2013 13:34:52 syslog     PDT          Tue Apr  2 13:34:52 PDT 2013 router01 test1 ERROR
04/02/2013 13:35:03 syslog     10.160.31.14 ERROR
04/02/2013 13:35:31 syslog     10.160.31.14 Apr  2 13:35:31 10.160.31.14  Tue Apr  2 13:35:31 PDT 2013 router01 test1 ERROR
04/02/2013 13:36:06 syslog     10.160.31.14 Apr  2 13:36:06 10.160.31.14  Tue Apr 13:36:06 router01 test1 ERROR




6. Check the result in the UDP server
=> Splunk's _SYSLOG_ROUTING adds <13> so that a syslog server can append the proper information if needed
=> No host name was added to these events at the forwarding stage because Splunk assumes any "syslog" sourcetype event is already "syslog-formatted (HOST MSG)"

Tue Apr  2 13:34:52 2013:Received From 127.0.0.1:53895:  <13>Tue Apr  2 13:34:52 PDT 2013 router01 test1 ERROR
Tue Apr  2 13:35:03 2013:Received From 127.0.0.1:53895:  <13>ERROR
Tue Apr  2 13:35:31 2013:Received From 127.0.0.1:53895:  <13>Apr  2 13:35:31 10.160.31.14  Tue Apr  2 13:35:31 PDT 2013 router01 test1 ERROR
Tue Apr  2 13:36:06 2013:Received From 127.0.0.1:53895:  <13>Apr  2 13:36:06 10.160.31.14  Tue Apr 13:36:06 router01 test1 ERROR


####################################################
#
# Use "no_appending_timestamp = true" if you do not want Splunk to add the time and host even when the <13> PRI exists
# 
####################################################


- inputs.conf
[udp://55515]
connection_host = ip
sourcetype = syslog
no_appending_timestamp = true


1. Send this to Splunk
# echo "`date` router01 test1 ERROR" | nc -w 1 -u 10.1.12.1 55515
# echo "ERROR" | nc -w 1 -u 10.1.12.1 55515
- PRI is included
# echo "<13> `date` router01 test1 ERROR" | nc -w 1 -u 10.1.12.1 55515
- Time format is syslog-like
# echo "<13> `date +'%a %h %H:%M:%S'` router01 test1 ERROR" | nc -w 1 -u 10.1.12.1 55515




2. Check Splunk
=> Notice there is no translation of <13>
=> When the time format is not syslog-like, host name parsing fails

Preview of: index=custom* | eval T=_time | convert ctime(T) | eval IT=_indextime | eval R=_raw | sort IT | table T sourcetype host R

         T          sourcetype     host                             R
------------------- ---------- ------------ -------------------------------------------------
04/02/2013 13:30:47 syslog     PDT          Tue Apr  2 13:30:47 PDT 2013 router01 test1 ERROR
04/02/2013 13:30:47 syslog     10.160.31.14 ERROR
04/02/2013 13:31:02 syslog     PDT          Tue Apr  2 13:31:02 PDT 2013 router01 test1 ERROR
04/02/2013 13:31:11 syslog     router01     Tue Apr 13:31:11 router01 test1 ERROR



3. Check the UDP server
Tue Apr  2 13:30:49 2013:Received From 127.0.0.1:39442:  <13>Tue Apr  2 13:30:47 PDT 2013 router01 test1 ERROR
Tue Apr  2 13:30:53 2013:Received From 127.0.0.1:39442:  <13>ERROR
Tue Apr  2 13:31:02 2013:Received From 127.0.0.1:39442:  <13> Tue Apr  2 13:31:02 PDT 2013 router01 test1 ERROR
Tue Apr  2 13:31:11 2013:Received From 127.0.0.1:39442:  <13> Tue Apr 13:31:11 router01 test1 ERROR



####################################################
#
# Testing how to remove the priority from Splunk _SYSLOG_ROUTING
# => In this test, an empty value for priority did not work (v5.0.1)
# => In 5.0.4, an empty value for priority should work
#  
####################################################

# Test 1 Use "" with v5.0.2

- outputs.conf
[syslog:udpserver]
server = 10.1.12.1:514
priority = ""

(Received From 127.0.0.1:38795):  ""Wed Mar 13 18:03:54 PDT 2013 router01 test1 ERROR
(Received From 127.0.0.1:38795):  ""ERROR
(Received From 127.0.0.1:38795):  "" Wed Mar 13 18:04:09 PDT 2013 router01 test1 ERROR





# Test 2 no value (v5.0.4 pre-QAed build)
- outputs.conf
[syslog:udpserver]
server = 10.1.12.1:514
priority = 


- Result at the UDP server
(Received From 127.0.0.1:58363):  Wed Mar 13 18:00:56 PDT 2013 router01 test1 ERRO
(Received From 127.0.0.1:58363):  ERRO
(Received From 127.0.0.1:58363):  Wed Mar 13 18:01:17 PDT 2013 router01 test1 ERRO


####################################################
#
# _SYSLOG_ROUTING for different sourcetypes
# syslog vs non-syslog
#
####################################################

- inputs.conf 
[udp://55515]
sourcetype = syslog
connection_host = ip
index = custom_orig
#no_appending_timestamp = true

[udp://55516]
sourcetype = nonsyslog
connection_host = ip
index = custom_orig

- props.conf
[mytest]
TRANSFORMS-fwd2syslogout = syslogout

[source::udp:55515]
TRANSFORMS-fwd2syslogout = syslogout

[source::udp:55516]
TRANSFORMS-fwd2syslogout = syslogout

- transforms.conf
[syslogout]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = udpserver

- outputs.conf
[syslog:udpserver]
server = 127.0.0.1:55554

### Events ###

[root@centos62-64sup01 ~]# echo "ERROR login failure(udp sending to 55515 sourcetype=syslog)" | nc -w 1 -u 10.1.12.1 55515
[root@centos62-64sup01 ~]# echo "<13> ERROR login failure(udp sending to 55515 sourcetype=syslog)" | nc -w 1 -u 10.1.12.1 55515
[root@centos62-64sup01 ~]# echo "ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)" | nc -w 1 -u 10.1.12.1 55516
[root@centos62-64sup01 ~]# echo "<13> ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)" | nc -w 1 -u 10.1.12.1 55516
[root@centos62-64sup01 ~]# ssh 10.1.12.1
Last login: Tue Apr  2 12:48:00 2013 from centos62-64sup01.splunk.com
[root@beefysup01 splunk501]# cat ./mytest.log
Tue Apr  2 13:52:02 ERROR login failed: masa (sourcetype=mytest oneshot file)
[root@beefysup01 splunk501]# ./bin/splunk add oneshot ./mytest.log -sourcetype mytest -index custom_orig -auth admin:changeme1
Oneshot '/home/masa/splunk501/mytest.log' added


### @Splunk ###

Preview of: index=custom* | eval T=_time | convert ctime(T) | eval IT=_indextime | eval R=_raw | sort IT | table T sourcetype host R

         T          sourcetype     host                                              R
------------------- ---------- ------------ ------------------------------------------------------------------------------------
04/02/2013 13:45:05 syslog     10.160.31.14 ERROR login failure(udp sending to 55515 sourcetype=syslog)
04/02/2013 13:45:21 syslog     10.160.31.14 Apr  2 13:45:21 10.160.31.14  ERROR login failure(udp sending to 55515 sourcetype=syslog)
04/02/2013 13:45:43 nonsyslog  10.160.31.14 ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)
04/02/2013 13:46:00 nonsyslog  10.160.31.14 Apr  2 13:46:00 10.160.31.14  ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)
04/02/2013 13:52:02 mytest     beefysup01   Tue Apr  2 13:52:02 ERROR login failed: masa (sourcetype=mytest oneshot file)




### @udp server events forwarded from Splunk ###
[root@beefysup01 ~]# ./bin/udp_server.pl

Tue Apr  2 13:45:05 2013:Received From 127.0.0.1:59411:  <13>ERROR login failure(udp sending to 55515 sourcetype=syslog)
Tue Apr  2 13:45:21 2013:Received From 127.0.0.1:59411:  <13>Apr  2 13:45:21 10.160.31.14  ERROR login failure(udp sending to 55515 sourcetype=syslog)
Tue Apr  2 13:45:43 2013:Received From 127.0.0.1:59411:  <13> 10.160.31.14 ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)
Tue Apr  2 13:46:10 2013:Received From 127.0.0.1:59411:  <13> 10.160.31.14 Apr  2 13:46:00 10.160.31.14  ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)
Tue Apr  2 13:52:42 2013:Received From 127.0.0.1:59411:  <13> beefysup01 Tue Apr  2 13:52:02 ERROR login failed: masa (sourcetype=mytest oneshot file)



####################################################
#
# _SYSLOG_ROUTING for different sourcetypes
# syslog vs non-syslog
# Added timestampformat for non-syslog sourcetypes
#  => Note that timestamp was added to non-syslog sourcetype events at _SYSLOG_ROUTING
#
####################################################

- inputs.conf 
[udp://55515]
sourcetype = syslog
connection_host = ip
index = custom_orig
#no_appending_timestamp = true

[udp://55516]
sourcetype = nonsyslog
connection_host = ip
index = custom_orig

- props.conf
[mytest]
TRANSFORMS-fwd2syslogout = syslogout

[source::udp:55515]
TRANSFORMS-fwd2syslogout = syslogout

[source::udp:55516]
TRANSFORMS-fwd2syslogout = syslogout

- transforms.conf
[syslogout]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = udpserver

- outputs.conf
[syslog:udpserver]
server = 127.0.0.1:55554
timestampformat = %b %e %H:%M:%S 



### Events ###

[root@centos62-64sup01 ~]# echo "ERROR login failure(udp sending to 55515 sourcetype=syslog)" | nc -w 1 -u 10.1.12.1 55515
[root@centos62-64sup01 ~]# echo "<13> ERROR login failure(udp sending to 55515 sourcetype=syslog)" | nc -w 1 -u 10.1.12.1 55515
[root@centos62-64sup01 ~]# echo "ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)" | nc -w 1 -u 10.1.12.1 55516
[root@centos62-64sup01 ~]# echo "<13> ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)" | nc -w 1 -u 10.1.12.1 55516
[root@centos62-64sup01 ~]# ssh 10.1.12.1
Last login: Mon Apr 29 17:55:31 2013 from 10.160.255.125
[root@beefysup01 splunk501]# cat ./mytest.log 
Tue Apr 29 18:09:23 ERROR login failed: masa (sourcetype=mytest oneshot file)
[root@beefysup01 splunk501]#  ./bin/splunk add oneshot ./mytest.log -sourcetype mytest -index custom_orig -auth admin:changeme1
Oneshot '/home/masa/splunk501/mytest.log' added



### @Splunk ###

Preview of: index=custom* | eval T=_time | convert ctime(T) | eval IT=_indextime | eval R=_raw | sort IT | table T sourcetype host R

         T          sourcetype     host                                                  R
------------------- ---------- ------------ --------------------------------------------------------------------------------------------
04/29/2013 18:06:41 syslog     10.160.31.14 ERROR login failure(udp sending to 55515 sourcetype=syslog)
04/29/2013 18:06:59 syslog     10.160.31.14 Apr 29 18:06:59 10.160.31.14  ERROR login failure(udp sending to 55515 sourcetype=syslog)
04/29/2013 18:08:07 nonsyslog  10.160.31.14 ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)
04/29/2013 18:08:49 nonsyslog  10.160.31.14 Apr 29 18:08:49 10.160.31.14  ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)
04/29/2013 18:09:23 mytest     beefysup01   Tue Apr 29 18:09:23 ERROR login failed: masa (sourcetype=mytest oneshot file)



### @udp server events forwarded from Splunk ###
[root@beefysup01 ~]# ./bin/udp_server.pl

Mon Apr 29 18:06:41 2013:Received From 127.0.0.1:40161:  <13>ERROR login failure(udp sending to 55515 sourcetype=syslog)
Mon Apr 29 18:06:59 2013:Received From 127.0.0.1:40161:  <13>Apr 29 18:06:59 10.160.31.14  ERROR login failure(udp sending to 55515 sourcetype=syslog)
Mon Apr 29 18:08:07 2013:Received From 127.0.0.1:40161:  <13>Apr 29 18:08:07 10.160.31.14 ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)
Mon Apr 29 18:08:59 2013:Received From 127.0.0.1:40161:  <13>Apr 29 18:08:49 10.160.31.14 Apr 29 18:08:49 10.160.31.14  ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)
Mon Apr 29 18:11:52 2013:Received From 127.0.0.1:40161:  <13>Apr 29 18:09:23 beefysup01 Tue Apr 29 18:09:23 ERROR login failed: masa (sourcetype=mytest oneshot file)





###########################################################
#
# Test: How "syslogSourceType = nonsyslog" works
# => Haha, it does not work as the spec file says.... filing a bug.
# ==> This bug will be fixed in 5.0.4 (Until then, this attribute does not work.)
# 
# => Output: syslogSourceType = nonsyslog
# Default: For "syslog" sourcetype events, Splunk will not add the sender host name even if no host name exists in the event
#
###########################################################

- inputs.conf 
[udp://55515]
sourcetype = syslog
connection_host = ip
index = custom_orig


[udp://55516]
sourcetype = nonsyslog
connection_host = ip
index = custom_orig

- props.conf
[mytest]
TRANSFORMS-fwd2syslogout = syslogout
[source::udp:55515]
TRANSFORMS-fwd2syslogout = syslogout

[source::udp:55516]
TRANSFORMS-fwd2syslogout = syslogout

- transforms.conf
[syslogout]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = udpserver

- outputs.conf
[syslog:udpserver]
server = 127.0.0.1:55554
# Is this working???? A bug?
syslogSourceType = nonsyslog


### Events ###

# sourcetype=nonsyslog => No translation of <13>, SYSLOG_ROUTING adding
[root@centos62-64sup01 ~]# echo "ERROR login failure(udp sending to 55515 sourcetype=syslog)" | nc -w 1 -u 10.1.12.1 55515
[root@centos62-64sup01 ~]# echo "<13> ERROR login failure(udp sending to 55515 sourcetype=syslog)" | nc -w 1 -u 10.1.12.1 55515
[root@centos62-64sup01 ~]# echo "ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)" | nc -w 1 -u 10.1.12.1 55516
[root@centos62-64sup01 ~]# echo "<13> ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)" | nc -w 1 -u 10.1.12.1 55516
[root@centos62-64sup01 ~]# ssh 10.1.12.1
Last login: Tue Apr  2 14:20:54 2013 from centos62-64sup01.splunk.com
[root@beefysup01 splunk501]# cat ./mytest.log
Tue Apr  2 14:27:23 ERROR login failed: masa (sourcetype=mytest oneshot file)
[root@beefysup01 splunk501]# ./bin/splunk add oneshot ./mytest.log -sourcetype mytest -index custom_orig -auth admin:changeme1
Oneshot '/home/masa/splunk501/mytest.log' added


### @Splunk ###

Preview of: index=custom* | eval T=_time | convert ctime(T) | eval IT=_indextime | eval R=_raw | sort IT | table T sourcetype host R

         T          sourcetype     host                                              R
------------------- ---------- ------------ ------------------------------------------------------------------------------------
04/02/2013 14:25:26 syslog     10.160.31.14 ERROR login failure(udp sending to 55515 sourcetype=syslog)
04/02/2013 14:25:40 syslog     10.160.31.14 Apr  2 14:25:40 10.160.31.14  ERROR login failure(udp sending to 55515 sourcetype=sy
04/02/2013 14:26:06 nonsyslog  10.160.31.14 ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)
04/02/2013 14:26:17 nonsyslog  10.160.31.14 Apr  2 14:26:17 10.160.31.14  ERROR login failure(udp sending to 55516 sourcetype=no
04/02/2013 14:27:23 mytest     beefysup01   Tue Apr  2 14:27:23 ERROR login failed: masa (sourcetype=mytest oneshot file)



### @udp server events forwarded from Splunk ###
[root@beefysup01 ~]# ./bin/udp_server.pl

Tue Apr  2 14:25:26 2013:Received From 127.0.0.1:45579:  <13>ERROR login failure(udp sending to 55515 sourcetype=syslog)
Tue Apr  2 14:25:40 2013:Received From 127.0.0.1:45579:  <13>Apr  2 14:25:40 10.160.31.14  ERROR login failure(udp sending to 55515 sourcetype=syslog)
Tue Apr  2 14:26:06 2013:Received From 127.0.0.1:45579:  <13> 10.160.31.14 ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)
Tue Apr  2 14:26:27 2013:Received From 127.0.0.1:45579:  <13> 10.160.31.14 Apr  2 14:26:17 10.160.31.14  ERROR login failure(udp sending to 55516 sourcetype=nonsyslog)
Tue Apr  2 14:28:02 2013:Received From 127.0.0.1:45579:  <13> beefysup01 Tue Apr  2 14:27:23 ERROR login failed: masa (sourcetype=mytest oneshot file)




#
# True?
# Universal Forwarder cannot do _SYSLOG_ROUTING
# => Probably some modules needed for this routing job are missing in the UF
#

- inputs.conf
[udp://55515]
connection_host = ip
index = custom_orig
sourcetype = syslog
#no_appending_timestamp = true
_SYSLOG_ROUTING = udpserver


- outputs.conf
[syslog:udpserver]
server = 127.0.0.1:55554



#########################
#
# - outputs.conf.spec (v5.0.1)
#    timestampformat
#
#########################


timestampformat = <format>
* If specified, the formatted timestamps are added to the start of events forwarded to syslog.
* As above, this logic is only applied when the data is not syslog data (that is, neither the 'syslog' sourcetype nor a syslogSourceType match).
* The format is a strftime-style timestamp formatting string. This is the same implementation used in 
  the 'eval' search command, splunk logging, and other places in splunkd.
    *  For example: %b %e %H:%M:%S
    * %b - Abbreviated month name (Jan, Feb, ...)
    * %e - Day of month
    * %H - Hour
    * %M - Minute
    * %S - Second
* For a more exhaustive list of the formatting specifiers, refer to the online documentation.
* Note that the string is not quoted.
* Defaults to unset, which means that no timestamp will be inserted into the front of events.



#########################
#
# - outputs.conf.spec (v5.0.1)
#    syslogSourceType
#  !!!! WARNING: Value for this attribute  does not take regex. It takes only "string" !!!
#########################


syslogSourceType = <string>
* Specifies an additional rule for handling data, in addition to that provided by
  the 'syslog' source type.
* This string is used as a substring match against the sourcetype key.  For
  example, if the string is set to 'syslog', then all source types containing the
  string 'syslog' will receive this special treatment.
* To match a source type explicitly, use the pattern "sourcetype::sourcetype_name".
    * Example: syslogSourceType = sourcetype::apache_common
* Data which is 'syslog' or matches this setting is assumed to already be in 
  syslog format. 
* Data which does not match the rules has a header, potentially a timestamp,
  and a hostname added to the front of the event.  This is how Splunk causes
  arbitrary log data to match syslog expectations.
* Defaults to unset.


#########################
#
# - outputs.conf.spec (v5.0.1)
#  Syslog priority translation 
# 
#########################

priority = <priority_value>
* The priority_value should be specified as "<integer>" (an integer surrounded by angle brackets). For 
  example, specify a priority of 34 like this: <34>
* The integer must be one to three digits in length.
* The value you enter will appear in the syslog header.
* Mimics the number passed via syslog interface call, documented via man syslog.
* The integer can be computed as (<facility> * 8) + <severity>. For example, if <facility> is 4 
  (security/authorization messages) and <severity> is 2 (critical conditions), the priority 
  will be 34 = (4 * 8) + 2. Set the attribute to: <34>
* The table of facility and severity (and their values) can be referenced in RFC3164, eg 
  http://www.ietf.org/rfc/rfc3164.txt section 4.1.1
* Defaults to <13>, or a facility of "user" or typically unspecified application,
  and severity of "Notice".
* The table is reproduced briefly here, some of these are archaic.
  Facility:
     0 kernel messages
     1 user-level messages
     2 mail system
     3 system daemons
     4 security/authorization messages
     5 messages generated internally by syslogd
     6 line printer subsystem
     7 network news subsystem
     8 UUCP subsystem
     9 clock daemon
    10 security/authorization messages
    11 FTP daemon
    12 NTP subsystem
    13 log audit
    14 log alert
    15 clock daemon
    16 local use 0  (local0)
    17 local use 1  (local1)
    18 local use 2  (local2)
    19 local use 3  (local3)
    20 local use 4  (local4)
    21 local use 5  (local5)
    22 local use 6  (local6)
    23 local use 7  (local7)
  Severity:
    0  Emergency: system is unusable
    1  Alert: action must be taken immediately
    2  Critical: critical conditions
    3  Error: error conditions
    4  Warning: warning conditions
    5  Notice: normal but significant condition
    6  Informational: informational messages
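A worked version of the priority arithmetic above, as an added Python example (not from the page or from Splunk): it builds the outputs.conf priority value from facility and severity, and decodes the <N> header on lines received at the UDP server, which is the check that shows whether Splunk put a priority in front of each forwarded event. The tables follow RFC 3164 section 4.1.1; severity 7 (Debug), which the table above omits, is taken from the RFC.

```python
import re

# Facility names, indexed by facility number (RFC 3164 section 4.1.1).
FACILITIES = [
    "kernel messages", "user-level messages", "mail system", "system daemons",
    "security/authorization messages", "messages generated internally by syslogd",
    "line printer subsystem", "network news subsystem", "UUCP subsystem",
    "clock daemon", "security/authorization messages", "FTP daemon",
    "NTP subsystem", "log audit", "log alert", "clock daemon",
] + ["local use %d (local%d)" % (i, i) for i in range(8)]

# Severity names, indexed by severity number; 7 (Debug) comes from the RFC.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
              "Informational", "Debug"]

# One to three digits inside angle brackets at the start of the line.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """outputs.conf 'priority' value: (<facility> * 8) + <severity> in angle brackets."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return "<%d>" % (facility * 8 + severity)


def decode_pri(line):
    """(facility name, severity name) for the header at the start of a forwarded
    line, or None when there is no valid header. The page's priority = "" test
    produced lines starting with '""', which decode as no header at all."""
    m = PRI_RE.match(line)
    if not m:
        return None
    n = int(m.group(1))
    if n > 23 * 8 + 7:          # 191 is the largest PRI the tables allow
        return None
    return FACILITIES[n // 8], SEVERITIES[n % 8]
```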
