splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

SC4S forwards logs to Splunk without date and hostname. #2296

Closed Adpafer closed 6 months ago

Adpafer commented 7 months ago

Hello,

I have rsyslog configured on my linuxPC that sends logs to SC4S and then SC4S forwards these logs to a given index. Logs received by SC4S look like this example:

<30>Dec 20 08:35:26 linuxPC dbus-daemon[533]: [system] Successfully activated service 'net.reactivated.Fprint'

but when SC4S forwards them to Splunk, Splunk receives them with no date, time and host name:

dbus-daemon[533]: [system] Successfully activated service 'net.reactivated.Fprint'

Is there any way Splunk can receive the same log?

thanks for help, regards, pawelF
ikheifets-splunk commented 7 months ago

Hello, @Adpafer !

In your message:

<30>Dec 20 08:35:26 linuxPC dbus-daemon[533]: [system] Successfully activated service 'net.reactivated.Fprint'

The part that you mentioned is a message header according to the RFC:

<30>Dec 20 08:35:26 linuxPC (<PRI> DATETIME HOSTNAME). The next thing is the message body: dbus-daemon[533]: [system] Successfully activated service 'net.reactivated.Fprint'

We parse this header and save it to variables (highlighted in the screenshot), and you can search by these variables (example message in the screenshot):

Screenshot 2023-12-22 at 15 09 50

But you can find the original message in our tests; it also contains <PRI> DATETIME HOSTNAME.

P.S. If you really want to add this info to Splunk, then you can use t_everything instead of t_msg_only for your custom parser.

P.P.S. It's not a bug; it seems that I need to close it. Please let me know if something is unclear.
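To make the header/body split in the answer above concrete, here is an added example (not SC4S or syslog-ng code, and not from either commenter): a small parser for the RFC 3164 (BSD syslog) line shape the reporter posted. It splits <PRI>, the timestamp and the hostname from the message body, derives facility and severity from PRI, and renders the two forms discussed in the thread: body only (the behaviour the reporter saw) and the full line with its header. The function names, the `year` argument (BSD timestamps carry no year) and the sample line are assumptions made for this example; a line with no parseable header is treated the way a syslog receiver treats it, as body only.

```python
"""Added example: parse an RFC 3164 syslog header and render msg-only vs full line.
Not SC4S code; function names and sample input are constructed for illustration."""
import re
from datetime import datetime

# Constructed sample line, in the shape posted in the issue.
SAMPLE = ("<30>Dec 20 08:35:26 linuxPC dbus-daemon[533]: [system] "
          "Successfully activated service 'net.reactivated.Fprint'")

# <PRI>, then "Mmm dd hh:mm:ss" (day may be space-padded), then HOSTNAME, then MSG.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Facility codes 0..23 and severity codes 0..7 as listed in RFC 3164 / RFC 5424.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()


def parse_rfc3164(line: str, year: int) -> dict:
    """Split a BSD syslog line into header fields plus MSG.

    `year` is supplied by the caller because the BSD timestamp has none.
    A line with no parseable header becomes MSG in full, header fields None.
    """
    m = _HEADER.match(line)
    if m is None:
        return {"pri": None, "facility": None, "severity": None,
                "timestamp": None, "host": None, "msg": line}
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    # strptime treats whitespace in the format as one-or-more spaces,
    # so a space-padded day such as "Jan  5" parses as well.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"pri": pri, "facility": FACILITIES[facility],
            "severity": SEVERITIES[severity], "timestamp": ts,
            "host": m["host"], "msg": m["msg"]}


def render_msg_only(fields: dict) -> str:
    """Body only: what the reporter saw in Splunk."""
    return fields["msg"]


def render_everything(fields: dict) -> str:
    """Header plus body: the original line, rebuilt from the parsed fields."""
    if fields["pri"] is None:
        return fields["msg"]
    ts = fields["timestamp"]
    # BSD timestamps space-pad the day to two characters ("Dec 20", "Jan  5").
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{fields['pri']}>{stamp} {fields['host']} {fields['msg']}"


if __name__ == "__main__":
    f = parse_rfc3164(SAMPLE, year=2023)
    print("host:", f["host"], "facility:", f["facility"], "severity:", f["severity"])
    print("msg only  :", render_msg_only(f))
    print("everything:", render_everything(f))
```

For the sample line PRI 30 decodes to facility 3 (daemon) and severity 6 (info), the host is `linuxPC`, and the body-only rendering is exactly the string the reporter saw in Splunk; the full rendering round-trips to the original line. Those header values are what SC4S keeps as indexed fields, so nothing is lost, it is just no longer in `_raw` when the msg-only template is used.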

ikheifets-splunk commented 6 months ago

Detailed answer here. It seems that we don't need to fix it. No reaction from the customer, closing.