Differences in syslog logging between SumoLogic and Splunk
Here is SumoLogic output:
<182>Sep 19 12:28:37 host01 apache: 38.88.188.18 - - [19/Sep/2013:12:28:37 -0500] "GET /wp-content/themes/esplanade/images/controls.png HTTP/1.1" 200 1904 " https://www.geekandi.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) AppleWebKit/537.71 (KHTML, like Gecko) Version/7.0 Safari/537.71"
And Splunk:
Sep 19 12:28:37 host01.geekandi.com Sep 19 12:28:37 host01 apache: 38.88.188.18 - - [19/Sep/2013:12:28:37 -0500] "GET /wp-content/themes/esplanade/images/controls.png HTTP/1.1" 200 1904 " https://www.geekandi.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) AppleWebKit/537.71 (KHTML, like Gecko) Version/7.0 Safari/537.71"
Notice the <182> item.
Why is that not being absorbed?
-
Hi Mike,
This has already been answered by Kevin in our ticketing system - here's the answer again for the benefit of our community:
Sumo Logic does not manipulate the content of your incoming data, unless you specifically choose to do so using masking or other filters. The <182> at the beginning of your message is the Syslog priority for the message and is part of the message delivered to the Sumo Logic Collector. If you do not want to see this value in any of your messages you will need to create a mask filter on your sources to convert this value to another. The following regular expression can be used as part of a masking filter configuration.
(^<\d{3}>)
The filter requires at least 1 character to replace the found text, so in your case you may choose to replace this with a simple "-" or ".".
For more help on setting up masking filters you can reference the following documentation.
https://service.sumologic.com/ui/help/Default.htm#Mask_Filters.htm
Thanks, -Keith
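As an added illustration (my own code, not part of the original thread or of Sumo Logic's product), the script below decodes the <182> prefix into its syslog facility and severity and applies a mask of the kind described in the answer. It goes slightly beyond the page: the answer's pattern (^<\d{3}>) matches only three-digit PRI values, whereas a PRI can be one to three digits (0 to 191), so the script keeps the page's pattern alongside a generalised one and shows the difference on a constructed line with PRI <13>. The sshd line and its IP address are constructed sample input, not data from the page.

```python
import re
from typing import Optional, Tuple

# Regex exactly as given in the answer above: masks a three-digit PRI only.
PAGE_MASK_RE = re.compile(r"(^<\d{3}>)")
# Generalised form (assumption: RFC 3164/5424 PRI is 1 to 3 digits, value 0-191).
GENERAL_MASK_RE = re.compile(r"^<\d{1,3}>")
# Capturing variant used when decoding rather than masking.
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Standard syslog facility and severity names (RFC 3164 section 4.1.1).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Sample input: the first line is a shortened copy of the line shown in the question;
# the second is constructed to show a PRI with fewer than three digits.
SAMPLE_PAGE_LINE = (
    '<182>Sep 19 12:28:37 host01 apache: 38.88.188.18 - - '
    '[19/Sep/2013:12:28:37 -0500] "GET /wp-content/themes/esplanade/images/controls.png HTTP/1.1" 200 1904'
)
SAMPLE_LOW_PRI_LINE = (
    "<13>Sep 19 12:30:01 host01 sshd: Accepted publickey for deploy from 192.0.2.10"
)


def decode_pri(pri: int) -> Tuple[str, str]:
    """PRI = facility * 8 + severity, so facility is pri >> 3 and severity is pri & 7."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def mask_pri(line: str, pattern: re.Pattern = GENERAL_MASK_RE, replacement: str = "-") -> str:
    """Replace the leading PRI with a non-empty token, mirroring what a mask filter does."""
    return pattern.sub(replacement, line, count=1)


def parse_pri(line: str) -> Optional[dict]:
    """Return the decoded PRI and the remaining message, or None if there is no valid PRI prefix."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity, "message": line[m.end():]}


if __name__ == "__main__":
    for line in (SAMPLE_PAGE_LINE, SAMPLE_LOW_PRI_LINE):
        print(parse_pri(line))
        print("page regex    :", mask_pri(line, PAGE_MASK_RE)[:40])
        print("general regex :", mask_pri(line)[:40])
```

Decoding <182> gives facility local6 at severity info, which is the useful information the prefix carries; a masking filter discards it, so if the facility or severity matters for searches it is worth parsing the prefix into fields instead of replacing it.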