If you have ever used Splunk to read messages that arrive in more than one format, you will know that it normally only recognises the first format it comes across: a syslog line that wraps a JSON or XML payload is indexed as syslog, and the payload is left as opaque text.

I use rsyslog for transporting my messages from system to system, and Splunk does a great job of parsing the data. However, if you have JSON or XML embedded in one of these messages it struggles. Sure, you can spath or rex it out, add a transform, or just build a search, but these are cumbersome and take time, so I looked at ways of making it a native task.

The best way I could find of doing this was to use the filters in rsyslog to strip the syslog header from incoming messages before storing them in the file read by Splunk, so that the file contains only the embedded payload.

The process is simple: create a file called /etc/rsyslog.d/untangle.conf with the following contents (the original post omitted the closing brace of the else block; the comments are explanatory):

# Template: keep only the payload, from the first '{"' to the end of the
# message. R,ERE,0,BLANK = extended regex, submatch 0 (the whole match),
# write an empty line when the message contains no '{"' at all.
$Template untanglelog,"%msg:R,ERE,0,BLANK:(\{\".*)--end%\n"

# Route messages that mention the Untangle UVM to their own file using the
# template above; everything else keeps the default format and destination.
if $msg contains 'uvm' then {
    *.info;mail.none;authpriv.none;cron.none /var/log/untangle.log;untanglelog
} else {
    *.info;mail.none;authpriv.none;cron.none /var/log/messages
}

Note the BLANK no-match action: a 'uvm' message that carries no JSON is written to /var/log/untangle.log as an empty line rather than being dropped, so expect some blank lines in that file.

Then restart rsyslog (on Fedora and other systemd-based distributions):

systemctl restart rsyslog

Note: You do not need to change anything on the server or device sending the messages.

In Splunk, create a file monitor input for /var/log/untangle.log as usual. Because each line in that file is now bare JSON, Splunk parses it the way the sending application intended, with no spath, rex or transform required.



2 Responses to JSON from Syslog using Splunk

  1. When I use your script from above in Rsyslog to parse my untangle logs I get a / before the CServerAddr, SClientAddr fields. Example: "CServerAddr":"/". Any way I can parse this extra / out through the template in untangle.conf? Let me know your thoughts when you have time. My email is cody.betsworth@gmail.com. Thanks for your help.

    • tabchalk says:

      Hello Cody,
      Apologies for the delay in responding. I get the same / in front of the IP address too, but I've not quite managed to get the regex right to make it remove them. If I do get it working I'll let you know.
