After an initial installation of the Universal Forwarder (6.4.0), I immediately changed the hostname values to use the FQDN:
./splunk set servername myserver.domain.com
./splunk set default-hostname myserver.domain.com
I then restart the Universal Forwarder service and confirm the changes in the following conf files:
/opt/splunkforwarder/etc/system/local/inputs.conf:
[default]
host = myserver.domain.com
/opt/splunkforwarder/etc/system/local/server.conf:
[general]
serverName = myserver.domain.com
...
However, unless I explicitly specify the FQDN hostname, when I add a new monitor (sourcetypes linux_secure and linux_messages_syslog), the events are indexed with the shortname.
The splunkd.log seems to suggest it is not honoring the default hostname I set for the inputs.conf (oddly, the servername in server.conf seems to stick):
...
04-18-2016 15:10:37.451 -0400 INFO ServerConfig - My server name is "myserver.domain.com".
04-18-2016 15:10:37.452 -0400 INFO ServerConfig - Found no site defined in server.conf
04-18-2016 15:10:37.452 -0400 INFO ServerConfig - My hostname is "myserver".
...
This behavior is reproducible on multiple hosts. Is there something else I'm missing? Any advice is appreciated. Thanks.
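A quick way to see which stanzas are relying on the `[default]` host and whether that value agrees with what splunkd logged at startup is to parse the two artifacts side by side. The script below is an added example, not code from the original post or from Splunk: the inputs.conf text and the splunkd.log excerpt are constructed copies of what the question shows, and the two `monitor://` stanzas (one inheriting the default host, one overriding it) are hypothetical.

```python
"""Added example: report the effective host of each inputs.conf stanza and
compare the [default] host with the hostname splunkd reported at startup.
Everything embedded here is constructed to mirror the question above."""
import configparser
import re

# Constructed copy of etc/system/local/inputs.conf from the question, plus two
# hypothetical monitor stanzas: one inherits [default], one sets host itself.
INPUTS_CONF = """
[default]
host = myserver.domain.com

[monitor:///var/log/secure]
sourcetype = linux_secure

[monitor:///var/log/messages]
sourcetype = linux_messages_syslog
host = override.domain.com
"""

# Constructed splunkd.log excerpt (the three ServerConfig lines from the question).
SPLUNKD_LOG = """\
04-18-2016 15:10:37.451 -0400 INFO ServerConfig - My server name is "myserver.domain.com".
04-18-2016 15:10:37.452 -0400 INFO ServerConfig - Found no site defined in server.conf
04-18-2016 15:10:37.452 -0400 INFO ServerConfig - My hostname is "myserver".
"""


def parse_inputs(inputs_conf_text):
    """Parse inputs.conf; [default] is an ordinary section here because
    configparser only treats the upper-case [DEFAULT] name specially."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(inputs_conf_text)
    return cp


def default_host(inputs_conf_text):
    """Host value from the [default] stanza, or None if it is not set."""
    cp = parse_inputs(inputs_conf_text)
    return cp["default"].get("host") if "default" in cp else None


def effective_hosts(inputs_conf_text):
    """Map every non-default stanza to the host it will use: its own host=
    if present, otherwise the [default] host."""
    cp = parse_inputs(inputs_conf_text)
    fallback = default_host(inputs_conf_text)
    return {name: cp[name].get("host", fallback)
            for name in cp.sections() if name != "default"}


def logged_names(log_text):
    """Pull the server name and hostname out of the ServerConfig log lines."""
    names = {}
    m = re.search(r'My server name is "([^"]+)"', log_text)
    if m:
        names["serverName"] = m.group(1)
    m = re.search(r'My hostname is "([^"]+)"', log_text)
    if m:
        names["hostname"] = m.group(1)
    return names


def inherited_stanzas_with_mismatch(inputs_conf_text, log_text):
    """Stanzas that inherit the [default] host while the hostname splunkd
    logged differs from that default: these are the inputs whose events are
    worth spot-checking in the index for the short name."""
    cp = parse_inputs(inputs_conf_text)
    wanted = default_host(inputs_conf_text)
    logged = logged_names(log_text).get("hostname")
    if wanted is None or logged == wanted:
        return []
    return [name for name in cp.sections()
            if name != "default" and "host" not in cp[name]]


if __name__ == "__main__":
    for stanza, host in effective_hosts(INPUTS_CONF).items():
        print(f"{stanza}: host={host}")
    print("splunkd reported:", logged_names(SPLUNKD_LOG))
    print("inheriting stanzas to verify:",
          inherited_stanzas_with_mismatch(INPUTS_CONF, SPLUNKD_LOG))
```

Point the two string constants at the real files (`/opt/splunkforwarder/etc/system/local/inputs.conf` and `var/log/splunk/splunkd.log`) to run it on a forwarder; the output lists which stanzas depend on the `[default]` host, so those are the sourcetypes to search for `host=myserver` in the index after the next restart.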