https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/533342#M64451 <P>Hi. Where can I downloaded the add-on for Ruckus?</P> Wed, 16 Dec 2020 16:00:01 GMT neoslaughter 2020-12-16T16:00:01Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/253555#M29132 <P>Hi, I've recently installed the add-on and can not get the field extraction working. I have edited the props/transforms to change the sourcetype of the incoming syslog data from my ruckus host to ruckus:log (see below), but beyond that I'm not sure what I have to do. </P> <P><STRONG>props.conf:</STRONG><BR /> [host::(xxx.xxx.xxx.xxx)]<BR /> TRANSFORMS-set_sourcetype = ruckus_log_sourcetype</P> <P><STRONG>transforms.conf</STRONG><BR /> [ruckus_log_sourcetype]<BR /> REGEX=(.*)<BR /> FORMAT = sourcetype::ruckus:log<BR /> DEST_KEY = MetaData:Sourcetype </P> Tue, 29 Sep 2020 09:08:41 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/253555#M29132 asofo 2020-09-29T09:08:41Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/253556#M29133 <P>It is easier to set the sourcetype to ruckus:log during the inputs.conf phase, due to how the sourcetype pipelines work in the TA. I would first try this approach to validate the logs are being transformed into the different sourcetypes that ship with the TA: <BR /> -ruckus:core:reconnect, ruckus:core:disconnect, etc.</P> <PRE><CODE>[monitor:///var/log/syslog-ng/ruckus_log/127.0.0.1/2016-03-16/messages.log] index = network sourcetype = ruckus:log host_segment = 5 </CODE></PRE> <P>alternatively:</P> <PRE><CODE>[udp://xxx.xxx.xxx.xxx:514] index = network sourcetype = ruckus:log connection_host = ip </CODE></PRE> Thu, 17 Mar 2016 14:45:45 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/253556#M29133 atellez_splunk 2016-03-17T14:45:45Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/253557#M29134 <P>Thanks for the reply. A have a few questions</P> <P>1) Which inputs file am I adjusting? C:\Program Files\Splunk\etc\system\local?<BR /> 2) I have 13 hosts does that mean I have to put in 13 stanzas or can I use a wildcard?</P> <P>I think I was under the impression that you install the TA and it takes care of the rest.</P> Thu, 17 Mar 2016 17:18:46 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/253557#M29134 asofo 2016-03-17T17:18:46Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/253558#M29135 <P>The TA does not monitor the log path or source of where the data is coming from. It only normalizes the data when you set the sourcetype to ruckus:log to those other sourcetypes specified in props.conf based on regex matches. If you use a custom port for syslog, you would not need to create 13 stanzas. You could do something like this in the Ruckus TA's local/ directory:</P> <P>inputs.conf<BR /> [udp://516]<BR /> index = network (or whatever index you wish to use)<BR /> sourcetype = ruckus:log<BR /> connection_host = ip</P> <P>It is actually better, to set up a syslog server and read the log files from disk using the universal forwarder, this way you don't lose any UDP data during a splunkd restart. </P> Thu, 17 Mar 2016 20:05:50 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/253558#M29135 atellez_splunk 2016-03-17T20:05:50Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/253559#M29136 <P>Thanks, I actually ended up going the props/transforms route but definitely going to move to having a syslog server collecting and forwarding to my indexer.</P> Tue, 22 Mar 2016 19:11:56 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/253559#M29136 asofo 2016-03-22T19:11:56Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/253560#M29137 <P>Im having an issue myself. But i dont know if its different in the new Ruckus controller version or output .</P> <P>2017-11-02T15:10:17-07:00 SCG01 Core: User[AA:FD:BB:28:91:AA] disconnects from WLAN[wifi] at AP[dW-con-007@AA:BB:C4:29:F1:10] with session data(Client Mac[CC:FD:CC:28:AA:2B],Client IP[],OS Type[],Host Name[],BSSID[1C:B9:C4:CC:F1:FF],User Name[DD:AA:17:FF:91:2B],VLAN[80],Encryption[None],Association Time[11 02 22:09:46 2017],Disconnect Reason[client Disconnect],Session Duration[30s],Bytes to User[0],Bytes from User [374],RSSI[10],SNR[-102],Client Radio[g/n],AP Location[],AP GPS[])</P> <P><STRONG>inputs.conf</STRONG><BR /> [monitor:///opt/syslog/ruckus/*.log]<BR /> index = ruckus<BR /> sourcetype = ruckus:log<BR /> host_segment = 4<BR /> disabled = false</P> <P><STRONG>props.conf</STRONG> <BR /> [ruckus:log]<BR /> category = Network<BR /> description = Output produced by the Ruckus Wireless Controller<BR /> pulldown_type = true<BR /> SHOULD_LINEMERGE = false<BR /> MAX_TIMESTAMP_LOOKAHEAD = 16<BR /> TRANSFORMS-sourcetype = ruckus_core,ruckus_core_disconnect,ruckus_core_reconnect, ruckus_core_join, ruckus_core_authorize, ruckus_sshd, ruckus_kernel</P> <P>[ruckus_core]<BR /> rename = ruckus:core</P> <P>[ruckus:core]<BR /> KV_MODE = None<BR /> BREAK_ONLY_BEFORE=\w{3}\s{1,2}\d{1,2}\s<BR /> SHOULD_LINEMERGE = false<BR /> TIME_PREFIX=^<BR /> TIME_FORMAT=%b %d %H:%M:%S</P> <P><STRONG>transforms.conf</STRONG> <BR /> [ruckus_core]<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = ^\w{3}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[0-9]{1,3}.){3}[0-9]{1,3}\sCore:<BR /> FORMAT = sourcetype::ruckus:core</P> Tue, 29 Sep 2020 16:33:35 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/253560#M29137 sudoritz 2020-09-29T16:33:35Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/533342#M64451 <P>Hi. Where can I downloaded the add-on for Ruckus?</P> Wed, 16 Dec 2020 16:00:01 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/533342#M64451 neoslaughter 2020-12-16T16:00:01Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/557254#M65973 <P>Hi&nbsp;</P><P>thanks for sharing your experience . I didn't find TA for&nbsp;<SPAN>Ruckus Wireless</SPAN>&nbsp;in splunkbase . did you create custom TA or you download and modify it .&nbsp;</P> Sat, 26 Jun 2021 09:15:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Ruckus-Wireless-Fields-not-Extracted/m-p/557254#M65973 khalidewaidah 2021-06-26T09:15:22Z