topic Re: ise_servername Returning as Host of Syslog Server in All Apps and Add-ons

ise_servername Returning as Host of Syslog Server

cboillot — Mon, 28 Jul 2025 15:54:37 GMT

Currently we have our Cisco ISE devices being sent to a syslog server and then a forwarder is bringing that into Splunk. We are running into an issue where ise_servername is showing the device name, but the Syslog server name. What am I missing? How would I go about fixing this?

Re: ise_servername Returning as Host of Syslog Server

livehybrid — Mon, 28 Jul 2025 16:22:30 GMT

Hi @cboillot

Does the host value have the correct source name, or does this show the syslog server too?

Does the syslog server write the files to a folder structure that contains the source hostname that you need within it? e.g. /var/log/syslog/<deviceName/blah.log?

If so you would be able to use the host_segment value https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Inputsconf#:~:text=host_regex%27.%0A*%20No%20default.-,host_segment%20%3D%20%3Cinteger%3E,-*%20If%20set%20to to specify the host as the source of the log.

AFAIK, ise_servername ultimately comes from the 'host' field. If you cannot do the host_segment then another option is to use a REGEX props/transform to extract this from the raw event (assuming it is present there)? If the other option isnt possible and you'd like some further help wrtiting this then please provide a sample event.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: ise_servername Returning as Host of Syslog Server

cboillot — Mon, 28 Jul 2025 16:33:13 GMT

Thanks. The server name is not in the sourcepath, but it is in the log right after the date.

Jul 27 23:01:51.020755 SDNWISEP0077 0018346907 (...)

I tried to use extract field from the event view, but that didn't work

Re: ise_servername Returning as Host of Syslog Server

livehybrid — Mon, 28 Jul 2025 21:32:19 GMT

Hi @cboillot

In that case, you could use props/transforms like this on the first HF/Indexer that the data hits:

# props.conf [your_sourcetype] TRANSFORMS-host = ise_host_extraction # transforms.conf [ise_host_extraction] # https://regex101.com/r/7VrxpN/1 REGEX = ^\S+\s+\S+\s+\S+\s+(\S+) FORMAT = host::$1 DEST_KEY = MetaData:Host

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: ise_servername Returning as Host of Syslog Server

PrewinThomas — Tue, 29 Jul 2025 06:18:45 GMT

@cboillot

If you are using syslog-ng, it is preferable to use the host_segment option to extract the host value. This approach helps avoid potential future issues caused by changes in hostname naming conventions or logging patterns that might break regex-based extraction.

You can configure the destination stanza in your syslog configuration file to include the device IP address dynamically in the log file path. Additionally, you can use the host_segment setting to extract the host value for indexing in Splunk.

syslog-ng .conf file
Eg: for destination stanza //Macro might be different if you are using rsyslog or any other

destination d_device_logs { file("/var/log/syslog/$SOURCEIP/${YEAR}-${MONTH}-${DAY}.log"); };

And update inputs.conf with host_segment
eg:

[monitor:///var/log/syslog/...] host_segment = 4

But if you want to stick with regex extraction then use,

props.conf [cisco:ise:syslog] TRANSFORMS-set_host = ise_host_override transforms.conf [ise_host_override] REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\.\d+\s+(\S+) FORMAT = host::$1 DEST_KEY = MetaData:Host

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Re: ise_servername Returning as Host of Syslog Server

cboillot — Tue, 29 Jul 2025 18:53:55 GMT

I'm going to have to go down the Regex path as the Networking team doesn't want to change how their side is set up.

~~I want to double check, this would go on the indexer, correct?~~ I missed the "on the first HF/Indexer"