topic Re: Breaking up syslog sourcetype in Splunk Dev

Breaking up syslog sourcetype

dramage — Fri, 05 Jan 2018 21:35:26 GMT

Good afternoon,
I am working on trying to divide my network devices up so that I have different sourcetypes for each vendor, and then ultimately ship them off to different indexes as well. These devices all things like routers and switches, so I need to use their builtin syslog services. Unfortunately, I'm not understanding the documentation properly and it is not working.

I'm focusing on Nokia gear for the time being, here is a sanitized example log entry from a Nokia device:

Jan  5 13:27:51 123.123.123.123 TMNX: 803766 Base BGP-WARNING-bgpBackwardTransition-2002 [Peer 1: 123.123.123.123]:  VR 1: Group mpBGP-IPv4: Peer 123.123.123.123: moved from higher state OPENSENT to lower state IDLE due to event TCP SOCKET ERROR

Here's the stanza from my transforms.conf:

[nokia]
REGEX = TMNX
FORMAT = sourcetype::nokia
DEST_KEY = MetaData:Sourcetype

And here's from props.conf:

[source::udp:514]
TRANSFORMS-nokia = nokia

I am getting data in, but it's all just showing up under the sourcetype of syslog. Thanks in advance for your help.

Re: Breaking up syslog sourcetype

somesoni2 — Fri, 05 Jan 2018 22:31:45 GMT

Are you sending data directly to Splunk via UDP port monitoring in Splunk OR using syslog-ng (or similar) tool to receive data and having Splunk monitor the written log files? Based on configuration you've put it, I'm guessing it's the former, so where does these conf file setting exist (which Splunk server), Heavy Forwarder/Universal Forwarder or Indexer? Did you restart Splunk after adding those configuration entry.

Re: Breaking up syslog sourcetype

dramage — Fri, 05 Jan 2018 22:47:42 GMT

You are correct, we are simply sending data directly to Splunk over UDP.
We don't yet have enough traffic to need multiple Splunk servers, so everything is running on one system.

Re: Breaking up syslog sourcetype

mayurr98 — Sat, 06 Jan 2018 05:13:39 GMT

I do not see any flaws in your configuration.had you perform splunkd restart after editing the configuration?

Re: Breaking up syslog sourcetype

risgupta — Sun, 07 Jan 2018 08:22:13 GMT

Could you please check your inputs.conf, where you have mentioned your TCP/UDP method to collect data. Make sure you have defined
sourcetype = nokia
for your monitored data.

Re: Breaking up syslog sourcetype

alemarzu — Mon, 08 Jan 2018 14:11:33 GMT

Hi there @dramage

Please, try like this.

props.conf

[syslog]
TRANSFORMS-syslog_to_nokia_sourcetype = renaming_to_nokia

transforms.conf

[renaming_to_nokia]
REGEX = TMNX
FORMAT = sourcetype::nokia
DEST_KEY = MetaData:Sourcetype

Hope it helps.