https://community.splunk.com/t5/Getting-Data-In/filtering-cisco-devices-with-syslog-ng-conf-to-avoid-catchall/m-p/579068#M102238 <P>The original configuration was completed by Splunk support with syslog-ng a little over a year ago.&nbsp; I hadn't thought about using a different port for cisco devices but maybe that is something we could try.&nbsp; I changed things up on the syslog-ng.conf file and then everything was routing into the ciscoios folder, including palo alto data which I didn't want to happen so I changed things back to the partially working conf file.&nbsp; &nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;</P> Wed, 22 Dec 2021 00:42:47 GMT agw 2021-12-22T00:42:47Z https://community.splunk.com/t5/Getting-Data-In/filtering-cisco-devices-with-syslog-ng-conf-to-avoid-catchall/m-p/578648#M102163 <P>Hello-&nbsp;</P><P>I'm trying to filter cisco logs so that all data shows up in it's own folder in syslog-ng.&nbsp; However only some of the data is showing up and most of it is going to the catchall directory.&nbsp;&nbsp;</P><P>Cisco log messages start out with a %.&nbsp; When adding the asterisk to the filter it seems to ignore it.&nbsp; Here is a piece of the filter I use in the syslog-ng.conf:</P><P>filter f_cisco_ios { message("%AUTHMGR") or message("%DOT1X") or message("%MAB") or message("%LINK") or message("%LINE") or message("%DUAL") or message("%ISDN") or message("%EPM") or message("%OSPF") or message("%AUTHPRIV") or message("%LINEPROTO*") or message("%LINK*") };</P><P>I'm trying to get any messages with %LINK* to filter to the ciscoios folder but it keeps sending to the catchall directory.&nbsp; It seems like the syntax I am using is incorrect or maybe there is a better way to filter this without using "message" with filter.&nbsp;</P><P>&nbsp;</P> Thu, 16 Dec 2021 15:51:47 GMT https://community.splunk.com/t5/Getting-Data-In/filtering-cisco-devices-with-syslog-ng-conf-to-avoid-catchall/m-p/578648#M102163 agw 2021-12-16T15:51:47Z https://community.splunk.com/t5/Getting-Data-In/filtering-cisco-devices-with-syslog-ng-conf-to-avoid-catchall/m-p/579026#M102225 <P>We use rsyslog, not syslog-ng. But we have it set up with multiple ports.</P><P>Our catchall is port 514 but we have multiple directories set up. We also have a directory for cisco-ios, cisco-asa and some other technologies. All ciscio-ios devices send its data on port 10520, all cisco-asa devices send it's data on port 10521, etc.&nbsp;</P><P>Depending on which port a system sends it's logs to the syslog server will dictate which folder it goes to.</P><P>That might be an easier way to set up your syslog server.&nbsp;</P> Tue, 21 Dec 2021 14:47:33 GMT https://community.splunk.com/t5/Getting-Data-In/filtering-cisco-devices-with-syslog-ng-conf-to-avoid-catchall/m-p/579026#M102225 Stefanie 2021-12-21T14:47:33Z https://community.splunk.com/t5/Getting-Data-In/filtering-cisco-devices-with-syslog-ng-conf-to-avoid-catchall/m-p/579068#M102238 <P>The original configuration was completed by Splunk support with syslog-ng a little over a year ago.&nbsp; I hadn't thought about using a different port for cisco devices but maybe that is something we could try.&nbsp; I changed things up on the syslog-ng.conf file and then everything was routing into the ciscoios folder, including palo alto data which I didn't want to happen so I changed things back to the partially working conf file.&nbsp; &nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;</P> Wed, 22 Dec 2021 00:42:47 GMT https://community.splunk.com/t5/Getting-Data-In/filtering-cisco-devices-with-syslog-ng-conf-to-avoid-catchall/m-p/579068#M102238 agw 2021-12-22T00:42:47Z