https://community.splunk.com/t5/Getting-Data-In/Cisco-Switch-Data/m-p/579506#M102300 <P>Sending syslog directly to Splunk is discouraged.&nbsp; Best Practice is to have the syslog server write the data to disk files and have Splunk monitor those files.&nbsp; Another option is to use the Splunk Connect for Syslog (SC4S) app.</P> Wed, 29 Dec 2021 17:53:45 GMT richgalloway 2021-12-29T17:53:45Z https://community.splunk.com/t5/Getting-Data-In/Cisco-Switch-Data/m-p/579464#M102295 <P>Hello,</P><P>We have multiple Cisco Switches that are configured to send logs to Splunk.&nbsp; When comparing the logs on the switch and the logs in Splunk, they do not match up.&nbsp; Splunk does not seem to catch all of the logs, and seems to miss entries in large chunks, and it does not seem to be any single type of entry.&nbsp; &nbsp;I've searched by the IP of the switch and the information in the log thinking that it might have been mislabeled, but it is not in Splunk at all.</P><P>We have our switches set up to log at an informational level.&nbsp; This is happening across most switches in our environments - not all logs are entering Splunk.&nbsp; &nbsp;Is this is a known issue?</P><P><BR />Thanks!</P> Wed, 29 Dec 2021 13:18:53 GMT https://community.splunk.com/t5/Getting-Data-In/Cisco-Switch-Data/m-p/579464#M102295 mcrist3 2021-12-29T13:18:53Z https://community.splunk.com/t5/Getting-Data-In/Cisco-Switch-Data/m-p/579488#M102298 <P>How does the data get from the switches to Splunk?&nbsp; Are they sent via syslog?&nbsp; Do the events go directly to Splunk or to a syslog server?&nbsp; Are the sent using TCP or UDP?&nbsp; Some configurations are more likely to lead to data loss than others.</P><P>Another possibility is the data is getting to Splunk, but is onboarded poorly so events cannot be located.</P> Wed, 29 Dec 2021 15:14:53 GMT https://community.splunk.com/t5/Getting-Data-In/Cisco-Switch-Data/m-p/579488#M102298 richgalloway 2021-12-29T15:14:53Z https://community.splunk.com/t5/Getting-Data-In/Cisco-Switch-Data/m-p/579495#M102299 <P>We have the switches configured to send via Kiwi syslog - the syslog server is also installed on the Splunk server.&nbsp; We have the Data Inputs in Splunk listening on 514 TCP and UDP, with a source type of syslog.&nbsp; TCP is also listening on 601 with a source type of cisco_syslog.</P><P>&nbsp;</P><P>The switch shows (show logging command):</P><P>Syslog logging: enabled</P><P>Trap Logging Informational, 245 message lines logged</P><P>Logging to &lt;Splunk/KiwiIP&gt; (udp port 514, audit disabled, link up)</P><P>...</P><P>Logging to &lt;Splunk/KiwiIP&gt; (tcp port 601, audit disabled, link up)</P><P>...</P><P>&nbsp;</P> Wed, 29 Dec 2021 15:42:56 GMT https://community.splunk.com/t5/Getting-Data-In/Cisco-Switch-Data/m-p/579495#M102299 mcrist3 2021-12-29T15:42:56Z https://community.splunk.com/t5/Getting-Data-In/Cisco-Switch-Data/m-p/579506#M102300 <P>Sending syslog directly to Splunk is discouraged.&nbsp; Best Practice is to have the syslog server write the data to disk files and have Splunk monitor those files.&nbsp; Another option is to use the Splunk Connect for Syslog (SC4S) app.</P> Wed, 29 Dec 2021 17:53:45 GMT https://community.splunk.com/t5/Getting-Data-In/Cisco-Switch-Data/m-p/579506#M102300 richgalloway 2021-12-29T17:53:45Z https://community.splunk.com/t5/Getting-Data-In/Cisco-Switch-Data/m-p/579507#M102301 <P>Thank you,&nbsp; I will take a look at our set up and see if we can get this updated.</P> Wed, 29 Dec 2021 17:59:10 GMT https://community.splunk.com/t5/Getting-Data-In/Cisco-Switch-Data/m-p/579507#M102301 mcrist3 2021-12-29T17:59:10Z