topic Re: Syslog Configuration required for custom sourcetypes in Getting Data In

Syslog Configuration required for custom sourcetypes

msatish — Mon, 28 Apr 2025 11:32:08 GMT

I think Splunk doesn't have a built-in/defined sourcetype for ExtremeCloud XIQ logs. Can we define a custom sourcetype, like `extremecloud:xiq`, in the syslog server(splunk_metadata.csv)? If so, how do we make sure the logs coming from ExtremeCloud XIQ platform land in the "extreme" index and use the "extremecloud:xiq" sourcetype?

Re: Syslog Configuration required for custom sourcetypes

livehybrid — Mon, 28 Apr 2025 11:55:37 GMT

Hi @msatish

Just to confirm - are you using SC4S?

I am not familiar with ExtremeCloud XIQ and it isnt a "known product" to SC4S however we should still be able to update splunk_metadata.csv.

Do you know if the data is being sent in CEF format? If possible please could you provide a couple of lines of your events to help us work out the correct values for the splunk_metadata.csv file?

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Syslog Configuration required for custom sourcetypes

VatsalJagani — Tue, 29 Apr 2025 06:05:01 GMT

@msatish- Yes you can always define your own sourcetype & your own custom index that you want any data to fall into.

But as @livehybrid is asking you can need to figure-out how you are collecting the data & which format of the logs so you can figure-out from which config file & where you can apply the new sourcetype & index. And you also need to put props.conf configuration (Parsing, Timestamp extraction, Field Extraction, etc.) for your custom sourcetype.

And make sure index is created on your indexers before you start pushing the data into your custom index.

I hope this helps!!!

Re: Syslog Configuration required for custom sourcetypes

dionrivera — Tue, 06 May 2025 21:38:05 GMT

The following link provides the common format for CEF log format, assuming that's your format.

https://splunk.github.io/splunk-connect-for-syslog/main/sources/base/cef/#splunk-metadata-with-cef-events

Re: Syslog Configuration required for custom sourcetypes

dionrivera — Tue, 06 May 2025 21:38:52 GMT

The following link provides the common format for CEF log format, assuming that's your format.

https://splunk.github.io/splunk-connect-for-syslog/main/sources/base/cef/#splunk-metadata-with-cef-e...

Re: Syslog Configuration required for custom sourcetypes

msatish — Fri, 30 May 2025 09:34:12 GMT

@livehybrid

Yes, logs needs to be forwarded to SC4S. ExtremeCloud IQ will be sending logs in the legacy SYSLOG format RFC3164. Can we use app parser configuration file on the syslog server where we plan to receive Extreme AP logs in the legacy SYSLOG format RFC3164. Will this help in normalizing the data received from Extreme AP when tweaked as per log sample .

Here is the resource I am referring to:

https://splunk.github.io/splunk-connect-for-syslog/main/sources/

Also, should we need an add on or app to be installed or just defining app_parser conf file in Syslog help ?

Re: Syslog Configuration required for custom sourcetypes

msatish — Tue, 17 Jun 2025 09:45:54 GMT

@VatsalJagani / @livehybrid https://apps.splunk.com/app/1780/.-Does this EXOS app still help in parsing? or is it outdated one? Is EXOS an Extreme old operating system?

Re: Syslog Configuration required for custom sourcetypes

VatsalJagani — Thu, 19 Jun 2025 05:14:02 GMT

@msatish - As mentioned by @dionrivera you can use SC4S CEF for parsing.

But if you want to parse the already ingested CEF formatted data in Splunk then you can use this App's custom search command to do that.

https://splunkbase.splunk.com/app/7701