topic Re: Does anyone have Cisco UCS field extractions and/or dashboards? in Getting Data In

Does anyone have Cisco UCS field extractions and/or dashboards?

Glenn — Fri, 04 Nov 2011 12:36:44 GMT

We have new Cisco UCS kit and would like to process its syslogs in Splunk. Has anyone already established a set of field extractions or dashboards that they would like to share? Are there any plans for Splunk to provide any within the product? I think this is likely to be a hardware options that will grow significantly in popularity over time.

Example (scrubbed) logs:

Oct 26 16:33:02 pgce0-su-0j-b.tia.sn.local : 1001 Oct 26 16:33:02 LON: %OTIS-6-EVENT: [G2140204][054002][transition][internal][] [REX:STAGE:STALE-SUCCESS]: MARY profile configuration on peer fabric(REX-STAGE:rea:bev:OrrgYfpxhgnFowZerley:Peer) Oct 26 16:32:52 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:52 VAN: %OTIS-3-PORT_FAILED: [D0047][cleared][port-failed][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-up, reason: Link failure or not-connected Oct 26 16:32:52 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:52 VAN: %OTIS-3-PORT_FAILED: [D0047][cleared][port-failed][sys/switch-B/slot-1/switch-ether/port-1] ether port 1 on fabric interconnect B gwyn state: link-up, reason: Link failure or not-connected Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:svc_rhonda,!!!!!!!!!!!,03030.000000,01263.000000 - jefferson Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:max-dorinda,$1$K1jNUXPu$1bpsCt0/xDbsWSwrfHXi//,-1.000000,01263.000000 - jefferson Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:admin,$1$lnRiXnQe$VQ0qXvmM0CfaJBU36ZLMk/,-1.000000,01263.000000 - jefferson Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:ronnie,!,-1.000000,01263.000000 - jefferson Oct 26 16:32:51 pgce0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %OTIS-3-OPERATIONAL_STATE_DOWN: [Y0231][major][operational-state-down][fabric/hal/A/tp-100] hal port-channel 100 on fabric interconnect A gwyn state: failed, reason: No operational members Oct 26 16:32:46 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:46 VAN: %OTIS-3-MEMBERSHIP_DOWN: [T0025][cleared][membership-down][fabric/hal/A/tp-101/ai-slot-1-port-3] hal Member 1/3 of Port-Channel 101 on fabric interconnect A is down, membership: down Oct 26 16:32:46 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:46 VAN: %OTIS-3-MEMBERSHIP_DOWN: [T0025][cleared][membership-down][fabric/hal/A/tp-101/ai-slot-1-port-1] hal Member 1/1 of Port-Channel 101 on fabric interconnect A is down, membership: down Oct 26 16:32:30 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:30 VAN: %OTIS-3-LINK_DOWN: [Y0035][major][link-down][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-down, reason: Link failure or not-connected Oct 26 16:32:30 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:30 VAN: %OTIS-3-PORT_FAILED: [D0047][major][port-failed][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-up, reason: Link failure or not-connected

Re: Does anyone have Cisco UCS field extractions and/or dashboards?

assaphmehr — Tue, 21 Feb 2012 00:16:07 GMT

Hi,

Did anyone solve this? I am also trying now to analyse Cisco UCS syslog files, and any pointers would be most welcome 🙂

Cheers, Assaph

Re: Does anyone have Cisco UCS field extractions and/or dashboards?

Glenn — Tue, 21 Feb 2012 00:20:48 GMT

No. It looks like a do-it-ourselves job. I haven't done it myself yet due to other priorities.

Re: Does anyone have Cisco UCS field extractions and/or dashboards?

assaphmehr — Wed, 22 Feb 2012 04:41:34 GMT

Here is some basic field extraction.

### inputs.conf

[monitor:///var/log/rsyslog-ucs]
followTail = 0
# Note that we set the host name in the log file name.
# You could alternatively extract it inside the log on each line.
host_regex = \/([\w\d\-]+?)[_\.].*\.log
index = rsyslog
sourcetype = UCS_Syslog


### props.conf

[UCS_Syslog]
SHOULD_LINEMERGE = false
MAX_EVENTS = 1
REPORT-UCS_Component = UCS_Component
REPORT-UCS_Severity = UCS_Severity
REPORT-UCS_Fault_Code = UCS_Fault_Code
REPORT-UCS_Process_PID = UCS_Process_PID


### transforms.conf

[UCS_Component]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = (?i)^(?:[^ ]* ){10}([^:]+)
FORMAT = UCS_Component::$1

[UCS_Severity]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = \[(Cleared|Condition|Critical|Info|Major|Minor|Warning)\]
FORMAT = UCS_Severity::$1

[UCS_Fault_Code]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = .*\[(F\d+)\]
FORMAT = UCS_Fault_Code::$1

[UCS_Process_PID]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = .* (\w+)\[(\d+)\]
FORMAT = UCS_Process::$1 UCS_PID::$2

Re: Does anyone have Cisco UCS field extractions and/or dashboards?

Glenn — Wed, 22 Feb 2012 14:06:41 GMT

This looks good...

Re: Does anyone have Cisco UCS field extractions and/or dashboards?

halr9000 — Sat, 28 Jul 2012 00:18:16 GMT

Just posted: http://splunk-base.splunk.com/apps/54084/splunk-app-for-cisco-ucs

Sorry it took so long. 😉

Do check it out and let us know what you think. The app is in preview now, plenty of tome to make changes and add features. It will hit beta at our .cont event.

Re: Does anyone have Cisco UCS field extractions and/or dashboards?

Glenn — Tue, 31 Jul 2012 10:25:59 GMT

Great, thanks a lot. I am getting one of our guys to evaluate this now and we'll get back to you with any feedback. EDIT - just noticed something... it looks like it requires Windows? We barely run Windows here, do you have an ETA on the python port?

Re: Does anyone have Cisco UCS field extractions and/or dashboards?

halr9000 — Tue, 31 Jul 2012 13:16:02 GMT

I'm afraid I don't have a date yet. Contacting you off-site.

Re: Does anyone have Cisco UCS field extractions and/or dashboards?

halr9000 — Tue, 31 Jul 2012 13:17:17 GMT

Glenn, don't forget to "accept" an an answer, it really helps out the community to mark things appropriately.

Re: Does anyone have Cisco UCS field extractions and/or dashboards?

halr9000 — Tue, 09 Jul 2013 18:49:48 GMT

We just published v1.0 of the Cisco UCS app. Note that it does not do much with the syslog events, but instead works mostly with data from the UCS XML API. There is definitely value in the syslog stuff that comes out of UCS; in particular the event logs named "event" and "audit" in the UCS Manager. I have a few extractions and saved searches in the app for this data, but you could do a lot more.

http://splunk-base.splunk.com/apps/Splunk+App+for+Cisco+UCS

Re: Does anyone have Cisco UCS field extractions and/or dashboards?

friea — Sun, 07 Jun 2015 20:14:39 GMT

Glenn, I think we've exchanged notes about the app in the past. Hope your deployment is going well!

Quick heads up that Spunk has released a new and fully supported Add-on for Cisco UCS which which available at https://splunkbase.splunk.com/app/2731/.

Cisco's Bill Williams posted a nice write-up on the new integration at http://blogs.cisco.com/datacenter/splunk-integration-for-ucs.

(I know ... doesn't address your question in the least. But thought it would be useful for you & other folks looking at this post to know that a more current integration is available.)