topic Re: Why is my host_segment monitor configuration not working properly? in Getting Data In

Why is my host_segment monitor configuration not working properly?

edwardrose — Fri, 19 Dec 2014 23:06:51 GMT

Ok I read the documentation about using host_segment but it does not seem to be working properly

Here is my stanza:

[monitor:///var/log/gns-dmz/network/]
host_segment = 5
sourcetype = cisco:iso
source = syslog
index = network

Under the /var/log/gns-dmz/network there are like 10 directories which are the host names of the cisco switches/routers which are sending their syslogs to this syslog-ng server. The stanza shows the host name as the name of the syslog-ng server and not the host_segment. What I am doing wrong?

thanks
ed

Re: Why is my host_segment monitor configuration not working properly?

mikaelbje — Fri, 19 Dec 2014 23:46:57 GMT

The host_segment looks correct, but the sourcetype in your monitor stanza says cisco:iso, not cisco:ios. You might want to correct that.

Re: Why is my host_segment monitor configuration not working properly?

edwardrose — Mon, 05 Jan 2015 17:25:10 GMT

I fixed the sourcetype, which did nothing for my issue about the host_segment not working.

[monitor:///var/log/gns-dmz/network/]
host_segment = 5
sourcetype = cisco:ios
source = syslog
index = network

I have 14 different sub-directories under /var/log/gns-dmz/network (all separate devices) and it still only shows up as ebs-syslog01 (name of syslog-ng server). Not sure why it isn't working.

Re: Why is my host_segment monitor configuration not working properly?

edwardrose — Mon, 05 Jan 2015 18:08:44 GMT

Actually have have two separate host_segment stanzas that are not working on this particular host

[monitor:///var/log/gns-dmz/bluecat/]
host_segment = 5
index = bluecat
sourcetype = dns_syslog
source = syslog

So not sure what I am doing wrong

Re: Why is my host_segment monitor configuration not working properly?

mikaelbje — Mon, 05 Jan 2015 18:19:58 GMT

You should post comments on my answer, not answers to your question. This is not a forum, but a way to ask a question and get answers 🙂

List the diretory contents of /var/log/gns-dmz/network and post them here.
1. Do you have another monitor stanza for /var/log/? This might be set up in i.e. the Splunk App for NIX . If this is the case it means you are monitoring the same files twice. Splunk will only index them once because it checks for duplicates before indexing.

Re: Why is my host_segment monitor configuration not working properly?

edwardrose — Mon, 28 Sep 2020 18:31:56 GMT

[root@ebs-syslog01 network]# ls -lart
total 64
drwxr-xr-x  2 root root 4096 Dec  3 11:24 mamwangw0
drwxr-xr-x  2 root root 4096 Dec  3 11:33 amywangw0
drwxr-xr-x  2 root root 4096 Dec  3 11:33 wvwangw0a-loopback0
drwxr-xr-x  2 root root 4096 Dec  3 11:34 139.181.40.21
drwxr-xr-x  2 root root 4096 Dec  3 11:34 ieswangw0b
drwxr-xr-x  2 root root 4096 Dec  3 11:34 194.196.65.17
drwxr-xr-x  2 root root 4096 Dec  3 11:34 rumwangw0
drwxr-xr-x  2 root root 4096 Dec  3 11:34 tokwangw0
drwxr-xr-x  2 root root 4096 Dec  3 11:34 ieswangw0a
drwxr-xr-x  2 root root 4096 Dec  3 11:34 hsvwangw0-uloop
drwxr-xr-x  2 root root 4096 Dec  3 11:35 wvwangw0b-loopback0
drwxr-xr-x  2 root root 4096 Dec  3 11:35 wana-53-230-12-196
drwxr-xr-x  2 root root 4096 Dec  3 11:35 hsiwangw0
drwxr-xr-x  2 root root 4096 Dec  3 11:35 tw212-static81
drwxr-xr-x  4 root root 4096 Dec 19 14:28 ..
drwxr-xr-x 16 root root 4096 Dec 19 14:29 .
[root@ebs-syslog01 network]#

Yes I have Splunk_TA_Nix installed on this server as well.

Re: Why is my host_segment monitor configuration not working properly?

edwardrose — Mon, 28 Sep 2020 18:31:58 GMT

I am assuming since Splunk_TA_Nix is installed and monitoring the following

[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
disabled = 1

That I am not getting the host_segment to work as you have stated. I will have to change the directory to one that is not being monitored or disable the Splunk_TA_Nix one, correct?

Re: Why is my host_segment monitor configuration not working properly?

mikaelbje — Mon, 05 Jan 2015 18:32:25 GMT

Hmm, I see it's disabled so it shouldn't really matter. Try monitoring another directory outside of /var/log

The host_segment you have looks OK though. Tried a different Splunk version in case it's a bug?

Re: Why is my host_segment monitor configuration not working properly?

edwardrose — Mon, 05 Jan 2015 19:40:38 GMT

I tried to use /var/testing/devices and then copied the 14 or so directories over and it seems to be working properly now. Not sure why it isn't working in /var/log/gns-dmz

-thanks
ed

Re: Why is my host_segment monitor configuration not working properly?

mikaelbje — Mon, 05 Jan 2015 20:59:52 GMT

Great to hear that you got it working. It would be good if you could mark my answer as accepted 🙂

Re: Why is my host_segment monitor configuration not working properly?

ssmoot_splunk — Wed, 07 Jan 2015 15:58:09 GMT

The reason why this is not working for you is that host_segment uses the source metadata to extract the segment from. Since you are overriding the source by defining source = syslog, the default host will be used.
Try removing the source definition and you should be good to go.

Re: Why is my host_segment monitor configuration not working properly?

edwardrose — Wed, 07 Jan 2015 15:59:38 GMT

Yeah I found that out yesterday. I removed the source line and everything started working as it should.

thanks
ed