
Cisco Networks Add-on for Splunk Enterprise: How to get reports to display my Cisco devices, not the hostname of my syslog server?

Communicator

I've just installed the Cisco Networks Add-on and Cisco Networks App in my Splunk environment, and am quite pleased with the dashboards.

I am running into a problem with how my Cisco devices/hostnames are getting reported. My "unique devices", as well as every report that uses this field, is showing my syslog hostname instead of my Cisco devices.

The dashboard is using dvc to render reports, but my actual device IP addresses (I wish I could have them resolve to IP addresses) are getting stuffed into reported_hostname. Incidentally, my syslog server is receiving syslog traffic, and sending all into one folder for all IOS devices.

My UF's inputs.conf:

[monitor:///my-syslog-data/ios.log]
source=syslog
sourcetype=cisco:ios
host =

In addition to the universal forwarder, which is my syslog server, I've installed the add-on on my Indexers and search heads as well, no changes made on them.

I've tried making changes to my indexers' props.conf and transforms.conf, however, I seem to be missing the right changes needed to make my dashboards report each device uniquely versus all of them as my syslog host.

Thanks in advance,

-mi

1 Solution

Motivator

Have a look at the thread below. The best solution would be to change your syslog server to log each device to its own directory and use host_segment=N in the inputs stanza.

http://answers.splunk.com/answers/277657/can-the-cisco-network-app-for-splunk-enterprise-us-1.html#a...

Don't set your source! Only set the sourcetype to either cisco:ios or syslog. If you set it to syslog there's a transform called syslog-host which is going to be applied automatically that should take care of the host problem. dvc is just a field aliased to host.

If this doesn't work you need to check your syslog server settings. Some syslog servers append hostnames whenever a message is relayed and we don't want that.

Please accept or upvote helpful answers.

Mikael
Author of the Cisco Networks App


Motivator

props.conf

[your_sourcetype]
TRANSFORMS-hosts = real_host

transforms.conf

[real_host]
DEST_KEY = MetaData:Host
REGEX = 
FORMAT = host::$1

Fill the regex with the expression needed to retrieve the host from your logs. It should be the same as the one used to retrieve reported_hostname.

More info from docs:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Overridedefaulthostassignments

------------
Hope I was able to help you. If so, an upvote would be appreciated.
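To make the choice of REGEX concrete, here is an added Python example (not code from this thread, from Splunk, or from the Cisco Networks App) that emulates the two host-assignment approaches discussed above: the TRANSFORMS host override from this answer, and the per-device-directory layout with host_segment=N from Mikael's accepted solution. The sample ios.log lines, the regex and the hostnames are constructed assumptions; Splunk uses PCRE for REGEX in transforms.conf, so the same pattern can be pasted into the [real_host] stanza with FORMAT = host::$1.

```python
import re

# Constructed sample lines as a syslog server might write them to ios.log.
# Each line starts with the syslog server's own timestamp; the IOS device then
# identifies itself by IP and a sequence number ("1234:") before its own
# timestamp and the %FACILITY-SEV-MNEMONIC message.
SAMPLE_LINES = [
    "Aug 24 11:02:33 10.10.1.1 1234: *Aug 24 11:02:32.901: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet0/1, changed state to down",
    "Aug 24 11:02:35 10.10.1.2 88: *Aug 24 11:02:35.117: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0 (10.10.9.5)",
    # A relay that prepends its own hostname (the case the accepted answer warns about).
    "Aug 24 11:02:40 syslog01 10.10.1.3 45: *Aug 24 11:02:40.004: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface Vlan10, changed state to up",
    # Something that is not a Cisco IOS event at all.
    "Aug 24 11:02:41 not a cisco line at all",
]

# Assumed pattern for the [real_host] REGEX. Instead of taking "the token after
# the timestamp" (which breaks when a relay inserts its own name), it keys on the
# IOS sequence number and device timestamp that follow the device identifier.
HOST_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+"   # syslog server timestamp
    r"(?:\S+\s+)?"                                # optional relay hostname
    r"(\S+)"                                      # group 1: device IP or hostname
    r"\s+\d+:\s+[*.]?\w{3}\s+\d{1,2}"             # "1234: *Aug 24" from the device
)


def override_host(line: str, default_host: str) -> str:
    """Emulate a transform with DEST_KEY = MetaData:Host and FORMAT = host::$1.

    If the regex matches, group 1 becomes the host; otherwise the event keeps the
    host the input assigned (here: the forwarder / syslog server itself).
    """
    m = HOST_RE.match(line)
    return m.group(1) if m else default_host


def host_from_segment(source: str, host_segment: int) -> str:
    """Emulate inputs.conf host_segment = N for a per-device directory layout.

    Segments are counted 1-based from the first path component after the
    leading slash, e.g. /my-syslog-data/10.10.1.1/ios.log with N=2 -> 10.10.1.1.
    """
    segments = [s for s in source.split("/") if s]
    if not 1 <= host_segment <= len(segments):
        raise ValueError(f"host_segment={host_segment} out of range for {source!r}")
    return segments[host_segment - 1]


def unique_devices(lines, default_host: str):
    """What the app's 'unique devices' panel would count once host is fixed."""
    return sorted({override_host(line, default_host) for line in lines})


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(override_host(line, "syslog01"), "<-", line[:60])
    print("unique devices:", unique_devices(SAMPLE_LINES, "syslog01"))
    print("host_segment=2:", host_from_segment("/my-syslog-data/10.10.1.1/ios.log", 2))
```

Run against the constructed lines, the first three resolve to their device IPs and the non-IOS line falls back to the forwarder's host, which is the behaviour to look for when checking the dvc field after the change. The override takes the host from message content, so it is only as good as the relay chain that wrote the line; the per-directory layout with host_segment (or connection_host on a UDP input) ties the host to where the message was received instead, which is why the accepted answer prefers it.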

Contributor

As your forwarder is running on the syslog server, you could use the forwarder as your syslog server by defining a UDP input as

[udp://514]
source=syslog
sourcetype=cisco:ios
connection_host = dns

Saves you some IOPS on the server and gives you the host in the event. In this case you have the logs, of course, only in Splunk, and I cannot say if the app will be able to deal with the events.

Communicator

My syslog server parses logs for devices other than Cisco devices, which is feeding various sourcetypes.

I like this idea though, thank you.



Communicator

I changed sourcetype on my UF's inputs.conf from cisco:ios to syslog and now all my devices are showing up with their IP addresses; thank you.


Contributor

How do the entries in the ios.log file look? Do they contain the correct hostname?


Communicator

They contain IP addresses; the patterns match those provided in the sample.log.
