Cisco Networks Add-on for Splunk Enterprise: How to get reports to display my Cisco devices, not the hostname of my syslog server?

nychawk
Communicator

I've just installed the Cisco Networks Add-on and Cisco Networks App in my Splunk environment, and am quite pleased with the dashboards.

I am running into a problem with how my Cisco devices/hostnames are getting reported. My "unique devices", as well as every report that uses this field, is showing my syslog hostname instead of my Cisco devices.

The dashboard is using dvc to render reports, but my actual device IP addresses (I wish I could have them resolve to IP addresses) are getting stuffed into reported_hostname. Incidentally, my syslog server is receiving syslog traffic, and sending all into one folder for all IOS devices.

My UF's inputs.conf:

[monitor:///my-syslog-data/ios.log]
source=syslog
sourcetype=cisco:ios
host =

In addition to the universal forwarder, which is my syslog server, I've installed the add-on on my Indexers and search heads as well, no changes made on them.

I've tried making changes to my indexers' props.conf and transforms.conf, however, I seem to be missing the right changes needed to make my dashboards report each device uniquely versus all of them as my syslog host.

Thanks in advance,

-mi

0 Karma
1 Solution

mikaelbje
Motivator

Have a look at the thread below. The best solution would be to change your syslog server to log each device to its own directory and use host_segment=N in the inputs stanza.

http://answers.splunk.com/answers/277657/can-the-cisco-network-app-for-splunk-enterprise-us-1.html#a...

Don't set your source! Only set the sourcetype to either cisco:ios or syslog. If you set it to syslog there's a transform called syslog-host which is going to be applied automatically that should take care of the host problem. dvc is just a field aliased to host.

If this doesn't work you need to check your syslog server settings. Some syslog servers append hostnames whenever a message is relayed and we don't want that.

Please accept or upvote helpful answers.

Mikael
Author of the Cisco Networks App

diogofgm
SplunkTrust

props.conf

[your_sourcetype]
TRANSFORMS-hosts = real_host

transforms.conf

[real_host]
DEST_KEY = MetaData:Host
REGEX = 
FORMAT = host::$1

Fill the regex with the expression needed to retrieve the host from your logs. It should be the same one used to retrieve reported_hostname.

More info from docs:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Overridedefaulthostassignments

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
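To make the two host-assignment approaches in this thread concrete (the regex-based MetaData:Host transform in the answer above, and the per-device directory with host_segment=N suggested earlier), here is an added Python emulation. It is not Splunk code or part of the Cisco Networks App; the sample log lines, the HOST_REGEX and the file paths are constructed for illustration, and the assumption is that the syslog relay writes each Cisco message as "<timestamp> <sender-ip> <message>" into a flat file.

```python
import re
from typing import Optional

# Constructed sample lines, modelled on a syslog daemon relaying several
# Cisco IOS devices into one flat file (assumption: "<timestamp> <sender-ip> ...").
SAMPLE_LINES = [
    "Oct  5 12:34:56 10.1.2.3 1234: *Oct  5 12:34:55.123: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0 (10.0.0.5)",
    "Oct  5 12:35:01 10.1.2.4 88: *Oct  5 12:35:00.998: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "this line has no syslog header and should leave the host untouched",
]

# Hypothetical REGEX for the [real_host] stanza: anchor on the syslog
# timestamp and capture the next whitespace-free token (IP or hostname).
HOST_REGEX = r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)"
HOST_FORMAT = "host::$1"


def apply_host_transform(line: str, default_host: str,
                         regex: str = HOST_REGEX, fmt: str = HOST_FORMAT) -> str:
    """Emulate a transforms.conf stanza with DEST_KEY = MetaData:Host.

    The key is only rewritten when REGEX matches; otherwise the event keeps
    the host assigned by the input (here: the forwarder / syslog server).
    $N tokens in FORMAT are replaced with the Nth capture group.
    """
    m = re.search(regex, line)
    if not m:
        return default_host
    value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", fmt)
    # Splunk stores the key as "host::<value>"; strip the prefix for display.
    return value.split("::", 1)[1] if value.startswith("host::") else value


def host_from_segment(path: str, n: int) -> Optional[str]:
    """Emulate inputs.conf host_segment = N: the Nth slash-separated path
    segment (1-based), e.g. /syslog/<device>/ios.log with host_segment = 2
    yields <device>. Returns None when the path has fewer than N segments."""
    segments = [s for s in path.split("/") if s]
    return segments[n - 1] if 0 < n <= len(segments) else None


def summarise(lines, default_host: str = "syslog-server"):
    """Distinct hosts the dashboards' dvc field (an alias of host) would show."""
    return sorted({apply_host_transform(line, default_host) for line in lines})


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(apply_host_transform(line, "syslog-server"), "<-", line[:60])
    print(summarise(SAMPLE_LINES))
    print(host_from_segment("/my-syslog-data/10.1.2.3/ios.log", 2))
```

The unmatched third line is the failure mode to watch for: a transform that does not match leaves the event attributed to the syslog server, which is exactly the symptom in the question, so test your REGEX against real lines from ios.log before relying on it.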

FritzWittwer_ol
Contributor

As your forwarder is running on the syslog server, you could use the forwarder as your syslog server by defining a UDP input as:

[udp://514]
source=syslog
sourcetype=cisco:ios
connection_host = dns

This saves you some IOPS on the server and gives you the host in the event. In this case you of course have the logs only in Splunk, and I cannot say if the app will be able to deal with the events.

nychawk
Communicator

My syslog server parses logs for devices other than Cisco as well, feeding various sourcetypes.

I like this idea though, thank you.

0 Karma

nychawk
Communicator

I changed sourcetype on my UF's inputs.conf from cisco:ios to syslog and now all my devices are showing up with their IP addresses; thank you.

0 Karma

FritzWittwer_ol
Contributor

How do the entries in the ios.log file look? Do they contain the correct hostname?

0 Karma

nychawk
Communicator

They contain IP addresses; the patterns match those provided in the sample.log.

0 Karma