I've just installed the Cisco Networks Add-on and Cisco Networks App in my Splunk environment, and am quite pleased with the dashboards.
I am running into a problem with how my Cisco devices/hostnames are getting reported. My "unique devices", as well as every report that uses this field, are showing my syslog hostname instead of my Cisco devices.
The dashboard is using dvc to render reports, but my actual device IP addresses (I wish I could have them resolve to IP addresses) are getting stuffed into reported_hostname. Incidentally, my syslog server is receiving syslog traffic and sending everything into one folder for all IOS devices.
My UF's inputs.conf:
[monitor:///my-syslog-data/ios.log]
source=syslog
sourcetype=cisco:ios
host =
In addition to the universal forwarder, which is my syslog server, I've installed the add-on on my indexers and search heads as well, with no changes made on them.
I've tried making changes to my indexers' props.conf and transforms.conf, however, I seem to be missing the right changes needed to make my dashboards report each device uniquely versus all of them as my syslog host.
Thanks in advance,
-mi
Have a look at the thread below. The best solution would be to change your syslog server to log each device to its own directory and use host_segment=N in the inputs stanza.
Don't set your source! Only set the sourcetype to either cisco:ios or syslog. If you set it to syslog there's a transform called syslog-host which is going to be applied automatically that should take care of the host problem. dvc is just a field aliased to host.
If this doesn't work you need to check your syslog server settings. Some syslog servers append hostnames whenever a message is relayed and we don't want that.
Please accept or upvote helpful answers.
Mikael
Author of the Cisco Networks App
props.conf
[your_sourcetype]
TRANSFORMS-hosts = real_host
transforms.conf
[real_host]
DEST_KEY = MetaData:Host
REGEX =
FORMAT = host::$1
Fill the REGEX with the expression needed to retrieve the host from your logs. It should be the same one used to retrieve reported_hostname.
More info from docs:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Overridedefaulthostassignments
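As an added illustration (not code from this thread or from the Cisco Networks App), here is a Python sketch of what the two suggested fixes do: host_from_event plays the role of the transforms.conf REGEX/FORMAT host override above, and host_from_path mimics host_segment=N from the earlier answer. The sample lines and the timestamp prefix the regex expects are constructed assumptions, so adapt the pattern to your syslog daemon's file template.

```python
import re
from typing import Iterable, Optional, Set

# Constructed sample lines (not from the thread): the shape a syslog server
# typically writes to ios.log when it prefixes each Cisco IOS message with a
# timestamp and the sending device's address. Your daemon's template may
# differ, so the regex below is an assumption to verify against real lines.
SAMPLE_LINES = [
    "Jan 12 10:15:01 192.0.2.10 45: *Jan 12 10:15:00.123: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0 (198.51.100.7)",
    "Jan 12 10:15:03 192.0.2.11 46: *Jan 12 10:15:02.001: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet0/1, changed state to down",
    "Jan 12 10:15:05 192.0.2.10 47: *Jan 12 10:15:04.500: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface GigabitEthernet0/1, changed state to down",
]

# Equivalent of the transforms.conf stanza in the answer above:
#   REGEX  = <this pattern>   (capture group 1 is the originating device)
#   FORMAT = host::$1
# Group 1 is the first token after the syslog timestamp, i.e. the sender as
# the syslog server saw it. A relay that inserts its own name there would
# make every event resolve to the relay, which is the symptom in the question.
HOST_REGEX = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s")


def host_from_event(line: str) -> Optional[str]:
    """Return the value Splunk would assign to host for one event, or None."""
    m = HOST_REGEX.match(line)
    return m.group(1) if m else None


def host_from_path(path: str, segment: int) -> str:
    """Mimic inputs.conf host_segment=N: the Nth '/'-separated path component
    (1-based, empty components ignored), e.g. the per-device directory."""
    parts = [p for p in path.split("/") if p]
    if segment < 1 or segment > len(parts):
        raise ValueError(f"path {path!r} has no segment {segment}")
    return parts[segment - 1]


def unique_devices(lines: Iterable[str]) -> Set[str]:
    """The set the dashboard's 'unique devices' panel should be counting."""
    return {h for h in map(host_from_event, lines) if h}


if __name__ == "__main__":
    print(unique_devices(SAMPLE_LINES))
    print(host_from_path("/my-syslog-data/192.0.2.10/ios.log", 2))
```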
As your forwarder is running on the syslog server, you could use the forwarder as your syslog server by defining a UDP input as
[udp://514]
source=syslog
sourcetype=cisco:ios
connection_host = dns
Saves you some IOPS on the server and gives you the host in the event. In this case you of course have the logs only in Splunk, and I cannot say whether the app will be able to deal with the events.
My syslog server parses logs from more than just Cisco devices, which feed various sourcetypes.
I like this idea though, thank you.
I changed sourcetype on my UF's inputs.conf from cisco:ios to syslog and now all my devices are showing up with their IP addresses; thank you.
How do the entries in the ios.log file look? Do they contain the correct hostname?
They contain the IP address; the patterns match those provided in the sample.log.