- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Cisco Networks app does not interpret Mnemonic...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We installed the Cisco Networks App. However it does not seem to recognize any syslog messages.
It does recognize the unique devices and number of events. At the top mnemonics by time it shows a graph only with mnemonics NULL.
All other graphs on the dashboard are not filled.
Example for the MAC flapping graph:
our syslog message is:
Feb 06 12:22:18 zt5c1-vdc-otv %L2FM-4-L2FM_MAC_MOVE: Mac 0000.0c07.ac66 in vlan 888 has moved from Po305 to Eth3/14
host = zt5c1-vdc-otv source = E:\Syslogd\Logs\zt5c1-vdc-otv sourcetype = cisco:ios
The query on the graph should be:
sourcetype=cisco:ios eventtype="cisco_ios-mac_flapping" | table _time, host, facility, mnemonic, src_mac, src_vlan, src_interface, dest_interface
The event-type cisco_ios-mac_flapping is defined as:
sourcetype=cisco:ios (mnemonic=MACFLAP_NOTIF OR mnemonic=HOSTFLAPPING) OR (facility=MAC_MOVE mnemonic=NOTIF)
In the interesting fields I don't see mnemonic or facility field.
So any help appreciated...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good morning,
What kind of Syslog server do you use? Normally the syslog server appends a timestamp (the time the event was received on the server) which results in two timestamps in the event. This is a requirement for the app to work correctly. You can make it work in other ways, but several dashboards will render useless information, so I suggest you change some settings on your syslog server.
Here's the output from your server:
Feb 06 12:22:18 zt5c1-vdc-otv %L2FM-4-L2FM_MAC_MOVE: Mac 0000.0c07.ac66 in vlan 888 has moved from Po305 to Eth3/14
Here's from another server:
Feb 4 14:29:40 hostname.example.com 22676: Feb 4 14:30:17: %PARSER-5-CFGLOG_LOGGEDCMD: User:olanordmann logged command:management-interface Tunnel1 allow ssh
Do you see the difference? My example has the following prefixed:
Feb 4 14:29:40 hostname.example.com 22676:
This translates into:
I believe your syslog server removes some of this information. This is likely something you can change in the server settings.
Why do we need these fields?
- Timestamp of reception: Allows you to check if the device's time is set incorrectly by calculating the reception time against the device time
- Hostname of sender: Provides the hostname in the event.
- Event ID: This is an incrementing field/serial allowing us to get the order of events in order to create transactions, i.e. for configuration change management.
- Device Time: Timestamp of device
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good morning,
What kind of Syslog server do you use? Normally the syslog server appends a timestamp (the time the event was received on the server) which results in two timestamps in the event. This is a requirement for the app to work correctly. You can make it work in other ways, but several dashboards will render useless information, so I suggest you change some settings on your syslog server.
Here's the output from your server:
Feb 06 12:22:18 zt5c1-vdc-otv %L2FM-4-L2FM_MAC_MOVE: Mac 0000.0c07.ac66 in vlan 888 has moved from Po305 to Eth3/14
Here's from another server:
Feb 4 14:29:40 hostname.example.com 22676: Feb 4 14:30:17: %PARSER-5-CFGLOG_LOGGEDCMD: User:olanordmann logged command:management-interface Tunnel1 allow ssh
Do you see the difference? My example has the following prefixed:
Feb 4 14:29:40 hostname.example.com 22676:
This translates into:
I believe your syslog server removes some of this information. This is likely something you can change in the server settings.
Why do we need these fields?
- Timestamp of reception: Allows you to check if the device's time is set incorrectly by calculating the reception time against the device time
- Hostname of sender: Provides the hostname in the event.
- Event ID: This is an incrementing field/serial allowing us to get the order of events in order to create transactions, i.e. for configuration change management.
- Device Time: Timestamp of device
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, we are using kiwi syslog servers at this moment.
I will look into that if we can add the timestamp fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
THX...
That did the job, in KIWI there is an option to remove cisco timestamps in the log entry. So i disabled that entry and the Facility en mnemonic and severity fields are displayed and are now filling the graphs..
thx for your support on this..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're welcome. A great way to thank me is clicking accept answer or voting the answer 🙂
I hope the app is of use to you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
goodmorning..
I do see the eventype field with cisco_ios,cisco_connection, cisco_authentication.
Also other fields like src_interface, authenticator, date etc
But I don't see the facility, mnemonic or severity id. fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you install the Cisco Networks Add-On? https://apps.splunk.com/app/1467
Put that on your search head + indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Mikael,
Yes i had installed the add-on and also upgraded the add-on to 2.2.0.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this a fresh install? Do you have anything in the local/ dirs in the app? If so delete the contrnts of that dir. Did you restart the search head?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At this moment I'am going to do a fresh install. We use the index called main.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did a fresh install still the same behaviour.
In the app it is seeing the number of events, the unique devices, and a graph with top mnemonics by time where all is NULL.
In the inventory it displays the hosts and events.
All other graphs are empty. I would like the switching part to be working so the spanningtree and mac flaps etc.
any thoughts ??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm - if you click on Search in the app's navigation menu and search for
sourcetype=cisco:ios
Do you see any fields in the field menu to the left? Facility, mnemonic, eventtype, severity_id etc?
Make sure search mode is set to Smart mode (the default)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the index you placed the logs in searched by default or do you have to specify an index when you seatch?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
