We installed the Cisco Networks App. However it does not seem to recognize any syslog messages.
It does recognize the unique devices and the number of events. In the "top mnemonics by time" panel it shows a graph with only mnemonic NULL.
All other graphs on the dashboard are empty.
Example for the MAC flapping graph:
Our syslog message is:
Feb 06 12:22:18 zt5c1-vdc-otv %L2FM-4-L2FM_MAC_MOVE: Mac 0000.0c07.ac66 in vlan 888 has moved from Po305 to Eth3/14
host = zt5c1-vdc-otv source = E:\Syslogd\Logs\zt5c1-vdc-otv sourcetype = cisco:ios
The query on the graph should be:
sourcetype=cisco:ios eventtype="ciscoios-macflapping" | table _time, host, facility, mnemonic, src_mac, src_vlan, src_interface, dest_interface
The eventtype ciscoios-macflapping is defined as:
sourcetype=cisco:ios (mnemonic=MACFLAP_NOTIF OR mnemonic=HOST_FLAPPING) OR (facility=MAC_MOVE mnemonic=NOTIF)
In the interesting fields I don't see a mnemonic or facility field.
So any help is appreciated...
Is this a fresh install? Do you have anything in the local/ dirs in the app? If so, delete the contents of that dir. Did you restart the search head?
Is the index you placed the logs in searched by default, or do you have to specify an index when you search?
I did a fresh install; still the same behaviour.
In the app it is seeing the number of events, the unique devices, and a graph with top mnemonics by time where everything is NULL.
In the inventory it displays the hosts and events.
All other graphs are empty. I would like the switching part to be working, so the spanning tree and MAC flaps etc.
Any thoughts?
Hmm - if you click on Search in the app's navigation menu and search for
Do you see any fields in the field menu to the left? Facility, mnemonic, eventtype, severity_id etc?
Make sure search mode is set to Smart mode (the default)
I do see the eventtype field with ciscoios, ciscoconnection, ciscoauthentication.
Also other fields like src_interface, authenticator, date etc.
But I don't see the facility, mnemonic or severity_id fields.
What kind of Syslog server do you use? Normally the syslog server appends a timestamp (the time the event was received on the server) which results in two timestamps in the event. This is a requirement for the app to work correctly. You can make it work in other ways, but several dashboards will render useless information, so I suggest you change some settings on your syslog server.
Here's the output from your server:
Feb 06 12:22:18 zt5c1-vdc-otv %L2FM-4-L2FM_MAC_MOVE: Mac 0000.0c07.ac66 in vlan 888 has moved from Po305 to Eth3/14
Here's from another server:
Feb 4 14:29:40 hostname.example.com 22676: Feb 4 14:30:17: %PARSER-5-CFGLOG_LOGGEDCMD: User:olanordmann logged command:management-interface Tunnel1 allow ssh
Do you see the difference? My example has the following prefixed:
Feb 4 14:29:40 hostname.example.com 22676:
This translates into:
I believe your syslog server removes some of this information. This is likely something you can change in the server settings.
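An added example, not code from the app or from anyone in this thread: a small Python parser that makes the difference the previous answer points at visible. It assumes the `%FACILITY-SEVERITY-MNEMONIC:` header layout as the source of the facility, severity_id and mnemonic fields (the app's own extractions may differ), assumes the quoted eventtype's names are spelled with underscores (MACFLAP_NOTIF, HOST_FLAPPING, MAC_MOVE), and uses constructed sample lines: the two formats quoted above plus one constructed IOS MAC-flap message in the two-timestamp format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples (not live data). Line 1 mirrors the questioner's
# one-timestamp format, line 2 the two-timestamp format from the answer,
# line 3 is a constructed IOS flap message in the two-timestamp format.
SAMPLES = [
    "Feb 06 12:22:18 zt5c1-vdc-otv %L2FM-4-L2FM_MAC_MOVE: Mac 0000.0c07.ac66 "
    "in vlan 888 has moved from Po305 to Eth3/14",
    "Feb 4 14:29:40 hostname.example.com 22676: Feb 4 14:30:17: "
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:olanordmann logged command:"
    "management-interface Tunnel1 allow ssh",
    "Feb 4 14:29:41 sw1.example.com 1040: Feb 4 14:30:18.201 UTC: "
    "%SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c07.ac66 in vlan 10 is flapping "
    "between port Gi1/0/1 and port Gi1/0/2",
]

# Syslog-server header: the time the server received the event, then the host.
SYSLOG_HEADER = re.compile(
    r"^(?P<recv_time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)
# Device-side prefix a correctly configured syslog server preserves: an optional
# sequence number ("22676: ") and the device's own timestamp ("Feb 4 14:30:17: ").
# Assumed layout; IOS may also lead the timestamp with '*' or '.' and add a zone.
DEVICE_PREFIX = re.compile(
    r"^(?:(?P<seq>\d+): )?[*.]?"
    r"(?P<dev_time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?(?: [A-Z]{3,4})?): "
    r"(?P<rest>.*)$"
)
# %FACILITY-SEVERITY-MNEMONIC: message  (assumed source of the three fields)
MSG = re.compile(
    r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity_id>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<message>.*)$"
)


@dataclass
class CiscoEvent:
    host: str
    recv_time: str
    dev_time: Optional[str]
    seq: Optional[str]
    facility: str
    severity_id: int
    mnemonic: str
    message: str

    @property
    def has_two_timestamps(self) -> bool:
        """True when the device's own timestamp survived the syslog server."""
        return self.dev_time is not None


def parse(line: str) -> Optional[CiscoEvent]:
    """Split one syslog line into server header, optional device prefix and fields."""
    head = SYSLOG_HEADER.match(line)
    if not head:
        return None
    rest, seq, dev_time = head.group("rest"), None, None
    dev = DEVICE_PREFIX.match(rest)
    if dev:
        seq, dev_time, rest = dev.group("seq"), dev.group("dev_time"), dev.group("rest")
    msg = MSG.match(rest)
    if not msg:
        return None
    return CiscoEvent(
        host=head.group("host"), recv_time=head.group("recv_time"),
        dev_time=dev_time, seq=seq,
        facility=msg.group("facility"), severity_id=int(msg.group("severity_id")),
        mnemonic=msg.group("mnemonic"), message=msg.group("message"),
    )


def is_macflapping(ev: CiscoEvent) -> bool:
    """The quoted eventtype ciscoios-macflapping, evaluated on extracted fields."""
    return ev.mnemonic in ("MACFLAP_NOTIF", "HOST_FLAPPING") or (
        ev.facility == "MAC_MOVE" and ev.mnemonic == "NOTIF"
    )


def summarize(lines: List[str]) -> dict:
    """Count how many lines parse, carry both timestamps, and match the eventtype."""
    events = [ev for ev in (parse(l) for l in lines) if ev is not None]
    return {
        "parsed": len(events),
        "two_timestamps": sum(ev.has_two_timestamps for ev in events),
        "macflapping": sum(is_macflapping(ev) for ev in events),
    }


if __name__ == "__main__":
    for line in SAMPLES:
        ev = parse(line)
        print(ev.host, ev.facility, ev.severity_id, ev.mnemonic,
              "two timestamps" if ev.has_two_timestamps else "ONE timestamp",
              "macflapping" if is_macflapping(ev) else "-")
    print(summarize(SAMPLES))
```

Two things fall out of running this over the samples. First, only the lines that kept the device's sequence number and timestamp report `two timestamps`; a server that strips that prefix, as the answer suspects here, leaves the parser with a single time and nothing to separate "received" from "generated". Second, the quoted eventtype, at least as it appears in this thread, matches MACFLAP_NOTIF, HOST_FLAPPING and MAC_MOVE/NOTIF, but not the Nexus `%L2FM-4-L2FM_MAC_MOVE` message the questioner posted, so that event would not land on the MAC-flapping panel even once facility and mnemonic extract; that is worth checking against the app's eventtypes.conf before blaming the syslog server alone.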
Why do we need these fields?