
Cisco Networks app does not interpret Mnemonic and facility. How to fix

New Member

We installed the Cisco Networks App. However, it does not seem to recognize any syslog messages.

It does recognize the unique devices and number of events. At the top mnemonics by time it shows a graph only with mnemonics NULL.
All other graphs on the dashboard are not filled.

Example for the MAC flapping graph:

Our syslog message is:
Feb 06 12:22:18 zt5c1-vdc-otv %L2FM-4-L2FM_MAC_MOVE: Mac 0000.0c07.ac66 in vlan 888 has moved from Po305 to Eth3/14
host = zt5c1-vdc-otv source = E:\Syslogd\Logs\zt5c1-vdc-otv sourcetype = cisco:ios

The query on the graph should be:
sourcetype=cisco:ios eventtype="ciscoios-macflapping" | table _time, host, facility, mnemonic, src_mac, src_vlan, src_interface, dest_interface

The event-type ciscoios-macflapping is defined as:
sourcetype=cisco:ios (mnemonic=MACFLAPNOTIF OR mnemonic=HOSTFLAPPING) OR (facility=MACMOVE mnemonic=NOTIF)

In the interesting fields I don't see mnemonic or facility field.

So any help appreciated...

0 Karma

Re: Cisco Networks app does not interpret Mnemonic and facility. How to fix

Motivator

Did you install the Cisco Networks Add-On? https://apps.splunk.com/app/1467

Put that on your search head + indexers.

0 Karma

Re: Cisco Networks app does not interpret Mnemonic and facility. How to fix

New Member

Hello Mikael,

Yes, I had installed the add-on and also upgraded the add-on to 2.2.0.

0 Karma

Re: Cisco Networks app does not interpret Mnemonic and facility. How to fix

Motivator

Is this a fresh install? Do you have anything in the local/ dirs in the app? If so, delete the contents of that dir. Did you restart the search head?

0 Karma

Re: Cisco Networks app does not interpret Mnemonic and facility. How to fix

Motivator

Is the index you placed the logs in searched by default, or do you have to specify an index when you search?

0 Karma

Re: Cisco Networks app does not interpret Mnemonic and facility. How to fix

New Member

At this moment I'm going to do a fresh install. We use the index called main.

0 Karma

Re: Cisco Networks app does not interpret Mnemonic and facility. How to fix

New Member

I did a fresh install; still the same behaviour.

In the app it is seeing the number of events, the unique devices, and a graph with top mnemonics by time where all is NULL.

In the inventory it displays the hosts and events.

All other graphs are empty. I would like the switching part to be working, so the spanning tree and MAC flaps etc.

Any thoughts?

0 Karma

Re: Cisco Networks app does not interpret Mnemonic and facility. How to fix

Motivator

Hmm - if you click on Search in the app's navigation menu and search for

sourcetype=cisco:ios

Do you see any fields in the field menu to the left? Facility, mnemonic, eventtype, severity_id etc?

Make sure search mode is set to Smart mode (the default).

0 Karma

Re: Cisco Networks app does not interpret Mnemonic and facility. How to fix

New Member

Good morning,

I do see the eventtype field with ciscoios, ciscoconnection, ciscoauthentication.
Also other fields like src interface, authenticator, date etc.

But I don't see the facility, mnemonic or severity id fields.

0 Karma

Re: Cisco Networks app does not interpret Mnemonic and facility. How to fix

Motivator

Good morning,

What kind of Syslog server do you use? Normally the syslog server appends a timestamp (the time the event was received on the server) which results in two timestamps in the event. This is a requirement for the app to work correctly. You can make it work in other ways, but several dashboards will render useless information, so I suggest you change some settings on your syslog server.

Here's the output from your server:

Feb 06 12:22:18 zt5c1-vdc-otv %L2FM-4-L2FM_MAC_MOVE: Mac 0000.0c07.ac66 in vlan 888 has moved from Po305 to Eth3/14

Here's from another server:

Feb  4 14:29:40 hostname.example.com 22676: Feb  4 14:30:17: %PARSER-5-CFGLOG_LOGGEDCMD: User:olanordmann  logged command:management-interface Tunnel1 allow ssh

Do you see the difference? My example has the following prefixed:

Feb  4 14:29:40 hostname.example.com 22676:

This translates into:

I believe your syslog server removes some of this information. This is likely something you can change in the server settings.

Why do we need these fields?

  • Timestamp of reception: Allows you to check if the device's time is set incorrectly by calculating the reception time against the device time.
  • Hostname of sender: Provides the hostname in the event.
  • Event ID: This is an incrementing field/serial allowing us to get the order of events in order to create transactions, i.e. for configuration change management.
  • Device Time: Timestamp of the device.


0 Karma
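As an added illustration (not the app's or add-on's own field extraction), here is a small Python parser for the two line shapes compared in the answer above: it pulls facility, severity and mnemonic from the %FACILITY-SEVERITY-MNEMONIC header and, when the full prefix survives, the sequence number and the device-versus-reception clock skew the last bullet list refers to. The sample lines are the two quoted in the thread; the field names and the assumed year are my own, not the add-on's. Running it over a few lines from your own syslog server shows at a glance whether the prefix is being stripped.

```python
import re
from datetime import datetime

# Constructed samples: the two line shapes compared in the thread.
SAMPLES = [
    # Full prefix: reception timestamp, sender hostname, sequence number, device timestamp, message.
    "Feb  4 14:29:40 hostname.example.com 22676: Feb  4 14:30:17: %PARSER-5-CFGLOG_LOGGEDCMD: "
    "User:olanordmann  logged command:management-interface Tunnel1 allow ssh",
    # Stripped prefix: the syslog server kept only its own timestamp and the hostname.
    "Feb 06 12:22:18 zt5c1-vdc-otv %L2FM-4-L2FM_MAC_MOVE: Mac 0000.0c07.ac66 in vlan 888 "
    "has moved from Po305 to Eth3/14",
]

TS = r"[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}"  # e.g. "Feb  4 14:29:40"
FULL = re.compile(rf"^(?P<recv>{TS}) (?P<host>\S+) (?P<seq>\d+): (?P<devtime>{TS}): (?P<msg>%.*)$")
SHORT = re.compile(rf"^(?P<recv>{TS}) (?P<host>\S+) (?P<msg>%.*)$")
# Cisco message header: %FACILITY-SEVERITY-MNEMONIC:
HEADER = re.compile(r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


def parse_ts(text, year=2000):
    """Parse a syslog timestamp (there is no year on the wire, so one is assumed)."""
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def parse_cisco_syslog(line):
    """Return the fields the dashboards key on, or None if the line is not a Cisco syslog event."""
    m = FULL.match(line)
    complete = m is not None
    if m is None:
        m = SHORT.match(line)
    if m is None:
        return None
    h = HEADER.match(m["msg"])
    if h is None:
        return None
    rec = {
        "host": m["host"],
        "facility": h["facility"],
        "severity_id": int(h["severity"]),
        "mnemonic": h["mnemonic"],
        "complete": complete,  # False means the syslog server stripped the prefix
    }
    if complete:
        rec["seq"] = int(m["seq"])
        # Device clock minus reception clock; only meaningful within one day since the year is assumed.
        rec["clock_skew_s"] = (parse_ts(m["devtime"]) - parse_ts(m["recv"])).total_seconds()
    return rec
```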