All Apps and Add-ons

Events not breaking at timestamp - Cisco Networks App

josefa
Path Finder

Hello,

Have a question. I had my cisco logs indexed as sourcetype=syslog, coming from a syslog and sent to Splunk with a forwarder. I then installed the Cisco Networks App and change the sourcetype of this logs to cisco:ios but I've noticed there are some events which are mixed in one same event (no event-breaking at timestamp as usual)

Are there some considerations I should take in regards of props.conf in the App, as I'm receiving logs from a forwarder and not the devices themselves?

Attached some images of what I'm seeing in Splunk. first image how the event looks like (9 cisco events in 1 splunk event) and the second image, where, after the first device hostname it tooks everything as the device_time
Event

Logs being taken as device_time

Any help is much appreciated.

0 Karma

mikaelbje
Motivator

Haven't seen this before and I have a lot of installations using either direct UDP syslog to Splunk or logging to a syslog daemon with a Universal Forwarder shipping the logs to indexers.

You may need to set up a LINE_BREAKER rule along with SHOULD_LINEMERGE=false in props.conf on your indexers/Heavy Forwarders.

0 Karma

josefa
Path Finder

Thanks for your answer, could you tell me how would be the configs in props.conf for the Universal forwarder case? That is how I'm sending the logs to the indexer

0 Karma

somesoni2
Revered Legend

Are you using the heavy forwarder to get data from syslog?

0 Karma

josefa
Path Finder

Universal forwarding.

I send the device's logs to a file in a syslog /var/log/ciscologs.log and monitor that file with the Universal forwarder, in inputs.conf

[monitor:///var/log/ciscologs.logs]
index=index

0 Karma

mikaelbje
Motivator

Try setting

sourcetype = syslog

In your monitor stanza

0 Karma

lqiao2
Path Finder

I think also that setting sourcetype = syslog is the right solution and make sure that the Cisco Network Add-on is installed on the indexers/search-heads.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...