
How do I change the source host IP address shown in Cisco IOS as it uses the SYSLOG relays address?

cinc101
Explorer

The Cisco IOS app displays all entries as originating from the "Host" IP address, using the syslog relay address instead of the actual IP address of the devices. The original IP address of the source is maintained in the SYSLOG message with the format Original Address=xxx.xxx.yyy.yyy

I have modified Splunk using the advice shown here, which did correctly change the source IP addresses in the main index for the Splunk search application. The Cisco IOS App, however, continues to parse the SYSLOG relay IP in the host field of the app.

I modified the props.conf and transforms.conf in the Cisco IOS TA folder, however it did not change the behaviour.

Does anyone know how I can change the App so that the host IP address shown and used is the actual (original) IP address vice the address of our relay?


cinc101
Explorer

Hello, we were able to modify the data by modifying the props.conf and transforms.conf.
I've posted our changes below in case anyone else has similar issues.

props.conf

[host::IP Address here]
TRANSFORMS-t1=rename_host

transforms.conf

[rename_host]
REGEX=Original Address=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
DEST_KEY=MetaData:Host
FORMAT=host::$1

The files need to be added (if missing) or modified in the following directories:
/opt/splunk/etc/apps/cisco-ios
and
/opt/splunk/etc/apps/TA-cisco-ios

mikaelbje
Motivator

Hi,

First, this does not seem like normal syslog behaviour. I've seen numerous syslog implementations and they normally chain hostnames/IP addresses, i.e. 192.168.1.1 192.168.1.6 where one of the values is the proxy/relay and the other is the original sender. The Cisco logging format is described here:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.0/user/guide/appb....

<187> [timestamp in RFC prescribed format] [device dns name | ip address] [Dummy Value/Counter : ] [ {:|*} mmm dd hh:mm:ss TimeZone ] %FACILITY-[SUBFACILITY-]SEVERITY-MNEMONIC: description

Some syslog implementations will add a timestamp before the example I provided, which makes it trivial to see the actual time the event was received on the syslog server, and the timestamp and hostname included in the original event is the one reported by the Cisco device. I suggest you try to capture your logs in a syslog server such as syslog-NG or rsyslog.

An example event from one of my customer installs with DNS lookups enabled on syslog-NG:

Jul 16 09:22:50 host-c6509-91.siteA.example.com 234067: Jul 16 09:22:48.200 CEST: %EARL-SP-4-NF_USAGE: Current Netflow Table Utilization is 62%

The original event was:

192.168.1.6 234067: Jul 16 09:22:48.200 CEST: %EARL-SP-4-NF_USAGE: Current Netflow Table Utilization is 62%

I suggest you try to do some filtering and transformations to make sure your Original Address= value ends up inside the Cisco format I showed you above. You may try to use the advice you got earlier possibly on a Splunk Forwarder, or try using the guide below to modify the actual raw event data before it gets indexed: http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Anonymizedatausingconfigurationfiles


mikaelbje
Motivator

The app doesn't extract the host in any custom way. It's done automatically by Splunk based on the IP in the message. Since my regex only matches from the event_id (i.e. 234067) onwards, you could transform the event so that you put a list of the relays at the beginning of the message (think inside brackets, i.e. [relay_hosts=relay1,relay2]) and you put the Original Address= value where it belongs in the Cisco syslog format. That way you can create your own extraction to pull out the values for relay_hosts. Splunk might even do that part automatically for you since it's in a key-value pair.

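An added example (not from either poster, not part of the Cisco IOS app) that exercises both points in this thread: the transforms.conf regex above, shown as posted beside a form with the dots escaped, and the rewrite mikaelbje suggests, which moves the Original Address= value into the host position and keeps the relay in a [relay_hosts=...] field. The sample events and the relay line layout (syslog timestamp, then the relay's host token) are constructed assumptions.

```python
import re

# Constructed sample events (not from the thread): a relayed event carrying the
# original sender in an "Original Address=" field, and a malformed variant.
RELAYED_EVENT = (
    "Jul 16 09:22:50 10.0.0.5 Original Address=192.168.1.6 234067: "
    "Jul 16 09:22:48.200 CEST: %EARL-SP-4-NF_USAGE: "
    "Current Netflow Table Utilization is 62%"
)
MALFORMED_EVENT = ("Jul 16 09:22:50 10.0.0.5 Original Address=192x168x1x6 "
                   "234067: %SYS-5-CONFIG_I: Configured from console")

# The transforms.conf regex as posted in the thread: unescaped dots match any character,
# so a token that is not a dotted quad is still accepted as the host value.
LOOSE_ADDR_RE = re.compile(r"Original Address=(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})")
# Hardened form: literal dots and a following boundary, so only a dotted quad matches.
STRICT_ADDR_RE = re.compile(r"Original Address=(\d{1,3}(?:\.\d{1,3}){3})(?!\S)")
# Assumed relay line shape: syslog timestamp, then the relay's own host token.
RELAY_RE = re.compile(r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<relay>\S+) ")


def original_host(event, pattern=STRICT_ADDR_RE):
    """Return the value the transform would write to MetaData:Host, or None if absent."""
    m = pattern.search(event)
    return m.group(1) if m else None


def rewrite_event(event):
    """Put the original sender where Splunk's default syslog host extraction looks
    (right after the timestamp) and keep the relay in a key-value field placed
    before the event_id, so the app's event_id-anchored parsing is unaffected
    (assumed layout, not verified against the app)."""
    relay_m = RELAY_RE.match(event)
    orig = original_host(event)
    if not relay_m or orig is None:
        return event  # not in the expected relayed shape; leave the event unchanged
    rest = STRICT_ADDR_RE.sub("", event[relay_m.end():], count=1).lstrip()
    return f"{relay_m['ts']} {orig} [relay_hosts={relay_m['relay']}] {rest}"


if __name__ == "__main__":
    print(rewrite_event(RELAYED_EVENT))
```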

cinc101
Explorer

Thanks, I figured I would need to build a transform to do this. I was just hoping to understand how your app determines what IP is shown in the host field. I was hoping to avoid having to strip the relay IP out of the message as we have multiple relay hosts and it is useful for us to search what relay has forwarded the message.
