All Apps and Add-ons

Splunk Add-on for Ruckus Wireless - Fields not Extracted

asofo
Path Finder

Hi, I've recently installed the add-on and can not get the field extraction working. I have edited the props/transforms to change the sourcetype of the incoming syslog data from my ruckus host to ruckus:log (see below), but beyond that I'm not sure what I have to do.

props.conf:
[host::(xxx.xxx.xxx.xxx)]
TRANSFORMS-set_sourcetype = ruckus_log_sourcetype

transforms.conf
[ruckus_log_sourcetype]
REGEX=(.*)
FORMAT = sourcetype::ruckus:log
DEST_KEY = MetaData:Sourcetype

1 Solution

atellez_splunk
Splunk Employee
Splunk Employee

It is easier to set the sourcetype to ruckus:log during the inputs.conf phase, due to how the sourcetype pipelines work in the TA. I would first try this approach to validate the logs are being transformed into the different sourcetypes that ship with the TA:
-ruckus:core:reconnect, ruckus:core:disconnect, etc.

[monitor:///var/log/syslog-ng/ruckus_log/127.0.0.1/2016-03-16/messages.log]
index = network
sourcetype = ruckus:log
host_segment = 5

alternatively:

[udp://xxx.xxx.xxx.xxx:514]
index = network
sourcetype = ruckus:log
connection_host = ip

View solution in original post

0 Karma

khalidewaidah
Explorer

Hi 

thanks for sharing your experience . I didn't find TA for Ruckus Wireless in splunkbase . did you create custom TA or you download and modify it . 

0 Karma

neoslaughter
Loves-to-Learn

Hi. Where can I downloaded the add-on for Ruckus?

0 Karma

atellez_splunk
Splunk Employee
Splunk Employee

It is easier to set the sourcetype to ruckus:log during the inputs.conf phase, due to how the sourcetype pipelines work in the TA. I would first try this approach to validate the logs are being transformed into the different sourcetypes that ship with the TA:
-ruckus:core:reconnect, ruckus:core:disconnect, etc.

[monitor:///var/log/syslog-ng/ruckus_log/127.0.0.1/2016-03-16/messages.log]
index = network
sourcetype = ruckus:log
host_segment = 5

alternatively:

[udp://xxx.xxx.xxx.xxx:514]
index = network
sourcetype = ruckus:log
connection_host = ip
0 Karma

asofo
Path Finder

Thanks for the reply. A have a few questions

1) Which inputs file am I adjusting? C:\Program Files\Splunk\etc\system\local?
2) I have 13 hosts does that mean I have to put in 13 stanzas or can I use a wildcard?

I think I was under the impression that you install the TA and it takes care of the rest.

0 Karma

sudoritz
Explorer

Im having an issue myself. But i dont know if its different in the new Ruckus controller version or output .

2017-11-02T15:10:17-07:00 SCG01 Core: User[AA:FD:BB:28:91:AA] disconnects from WLAN[wifi] at AP[dW-con-007@AA:BB:C4:29:F1:10] with session data(Client Mac[CC:FD:CC:28:AA:2B],Client IP[],OS Type[],Host Name[],BSSID[1C:B9:C4:CC:F1:FF],User Name[DD:AA:17:FF:91:2B],VLAN[80],Encryption[None],Association Time[11 02 22:09:46 2017],Disconnect Reason[client Disconnect],Session Duration[30s],Bytes to User[0],Bytes from User [374],RSSI[10],SNR[-102],Client Radio[g/n],AP Location[],AP GPS[])

inputs.conf
[monitor:///opt/syslog/ruckus/*.log]
index = ruckus
sourcetype = ruckus:log
host_segment = 4
disabled = false

props.conf
[ruckus:log]
category = Network
description = Output produced by the Ruckus Wireless Controller
pulldown_type = true
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 16
TRANSFORMS-sourcetype = ruckus_core,ruckus_core_disconnect,ruckus_core_reconnect, ruckus_core_join, ruckus_core_authorize, ruckus_sshd, ruckus_kernel

[ruckus_core]
rename = ruckus:core

[ruckus:core]
KV_MODE = None
BREAK_ONLY_BEFORE=\w{3}\s{1,2}\d{1,2}\s
SHOULD_LINEMERGE = false
TIME_PREFIX=^
TIME_FORMAT=%b %d %H:%M:%S

transforms.conf
[ruckus_core]
DEST_KEY = MetaData:Sourcetype
REGEX = ^\w{3}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[0-9]{1,3}.){3}[0-9]{1,3}\sCore:
FORMAT = sourcetype::ruckus:core

0 Karma

atellez_splunk
Splunk Employee
Splunk Employee

The TA does not monitor the log path or source of where the data is coming from. It only normalizes the data when you set the sourcetype to ruckus:log to those other sourcetypes specified in props.conf based on regex matches. If you use a custom port for syslog, you would not need to create 13 stanzas. You could do something like this in the Ruckus TA's local/ directory:

inputs.conf
[udp://516]
index = network (or whatever index you wish to use)
sourcetype = ruckus:log
connection_host = ip

It is actually better, to set up a syslog server and read the log files from disk using the universal forwarder, this way you don't lose any UDP data during a splunkd restart.

0 Karma

asofo
Path Finder

Thanks, I actually ended up going the props/transforms route but definitely going to move to having a syslog server collecting and forwarding to my indexer.

0 Karma
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...