Hi, I've recently installed the add-on and cannot get the field extraction working. I have edited the props/transforms to change the sourcetype of the incoming syslog data from my ruckus host to ruckus:log (see below), but beyond that I'm not sure what I have to do.
props.conf:
[host::(xxx.xxx.xxx.xxx)]
TRANSFORMS-set_sourcetype = ruckus_log_sourcetype
transforms.conf
[ruckus_log_sourcetype]
REGEX=(.*)
FORMAT = sourcetype::ruckus:log
DEST_KEY = MetaData:Sourcetype
It is easier to set the sourcetype to ruckus:log during the inputs.conf phase, due to how the sourcetype pipelines work in the TA. I would first try this approach to validate the logs are being transformed into the different sourcetypes that ship with the TA:
-ruckus:core:reconnect, ruckus:core:disconnect, etc.
[monitor:///var/log/syslog-ng/ruckus_log/127.0.0.1/2016-03-16/messages.log]
index = network
sourcetype = ruckus:log
host_segment = 5
alternatively:
[udp://xxx.xxx.xxx.xxx:514]
index = network
sourcetype = ruckus:log
connection_host = ip
Hi,
thanks for sharing your experience. I didn't find a TA for Ruckus Wireless on Splunkbase. Did you create a custom TA, or did you download and modify one?
Hi. Where can I download the add-on for Ruckus?
Thanks for the reply. I have a few questions:
1) Which inputs file am I adjusting? C:\Program Files\Splunk\etc\system\local?
2) I have 13 hosts does that mean I have to put in 13 stanzas or can I use a wildcard?
I think I was under the impression that you install the TA and it takes care of the rest.
I'm having an issue myself, but I don't know if it's different in the new Ruckus controller version or output.
2017-11-02T15:10:17-07:00 SCG01 Core: User[AA:FD:BB:28:91:AA] disconnects from WLAN[wifi] at AP[dW-con-007@AA:BB:C4:29:F1:10] with session data(Client Mac[CC:FD:CC:28:AA:2B],Client IP[],OS Type[],Host Name[],BSSID[1C:B9:C4:CC:F1:FF],User Name[DD:AA:17:FF:91:2B],VLAN[80],Encryption[None],Association Time[11 02 22:09:46 2017],Disconnect Reason[client Disconnect],Session Duration[30s],Bytes to User[0],Bytes from User [374],RSSI[10],SNR[-102],Client Radio[g/n],AP Location[],AP GPS[])
inputs.conf
[monitor:///opt/syslog/ruckus/*.log]
index = ruckus
sourcetype = ruckus:log
host_segment = 4
disabled = false
props.conf
[ruckus:log]
category = Network
description = Output produced by the Ruckus Wireless Controller
pulldown_type = true
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 16
TRANSFORMS-sourcetype = ruckus_core,ruckus_core_disconnect,ruckus_core_reconnect, ruckus_core_join, ruckus_core_authorize, ruckus_sshd, ruckus_kernel
[ruckus_core]
rename = ruckus:core
[ruckus:core]
KV_MODE = None
BREAK_ONLY_BEFORE=\w{3}\s{1,2}\d{1,2}\s
SHOULD_LINEMERGE = false
TIME_PREFIX=^
TIME_FORMAT=%b %d %H:%M:%S
transforms.conf
[ruckus_core]
DEST_KEY = MetaData:Sourcetype
REGEX = ^\w{3}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[0-9]{1,3}\.){3}[0-9]{1,3}\sCore:
FORMAT = sourcetype::ruckus:core
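To see why the newer controller output may not get picked up, it helps to run the TA's [ruckus_core] routing regex against both log formats offline. The script below is an added example written for this thread; it is not part of the Ruckus TA. It copies the REGEX from the transforms.conf stanza above (with the IPv4 dot escaped), mimics TRANSFORMS-sourcetype's first-match routing, and then pulls the Name[value] pairs out of a Core: message the way a field extraction would. The ISO_CORE_REGEX pattern for the "2017-11-02T15:10:17-07:00 SCG01 Core:" prefix and the LEGACY_EVENT sample are assumptions constructed for the example; NEW_EVENT is the line posted above. Python's re engine is used in place of Splunk's PCRE, which behaves the same for these patterns.

```python
import re

# REGEX from the TA's transforms.conf [ruckus_core] stanza as posted in the thread;
# the dot between IPv4 octets is escaped so it only matches a literal '.'.
TA_CORE_REGEX = re.compile(
    r"^\w{3}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[0-9]{1,3}\.){3}[0-9]{1,3}\sCore:"
)

# ASSUMPTION (not part of the TA): an extra pattern for the ISO 8601 timestamp +
# hostname prefix seen in the newer controller output, e.g.
# "2017-11-02T15:10:17-07:00 SCG01 Core:".
ISO_CORE_REGEX = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z)?\s\S+\sCore:"
)

# Rule tables in TRANSFORMS-sourcetype order: (stanza name, REGEX, FORMAT sourcetype).
TA_RULES = [("ruckus_core", TA_CORE_REGEX, "ruckus:core")]
EXTENDED_RULES = TA_RULES + [("ruckus_core_iso", ISO_CORE_REGEX, "ruckus:core")]

# Constructed legacy-format event (syslog timestamp + source IP; addresses are made up).
LEGACY_EVENT = (
    "Mar 16 14:02:11 10.0.0.5 Core: User[AA:BB:CC:DD:EE:FF] disconnects from "
    "WLAN[wifi] at AP[ap-01@11:22:33:44:55:66] with session data(Client IP[],"
    "Session Duration[30s])"
)

# Event copied from the thread (newer controller output).
NEW_EVENT = (
    "2017-11-02T15:10:17-07:00 SCG01 Core: User[AA:FD:BB:28:91:AA] disconnects from "
    "WLAN[wifi] at AP[dW-con-007@AA:BB:C4:29:F1:10] with session data("
    "Client Mac[CC:FD:CC:28:AA:2B],Client IP[],OS Type[],Host Name[],"
    "BSSID[1C:B9:C4:CC:F1:FF],User Name[DD:AA:17:FF:91:2B],VLAN[80],"
    "Encryption[None],Association Time[11 02 22:09:46 2017],"
    "Disconnect Reason[client Disconnect],Session Duration[30s],Bytes to User[0],"
    "Bytes from User [374],RSSI[10],SNR[-102],Client Radio[g/n],AP Location[],AP GPS[])"
)


def route_sourcetype(event, rules):
    """Mimic TRANSFORMS-sourcetype: the first rule whose REGEX matches rewrites the
    sourcetype. An event no rule matches stays ruckus:log, so none of the
    ruckus:core field extractions ever run on it."""
    for _name, regex, new_sourcetype in rules:
        if regex.search(event):
            return new_sourcetype
    return "ruckus:log"


# Field names start with a capital letter and may contain further words
# ("Client Mac", "Bytes from User"); the value is whatever sits inside the brackets.
FIELD_RE = re.compile(r"([A-Z][A-Za-z]*(?: [A-Za-z]+)*)\s*\[([^\]]*)\]")


def extract_fields(event):
    """Turn the Name[value] pairs after 'Core:' into a dict (empty brackets -> '')."""
    body = event.split("Core: ", 1)[-1]
    return {name: value for name, value in FIELD_RE.findall(body)}


if __name__ == "__main__":
    for event in (LEGACY_EVENT, NEW_EVENT):
        print(event[:40], "...")
        print("  TA rules only :", route_sourcetype(event, TA_RULES))
        print("  with ISO rule :", route_sourcetype(event, EXTENDED_RULES))
    for name, value in extract_fields(NEW_EVENT).items():
        print(f"{name} = {value!r}")
```

Running it shows the legacy line routed to ruckus:core while the ISO-timestamped line stays at ruckus:log under the TA's own rule, which is the symptom of "no fields extracted"; the same routing check is a quick way to validate a local transforms.conf override before reloading Splunk.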
The TA does not monitor the log path or source of where the data is coming from. It only normalizes the data when you set the sourcetype to ruckus:log to those other sourcetypes specified in props.conf based on regex matches. If you use a custom port for syslog, you would not need to create 13 stanzas. You could do something like this in the Ruckus TA's local/ directory:
inputs.conf
[udp://516]
index = network (or whatever index you wish to use)
sourcetype = ruckus:log
connection_host = ip
It is actually better to set up a syslog server and read the log files from disk using the universal forwarder; this way you don't lose any UDP data during a splunkd restart.
Thanks, I actually ended up going the props/transforms route but definitely going to move to having a syslog server collecting and forwarding to my indexer.