
Splunk Add-on for Ruckus Wireless - Fields not Extracted

Path Finder

Hi, I've recently installed the add-on and cannot get the field extraction working. I have edited the props/transforms to change the sourcetype of the incoming syslog data from my ruckus host to ruckus:log (see below), but beyond that I'm not sure what I have to do.

props.conf:
[host::(xxx.xxx.xxx.xxx)]
TRANSFORMS-setsourcetype = ruckuslog_sourcetype

transforms.conf:
# the stanza name must match the name referenced by TRANSFORMS-setsourcetype in props.conf
[ruckuslog_sourcetype]
REGEX = (.*)
FORMAT = sourcetype::ruckus:log
DEST_KEY = MetaData:Sourcetype


Re: Splunk Add-on for Ruckus Wireless - Fields not Extracted

Splunk Employee

It is easier to set the sourcetype to ruckus:log during the inputs.conf phase, due to how the sourcetype pipelines work in the TA. I would first try this approach to validate the logs are being transformed into the different sourcetypes that ship with the TA:
-ruckus:core:reconnect, ruckus:core:disconnect, etc.

[monitor:///var/log/syslog-ng/ruckus_log/127.0.0.1/2016-03-16/messages.log]
index = network
sourcetype = ruckus:log
host_segment = 5

alternatively:

[udp://xxx.xxx.xxx.xxx:514]
index = network
sourcetype = ruckus:log
connection_host = ip


Re: Splunk Add-on for Ruckus Wireless - Fields not Extracted

Path Finder

Thanks for the reply. I have a few questions:

1) Which inputs file am I adjusting? C:\Program Files\Splunk\etc\system\local?
2) I have 13 hosts does that mean I have to put in 13 stanzas or can I use a wildcard?

I think I was under the impression that you install the TA and it takes care of the rest.


Re: Splunk Add-on for Ruckus Wireless - Fields not Extracted

Splunk Employee

The TA does not monitor the log path or source of where the data is coming from. It only normalizes the data, once you set the sourcetype to ruckus:log, into those other sourcetypes specified in props.conf based on regex matches. If you use a custom port for syslog, you would not need to create 13 stanzas. You could do something like this in the Ruckus TA's local/ directory:

inputs.conf
[udp://516]
# or whatever index you wish to use
index = network
sourcetype = ruckus:log
connection_host = ip

It is actually better to set up a syslog server and read the log files from disk using the universal forwarder; this way you don't lose any UDP data during a splunkd restart.


Re: Splunk Add-on for Ruckus Wireless - Fields not Extracted

Path Finder

Thanks, I actually ended up going the props/transforms route but definitely going to move to having a syslog server collecting and forwarding to my indexer.


Re: Splunk Add-on for Ruckus Wireless - Fields not Extracted

Explorer

I'm having an issue myself, but I don't know if it's different in the new Ruckus controller version or output.

2017-11-02T15:10:17-07:00 SCG01 Core: User[AA:FD:BB:28:91:AA] disconnects from WLAN[wifi] at AP[dW-con-007@AA:BB:C4:29:F1:10] with session data(Client Mac[CC:FD:CC:28:AA:2B],Client IP[],OS Type[],Host Name[],BSSID[1C:B9:C4:CC:F1:FF],User Name[DD:AA:17:FF:91:2B],VLAN[80],Encryption[None],Association Time[11 02 22:09:46 2017],Disconnect Reason[client Disconnect],Session Duration[30s],Bytes to User[0],Bytes from User [374],RSSI[10],SNR[-102],Client Radio[g/n],AP Location[],AP GPS[])

inputs.conf
[monitor:///opt/syslog/ruckus/*.log]
index = ruckus
sourcetype = ruckus:log
host_segment = 4
disabled = false

props.conf
[ruckus:log]
category = Network
description = Output produced by the Ruckus Wireless Controller
pulldown_type = true
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 16
TRANSFORMS-sourcetype = ruckus_core, ruckus_core_disconnect, ruckus_core_reconnect, ruckus_core_join, ruckus_core_authorize, ruckus_sshd, ruckus_kernel

[ruckus_core]
rename = ruckus:core

[ruckus:core]
KV_MODE = None
BREAK_ONLY_BEFORE = \w{3}\s{1,2}\d{1,2}\s
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S

transforms.conf
[ruckus_core]
DEST_KEY = MetaData:Sourcetype
REGEX = ^\w{3}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[0-9]{1,3}.){3}[0-9]{1,3}\sCore:
FORMAT = sourcetype::ruckus:core

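The index-time routing the Splunk employee describes above (events arrive as ruckus:log and are rewritten to ruckus:core and friends when a transform's REGEX matches) can be checked offline before touching an indexer. The following is an added example, not code from the original posts or from the Splunk Add-on for Ruckus Wireless. It applies a TRANSFORMS- chain the way splunkd does (in listed order, each matching transform overwriting MetaData:Sourcetype), using only the ruckus_core REGEX quoted in the thread plus one hypothetical extra transform for the ISO 8601 / hostname prefix of the SmartZone line posted above; the sample events are constructed, not real captures.

```python
"""Simulate Splunk's TRANSFORMS-sourcetype chain for ruckus:log events.

Added example; not part of the Ruckus add-on. Every transform whose REGEX
matches rewrites the sourcetype, in the order given on the TRANSFORMS- line,
and an event that no transform matches keeps the default ruckus:log.
"""
import re

DEFAULT_SOURCETYPE = "ruckus:log"

# [ruckus_core] as quoted in the thread: REGEX and FORMAT verbatim. Note the
# unescaped '.' between the IP octets, kept as-is to mirror the posted stanza.
SHIPPED_TRANSFORMS = [
    ("ruckus_core",
     r"^\w{3}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?:[0-9]{1,3}.){3}[0-9]{1,3}\sCore:",
     "ruckus:core"),
]

# Hypothetical extra transform (my assumption, not shipped with the add-on):
# same "Core:" marker, but behind an ISO 8601 timestamp and a hostname, which
# is the shape of the SmartZone/SCG line posted in the thread.
ISO_TRANSFORMS = SHIPPED_TRANSFORMS + [
    ("ruckus_core_iso",
     r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z)?\s\S+\sCore:",
     "ruckus:core"),
]

# Constructed sample events (not real captures).
SAMPLE_EVENTS = [
    # classic syslog prefix: "Mon DD HH:MM:SS <ip> Core:" -> should route to ruckus:core
    "Nov  2 15:10:17 10.0.0.5 Core: User[AA:FD:BB:28:91:AA] disconnects from "
    "WLAN[wifi] at AP[dW-con-007@AA:BB:C4:29:F1:10] with session data(VLAN[80])",
    # newer SCG format from the thread: ISO timestamp + hostname, same Core: marker
    "2017-11-02T15:10:17-07:00 SCG01 Core: User[AA:FD:BB:28:91:AA] disconnects "
    "from WLAN[wifi] at AP[dW-con-007@AA:BB:C4:29:F1:10] with session data(VLAN[80])",
    # classic prefix but not a Core: message -> no transform on this page matches it
    "Nov  2 15:10:18 10.0.0.5 kernel: eth0: link up",
]


def route_sourcetype(event, transforms, default=DEFAULT_SOURCETYPE):
    """Return the sourcetype splunkd would assign after running `transforms`."""
    sourcetype = default
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            # later matching transforms overwrite earlier ones, as in splunkd
            sourcetype = fmt
    return sourcetype


def route_all(events, transforms):
    """Route each event and return the list of resulting sourcetypes, in order."""
    return [route_sourcetype(e, transforms) for e in events]


if __name__ == "__main__":
    for label, chain in (("shipped regex only", SHIPPED_TRANSFORMS),
                         ("with ISO transform", ISO_TRANSFORMS)):
        print(f"--- {label} ---")
        for event, st in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS, chain)):
            print(f"{st:12s}  {event[:60]}")
```

Running it shows the practical point of the last post: the shipped ruckus_core REGEX is anchored on a "Mon DD HH:MM:SS <ip>" prefix, so the ISO 8601 / hostname line never leaves ruckus:log and none of the ruckus:core extractions fire on it, while the classic-format line is routed as expected. On a real indexer the same chain can be inspected with `splunk btool props list ruckus:log --debug` to confirm which app layer the TRANSFORMS- line is coming from.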