Syslog server to Cisco IOS app?

watsontony80
New Member

I've inherited an old syslog-ng server that has about 10 years' worth of Cisco reporting in text files sent via syslog. I'm new to the Splunk world and configured a Universal Forwarder on the syslog machine and pointed it at my Enterprise Indexer with the Cisco IOS app installed. I can get the logs to the server, but they don't enter the Cisco IOS app as expected. They're showing up in my Index as hostname = syslogservername and sourcetype as unknown. I edited the inputs on the forwarder to have a monitor stanza with a sourcetype of cisco_ios, but then it doesn't send anything at all to the indexer that I can find. I just want to have the logs parsed by the hostname (ciscoswitcha, etc.) of the device and the details that it's gathered. Help? Here's how the lines in the syslog text files look:

Jan 9 00:00:51 HOSTNAME 1838: Dec 9 00:00:50.511 est: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session 00000836 failed to receive Accounting Response.

How can I parse for the name of the device and its message into the IOS app?

0 Karma

mikaelbje
Motivator

Hi,

Hostname transform:
1. If you have one log file/folder per host you can use host_segment=N. Examples: http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/inputsconf
2. If you have all your hosts in one file you could install a Splunk Heavy Forwarder and use a host transform to pull the hostname out of the log. You could also do this on the indexer if you don't want a Heavy Forwarder on your syslog server. Examples: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/overridedefaulthostassignments

Regarding hosts not showing up in the app:
The sourcetype needs to be set to cisco:ios or syslog, NOT cisco_ios.

Please rate or accept the answer if you find it helpful 🙂

Regards,
Mikael
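To make option 2 of the answer concrete, here is an added example (not from the original post, the Cisco IOS app or Splunk's docs) of the inputs.conf, props.conf and transforms.conf settings that pull the device name out of the sample line above and tag the input with the sourcetype the app expects. The monitor path, index name and stanza names are assumptions; the props/transforms stanzas have to sit on the parsing tier (heavy forwarder or indexer), because a Universal Forwarder does not run host override transforms.

```ini
# inputs.conf on the Universal Forwarder on the syslog-ng box
# (path and index are assumed placeholders; sourcetype must be cisco:ios, not cisco_ios)
[monitor:///path/to/syslog-ng/cisco]
sourcetype = cisco:ios
index = network

# props.conf on the heavy forwarder or indexer (parsing tier):
# run the host override on every event that arrives with the cisco:ios sourcetype
[cisco:ios]
TRANSFORMS-cisco_host = cisco_syslog_host

# transforms.conf on the same tier: the device name is the token right after the
# syslog-ng timestamp, e.g. "Jan 9 00:00:51 HOSTNAME 1838: Dec 9 ..." -> host=HOSTNAME
# (\s+ tolerates the double space syslog-ng writes before single-digit days)
[cisco_syslog_host]
REGEX = ^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

After restarting the parsing tier, `index=network | stats count by host, sourcetype` should show one row per switch instead of the syslog server's own name; events indexed before the change keep their old host value.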
