All Apps and Add-ons

TA-cisco_ios picking up events from Juniper switches

bochmann
Path Finder

I have noticed that the eventtype cisco_ios-diag in TA-cisco_ios matches on some of the log file entries generated by our Juniper switches (primarily log lines matching facility=KERN).

As far as I have traced this through TA-cisco_ios, force_sourcetype_for_cisco_ios in the TA's transforms.conf matches on some JunOS log entries (and overwrites our custom source type). I don't have a good idea on how to exclude these log lines yet, though - especially in a way that could be included into the TA so we don't have to apply a local fix after every update...

Did anyone run into this yet and has adapted the TA-cisco_ios ruleset?

Example Juniper log entry:

Nov 26 14:09:48 jp45-xxx /kernel: %KERN-5-KERN_LACP_INTF_STATE_CHANGE: lacp_update_state_userspace: cifd xe-0/0/33 - CD state - ready to carry traffic

0 Karma
1 Solution

mikaelbje
Motivator

I'm the app developer and have to say that this certainly interesting. I don't have any experience with JunOS at all and didn't know that its log format looks this much like the IOS format.

I've had a look at the transform for the syslog sourcetype in the TA and can't really find a way to be any less particular in the regex than I already am in order to match Cisco IOS events .

What I'd suggest since your environment contains both JunOS and IOS is to enable two separate UDP inputs on different ports on your splunk server/syslog server, one for sourcetype cisco:ios and the other for junos and then setting your devices to log to these ports. That way you have the events separated already and not coming in as the syslog sourcetype.

What you could then do is disable the transform that changes the sourcetype from syslog to cisco:ios to the following in TA-cisco_ios/local/transforms.conf:


[force_sourcetype_for_cisco_ios]
REGEX = ((?!))

[force_sourcetype_for_cisco_ios-xr]
REGEX = ((?!))

[force_sourcetype_for_cisco_ios-xe]
REGEX = ((?!))

It's totally untested though. Not sure if there's a better way to solve this. Let me know if you succeed.

View solution in original post

mikaelbje
Motivator

I'm the app developer and have to say that this certainly interesting. I don't have any experience with JunOS at all and didn't know that its log format looks this much like the IOS format.

I've had a look at the transform for the syslog sourcetype in the TA and can't really find a way to be any less particular in the regex than I already am in order to match Cisco IOS events .

What I'd suggest since your environment contains both JunOS and IOS is to enable two separate UDP inputs on different ports on your splunk server/syslog server, one for sourcetype cisco:ios and the other for junos and then setting your devices to log to these ports. That way you have the events separated already and not coming in as the syslog sourcetype.

What you could then do is disable the transform that changes the sourcetype from syslog to cisco:ios to the following in TA-cisco_ios/local/transforms.conf:


[force_sourcetype_for_cisco_ios]
REGEX = ((?!))

[force_sourcetype_for_cisco_ios-xr]
REGEX = ((?!))

[force_sourcetype_for_cisco_ios-xe]
REGEX = ((?!))

It's totally untested though. Not sure if there's a better way to solve this. Let me know if you succeed.

mikaelbje
Motivator

You could probably also achieve the same doing it in TA-cisco_ios/local/props.conf

[syslog]
TRANSFORMS-force_sourcetype_for_cisco_ios = REFERENCING_AN_UNEXISTING_TRANSFORM

Maybe this also works (which is even better):

TRANSFORMS-force_sourcetype_for_cisco_ios =
0 Karma

bochmann
Path Finder

Thanks - I think I'll try that - we set a sourcetype directly on our inputs, so I don't usually need to force a different sourcetype based on a regex.
The other possibility would be to exclude data that already has certain sourcetypes set.

Also a general thank you for publishing this app - it has already been useful to us 🙂

mikaelbje
Motivator

I hope you find a feasible solution. The best way to thank me is accepting the answer/and or rating the apps 🙂

0 Karma
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...