I have noticed that the eventtype cisco_ios-diag in TA-cisco_ios matches on some of the log file entries generated by our Juniper switches (primarily log lines matching facility=KERN).
As far as I have traced this through TA-cisco_ios, force_sourcetype_for_cisco_ios in the TA's transforms.conf matches on some JunOS log entries (and overwrites our custom source type). I don't have a good idea on how to exclude these log lines yet, though - especially in a way that could be included into the TA so we don't have to apply a local fix after every update...
Did anyone run into this yet and has adapted the TA-cisco_ios ruleset?
Example Juniper log entry:
Nov 26 14:09:48 jp45-xxx /kernel: %KERN-5-KERN_LACP_INTF_STATE_CHANGE: lacp_update_state_userspace: cifd xe-0/0/33 - CD state - ready to carry traffic
I'm the app developer and have to say that this is certainly interesting. I don't have any experience with JunOS at all and didn't know that its log format looks this much like the IOS format.
I've had a look at the transform for the syslog sourcetype in the TA and can't really find a way to be any less particular in the regex than I already am in order to match Cisco IOS events.
What I'd suggest, since your environment contains both JunOS and IOS, is to enable two separate UDP inputs on different ports on your Splunk server/syslog server, one for sourcetype cisco:ios and the other for junos, and then set your devices to log to these ports. That way you have the events separated already and not coming in as the syslog sourcetype.
What you could then do is disable the transform that changes the sourcetype from syslog to cisco:ios by setting the following in TA-cisco_ios/local/transforms.conf:
[force_sourcetype_for_cisco_ios]
REGEX = ((?!))

[force_sourcetype_for_cisco_ios-xr]
REGEX = ((?!))

[force_sourcetype_for_cisco_ios-xe]
REGEX = ((?!))
It's totally untested though. Not sure if there's a better way to solve this. Let me know if you succeed.
You could probably also achieve the same by doing it in TA-cisco_ios/local/props.conf:
[syslog]
TRANSFORMS-force_sourcetype_for_cisco_ios = REFERENCING_AN_UNEXISTING_TRANSFORM
Maybe this also works (which is even better):
TRANSFORMS-force_sourcetype_for_cisco_ios =
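To make the two suggestions above concrete (the never-matching REGEX override in local/transforms.conf, and the observation that transforms under a [syslog] props stanza only touch events that arrive with that sourcetype), here is a small added Python simulation of Splunk's index-time sourcetype rewriting. It is not code from the TA or from this thread: the IOS-style pattern `IOS_LIKE` is a stand-in for the real force_sourcetype_for_cisco_ios REGEX (which the thread does not quote), the Cisco sample line is constructed, and the `TIGHTENED` pattern is only one illustration of how a future TA release could skip lines that carry the JunOS "/kernel:" process tag. The Juniper line is the one quoted in the question.

```python
import re

# Sample events. JUNIPER_LINE is the entry quoted in the question; CISCO_LINE is constructed
# to look like a typical IOS syslog message and is not from the thread.
JUNIPER_LINE = ("Nov 26 14:09:48 jp45-xxx /kernel: %KERN-5-KERN_LACP_INTF_STATE_CHANGE: "
                "lacp_update_state_userspace: cifd xe-0/0/33 - CD state - ready to carry traffic")
CISCO_LINE = ("Nov 26 14:10:02 sw-core-1 1234: *Nov 26 14:10:01.997: %LINK-3-UPDOWN: "
              "Interface GigabitEthernet1/0/1, changed state to down")

# Hypothetical stand-in for the TA's REGEX: any %FACILITY-SEVERITY-MNEMONIC: token.
# Both vendors emit that token, which is exactly why the Juniper line gets caught.
IOS_LIKE = re.compile(r"%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+:")

# The override suggested in the thread: an empty negative lookahead can never succeed,
# so the transform is effectively disabled without deleting the stanza.
NEVER_MATCH = re.compile(r"((?!))")

# Hypothetical tightening: same token, but refuse lines that carry the JunOS "/kernel:"
# process tag. Anchored with ^ so the lookahead inspects the whole line.
TIGHTENED = re.compile(r"^(?!.*\s/kernel:\s).*%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+:")

# Each transform list plays the role of props.conf "[syslog] TRANSFORMS-..." entries:
# ordered (regex, new_sourcetype) pairs, first match wins.
DEFAULT_TRANSFORMS = [(IOS_LIKE, "cisco:ios")]
DISABLED_TRANSFORMS = [(NEVER_MATCH, "cisco:ios")]
TIGHTENED_TRANSFORMS = [(TIGHTENED, "cisco:ios")]


def route(event, input_sourcetype, transforms):
    """Mimic Splunk's index-time behaviour for this TA: the transforms hang off the
    [syslog] props stanza, so events that already arrive with another sourcetype
    (set on a dedicated UDP input, as the thread suggests) are never rewritten.
    For syslog events the first matching REGEX rewrites the sourcetype."""
    if input_sourcetype != "syslog":
        return input_sourcetype
    for regex, new_sourcetype in transforms:
        if regex.search(event):
            return new_sourcetype
    return input_sourcetype


def summarize():
    """Return the outcome of each scenario discussed in the thread, keyed by name."""
    return {
        # 1. The reported problem: Juniper KERN line arriving as syslog is forced to cisco:ios.
        "juniper_default": route(JUNIPER_LINE, "syslog", DEFAULT_TRANSFORMS),
        "cisco_default": route(CISCO_LINE, "syslog", DEFAULT_TRANSFORMS),
        # 2. Local override with REGEX = ((?!)): nothing is rewritten any more.
        "juniper_disabled": route(JUNIPER_LINE, "syslog", DISABLED_TRANSFORMS),
        "cisco_disabled": route(CISCO_LINE, "syslog", DISABLED_TRANSFORMS),
        # 3. Sourcetype fixed on the input: the [syslog] transforms are never consulted.
        "juniper_own_input": route(JUNIPER_LINE, "juniper:junos", DEFAULT_TRANSFORMS),
        # 4. Hypothetical tightened regex: Cisco still routed, Juniper left alone.
        "juniper_tightened": route(JUNIPER_LINE, "syslog", TIGHTENED_TRANSFORMS),
        "cisco_tightened": route(CISCO_LINE, "syslog", TIGHTENED_TRANSFORMS),
    }


if __name__ == "__main__":
    for name, sourcetype in summarize().items():
        print(f"{name:20s} -> {sourcetype}")
```

Scenario 3 is the one the question's author ends up relying on: because the TA attaches its transforms to the syslog sourcetype, an event that already has a sourcetype from its own input is simply never a candidate for rewriting, which is why separate inputs (or the ((?!)) override) avoid a local patch to the regex itself. The tightened pattern is only an illustration; whether "/kernel:" is a reliable JunOS marker across all Juniper platforms would need checking against real data before shipping it in the TA.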
Thanks - I think I'll try that - we set a sourcetype directly on our inputs, so I don't usually need to force a different sourcetype based on a regex.
The other possibility would be to exclude data that already has certain sourcetypes set.
Also a general thank you for publishing this app - it has already been useful to us 🙂
I hope you find a feasible solution. The best way to thank me is accepting the answer/and or rating the apps 🙂