We have new Cisco UCS kit and would like to process its syslogs in Splunk. Has anyone already established a set of field extractions or dashboards that they would like to share? Are there any plans for Splunk to provide any within the product? I think this is likely to be a hardware option that will grow significantly in popularity over time.
Example (scrubbed) logs:
Oct 26 16:33:02 pgce0-su-0j-b.tia.sn.local : 1001 Oct 26 16:33:02 LON: %OTIS-6-EVENT: [G2140204][054002][transition][internal][] [REX:STAGE:STALE-SUCCESS]: MARY profile configuration on peer fabric(REX-STAGE:rea:bev:OrrgYfpxhgnFowZerley:Peer)
Oct 26 16:32:52 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:52 VAN: %OTIS-3-PORT_FAILED: [D0047][cleared][port-failed][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-up, reason: Link failure or not-connected
Oct 26 16:32:52 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:52 VAN: %OTIS-3-PORT_FAILED: [D0047][cleared][port-failed][sys/switch-B/slot-1/switch-ether/port-1] ether port 1 on fabric interconnect B gwyn state: link-up, reason: Link failure or not-connected
Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:svc_rhonda,!!!!!!!!!!!,03030.000000,01263.000000 - jefferson
Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:max-dorinda,$1$K1jNUXPu$1bpsCt0/xDbsWSwrfHXi//,-1.000000,01263.000000 - jefferson
Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:admin,$1$lnRiXnQe$VQ0qXvmM0CfaJBU36ZLMk/,-1.000000,01263.000000 - jefferson
Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:ronnie,!,-1.000000,01263.000000 - jefferson
Oct 26 16:32:51 pgce0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %OTIS-3-OPERATIONAL_STATE_DOWN: [Y0231][major][operational-state-down][fabric/hal/A/tp-100] hal port-channel 100 on fabric interconnect A gwyn state: failed, reason: No operational members
Oct 26 16:32:46 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:46 VAN: %OTIS-3-MEMBERSHIP_DOWN: [T0025][cleared][membership-down][fabric/hal/A/tp-101/ai-slot-1-port-3] hal Member 1/3 of Port-Channel 101 on fabric interconnect A is down, membership: down
Oct 26 16:32:46 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:46 VAN: %OTIS-3-MEMBERSHIP_DOWN: [T0025][cleared][membership-down][fabric/hal/A/tp-101/ai-slot-1-port-1] hal Member 1/1 of Port-Channel 101 on fabric interconnect A is down, membership: down
Oct 26 16:32:30 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:30 VAN: %OTIS-3-LINK_DOWN: [Y0035][major][link-down][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-down, reason: Link failure or not-connected
Oct 26 16:32:30 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:30 VAN: %OTIS-3-PORT_FAILED: [D0047][major][port-failed][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-up, reason: Link failure or not-connected
Glenn, I think we've exchanged notes about the app in the past. Hope your deployment is going well!
Quick heads up that Splunk has released a new and fully supported Add-on for Cisco UCS which is available at https://splunkbase.splunk.com/app/2731/.
Cisco's Bill Williams posted a nice write-up on the new integration at http://blogs.cisco.com/datacenter/splunk-integration-for-ucs.
(I know ... doesn't address your question in the least. But thought it would be useful for you & other folks looking at this post to know that a more current integration is available.)
Glenn, don't forget to "accept" an answer, it really helps out the community to mark things appropriately.
Just posted: http://splunk-base.splunk.com/apps/54084/splunk-app-for-cisco-ucs
Sorry it took so long. 😉
Do check it out and let us know what you think. The app is in preview now, plenty of time to make changes and add features. It will hit beta at our .conf event.
We just published v1.0 of the Cisco UCS app. Note that it does not do much with the syslog events, but instead works mostly with data from the UCS XML API. There is definitely value in the syslog stuff that comes out of UCS; in particular the event logs named "event" and "audit" in the UCS Manager. I have a few extractions and saved searches in the app for this data, but you could do a lot more.
I'm afraid I don't have a date yet. Contacting you off-site.
Great, thanks a lot. I am getting one of our guys to evaluate this now and we'll get back to you with any feedback. EDIT - just noticed something... it looks like it requires Windows? We barely run Windows here, do you have an ETA on the python port?
Here is some basic field extraction.
### inputs.conf
[monitor:///var/log/rsyslog-ucs]
followTail = 0
# Note that we set the host name in the log file name.
# You could alternatively extract it inside the log on each line.
host_regex = \/([\w\d\-]+?)[_\.].*\.log
index = rsyslog
sourcetype = UCS_Syslog
### props.conf
[UCS_Syslog]
SHOULD_LINEMERGE = false
MAX_EVENTS = 1
REPORT-UCS_Component = UCS_Component
REPORT-UCS_Severity = UCS_Severity
REPORT-UCS_Fault_Code = UCS_Fault_Code
REPORT-UCS_Process_PID = UCS_Process_PID
### transforms.conf
[UCS_Component]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = (?i)^(?:[^ ]* ){10}([^:]+)
FORMAT = UCS_Component::$1
[UCS_Severity]
CLEAN_KEYS = 1
MV_ADD = 0
# (?i) added: the sample events carry lowercase severities such as [major] and [cleared],
# which a case-sensitive pattern would never match.
REGEX = (?i)\[(Cleared|Condition|Critical|Info|Major|Minor|Warning)\]
FORMAT = UCS_Severity::$1
[UCS_Fault_Code]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = .*\[(F\d+)\]
FORMAT = UCS_Fault_Code::$1
[UCS_Process_PID]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = .* (\w+)\[(\d+)\]
FORMAT = UCS_Process::$1 UCS_PID::$2
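As an added example (not code from the answer above or from any Splunk app), the same extractions reimplemented in Python and run over lines modelled on the scrubbed samples in the question, so you can check what each transform would pull out before committing it to props/transforms. It additionally masks the MD5-crypt style password hashes that the USER-6-SYSTEM_EVE lines carry, since those should not land in an index. The DN extraction, the facility/mnemonic split and the single-letter fault-code prefix (real UCS codes start with F; the scrubbed samples use other letters) are assumptions of this example.

```python
import re

# Constructed sample lines, modelled on the scrubbed logs posted in the question.
SAMPLE_LOGS = [
    "Oct 26 16:32:30 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:30 VAN: %OTIS-3-LINK_DOWN: [Y0035][major][link-down][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-down, reason: Link failure or not-connected",
    "Oct 26 16:32:52 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:52 VAN: %OTIS-3-PORT_FAILED: [D0047][cleared][port-failed][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-up, reason: Link failure or not-connected",
    "Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:admin,$1$lnRiXnQe$VQ0qXvmM0CfaJBU36ZLMk/,-1.000000,01263.000000 - jefferson",
]

# Same pattern as the posted UCS_Component transform: skip ten space-separated tokens
# (relay timestamp, relay host, ":", "1001", device timestamp, device host) and capture
# up to the next colon, e.g. "%OTIS-3-LINK_DOWN".
COMPONENT_RE = re.compile(r"^(?:[^ ]* ){10}([^:]+)", re.I)
# Assumed split of that component into facility, severity digit and mnemonic.
COMPONENT_PARTS_RE = re.compile(r"^%(?P<facility>[A-Z_]+)-(?P<severity_num>\d)-(?P<mnemonic>\w+)$")
# Posted UCS_Severity transform, made case-insensitive to match the lowercase samples.
SEVERITY_RE = re.compile(r"\[(cleared|condition|critical|info|major|minor|warning)\]", re.I)
# Fault code: the posted transform uses F\d+; one uppercase letter is accepted here
# only because the scrubbed samples use other prefixes (assumption).
FAULT_CODE_RE = re.compile(r"\[([A-Z]\d+)\]")
# Affected object path, the fourth bracketed field after the fault code (assumption).
DN_RE = re.compile(r"\[[A-Z]\d+\]\[\w+\]\[[\w-]+\]\[([^\]]+)\]")
# Posted UCS_Process_PID transform, minus the redundant leading ".*".
PROCESS_PID_RE = re.compile(r" (\w+)\[(\d+)\]")
# MD5-crypt style hashes as seen in the USER-6-SYSTEM_EVE lines.
CRYPT_HASH_RE = re.compile(r"\$1\$[^$]+\$[./0-9A-Za-z]+")


def parse_ucs_syslog(line):
    """Return the fields the posted transforms extract, plus the assumed derived ones."""
    fields = {}
    m = COMPONENT_RE.match(line)
    if not m:
        return fields  # not a UCS-relayed line in this format
    fields["UCS_Component"] = m.group(1)
    parts = COMPONENT_PARTS_RE.match(fields["UCS_Component"])
    if parts:
        fields.update(parts.groupdict())
    for key, rx in (("UCS_Severity", SEVERITY_RE), ("UCS_Fault_Code", FAULT_CODE_RE), ("UCS_DN", DN_RE)):
        m = rx.search(line)
        if m:
            fields[key] = m.group(1).lower() if key == "UCS_Severity" else m.group(1)
    m = PROCESS_PID_RE.search(line)
    if m:
        fields["UCS_Process"], fields["UCS_PID"] = m.group(1), int(m.group(2))
    return fields


def redact_credential_hashes(line):
    """Mask password hashes before the event is forwarded or indexed."""
    return CRYPT_HASH_RE.sub("[REDACTED]", line)


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(parse_ucs_syslog(redact_credential_hashes(raw)))
```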
This looks good...
No. It looks like a do-it-ourselves job. I haven't done it myself yet due to other priorities.
Hi,
Did anyone solve this? I am also trying now to analyse Cisco UCS syslog files, and any pointers would be most welcome 🙂
Cheers, Assaph