Getting Data In

Does anyone have Cisco UCS field extractions and/or dashboards?

Glenn
Builder

We have new Cisco UCS kit and would like to process its syslogs in Splunk. Has anyone already established a set of field extractions or dashboards that they would like to share? Are there any plans for Splunk to provide any within the product? I think this is likely to be a hardware options that will grow significantly in popularity over time.

Example (scrubbed) logs:

Oct 26 16:33:02 pgce0-su-0j-b.tia.sn.local : 1001 Oct 26 16:33:02 LON: %OTIS-6-EVENT: [G2140204][054002][transition][internal][] [REX:STAGE:STALE-SUCCESS]: MARY profile configuration on peer fabric(REX-STAGE:rea:bev:OrrgYfpxhgnFowZerley:Peer)
Oct 26 16:32:52 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:52 VAN: %OTIS-3-PORT_FAILED: [D0047][cleared][port-failed][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-up, reason: Link failure or not-connected
Oct 26 16:32:52 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:52 VAN: %OTIS-3-PORT_FAILED: [D0047][cleared][port-failed][sys/switch-B/slot-1/switch-ether/port-1] ether port 1 on fabric interconnect B gwyn state: link-up, reason: Link failure or not-connected
Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:svc_rhonda,!!!!!!!!!!!,03030.000000,01263.000000 - jefferson
Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:max-dorinda,$1$K1jNUXPu$1bpsCt0/xDbsWSwrfHXi//,-1.000000,01263.000000 - jefferson
Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:admin,$1$lnRiXnQe$VQ0qXvmM0CfaJBU36ZLMk/,-1.000000,01263.000000 - jefferson
Oct 26 16:32:51 tpr0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %USER-6-SYSTEM_EVE: checking user:ronnie,!,-1.000000,01263.000000 - jefferson
Oct 26 16:32:51 pgce0-su-0j-b.tia.sn.local : 1001 Oct 26 16:32:51 LON: %OTIS-3-OPERATIONAL_STATE_DOWN: [Y0231][major][operational-state-down][fabric/hal/A/tp-100] hal port-channel 100 on fabric interconnect A gwyn state: failed, reason: No operational members
Oct 26 16:32:46 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:46 VAN: %OTIS-3-MEMBERSHIP_DOWN: [T0025][cleared][membership-down][fabric/hal/A/tp-101/ai-slot-1-port-3] hal Member 1/3 of Port-Channel 101 on fabric interconnect A is down, membership: down
Oct 26 16:32:46 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:46 VAN: %OTIS-3-MEMBERSHIP_DOWN: [T0025][cleared][membership-down][fabric/hal/A/tp-101/ai-slot-1-port-1] hal Member 1/1 of Port-Channel 101 on fabric interconnect A is down, membership: down
Oct 26 16:32:30 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:30 VAN: %OTIS-3-LINK_DOWN: [Y0035][major][link-down][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-down, reason: Link failure or not-connected
Oct 26 16:32:30 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:30 VAN: %OTIS-3-PORT_FAILED: [D0047][major][port-failed][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-up, reason: Link failure or not-connected

friea
Splunk Employee

Glenn, I think we've exchanged notes about the app in the past. Hope your deployment is going well!

Quick heads up that Splunk has released a new and fully supported Add-on for Cisco UCS which is available at https://splunkbase.splunk.com/app/2731/.

Cisco's Bill Williams posted a nice write-up on the new integration at http://blogs.cisco.com/datacenter/splunk-integration-for-ucs.

(I know ... doesn't address your question in the least. But thought it would be useful for you & other folks looking at this post to know that a more current integration is available.)

0 Karma

halr9000
Motivator

Glenn, don't forget to "accept" an answer, it really helps out the community to mark things appropriately.

0 Karma

halr9000
Motivator

Just posted: http://splunk-base.splunk.com/apps/54084/splunk-app-for-cisco-ucs

Sorry it took so long. 😉

Do check it out and let us know what you think. The app is in preview now, plenty of time to make changes and add features. It will hit beta at our .conf event.

halr9000
Motivator

We just published v1.0 of the Cisco UCS app. Note that it does not do much with the syslog events, but instead works mostly with data from the UCS XML API. There is definitely value in the syslog stuff that comes out of UCS; in particular the event logs named "event" and "audit" in the UCS Manager. I have a few extractions and saved searches in the app for this data, but you could do a lot more.

http://splunk-base.splunk.com/apps/Splunk+App+for+Cisco+UCS

0 Karma

halr9000
Motivator

I'm afraid I don't have a date yet. Contacting you off-site.

0 Karma

Glenn
Builder

Great, thanks a lot. I am getting one of our guys to evaluate this now and we'll get back to you with any feedback. EDIT - just noticed something... it looks like it requires Windows? We barely run Windows here, do you have an ETA on the python port?

0 Karma

assaphmehr
Explorer

Here is some basic field extraction.

### inputs.conf

[monitor:///var/log/rsyslog-ucs]
followTail = 0
# Note that we set the host name in the log file name.
# You could alternatively extract it inside the log on each line.
host_regex = \/([\w\d\-]+?)[_\.].*\.log
index = rsyslog
sourcetype = UCS_Syslog


### props.conf

[UCS_Syslog]
# Every syslog line is its own event; no line merging.
SHOULD_LINEMERGE = false
MAX_EVENTS = 1
# Search-time field extractions, each defined as a stanza in transforms.conf.
REPORT-UCS_Component = UCS_Component
REPORT-UCS_Severity = UCS_Severity
REPORT-UCS_Fault_Code = UCS_Fault_Code
REPORT-UCS_Process_PID = UCS_Process_PID


### transforms.conf

[UCS_Component]
CLEAN_KEYS = 1
MV_ADD = 0
# Skip the ten space-separated header tokens (outer timestamp, host, ":", "1001",
# inner timestamp, fabric interconnect name) and take the %FACILITY-N-MNEMONIC token
# up to its trailing colon.
REGEX = (?i)^(?:[^ ]* ){10}([^:]+)
FORMAT = UCS_Component::$1

[UCS_Severity]
CLEAN_KEYS = 1
MV_ADD = 0
# Case-insensitive: the sample events above carry the severity in lowercase,
# e.g. [cleared] and [major].
REGEX = (?i)\[(Cleared|Condition|Critical|Info|Major|Minor|Warning)\]
FORMAT = UCS_Severity::$1

[UCS_Fault_Code]
CLEAN_KEYS = 1
MV_ADD = 0
# UCS fault codes are an F followed by digits in square brackets; the scrubbed
# sample lines above replaced the leading letter.
REGEX = .*\[(F\d+)\]
FORMAT = UCS_Fault_Code::$1

[UCS_Process_PID]
CLEAN_KEYS = 1
MV_ADD = 0
# Classic "process[pid]" syslog tag, for UCS lines that carry one.
REGEX = .* (\w+)\[(\d+)\]
FORMAT = UCS_Process::$1 UCS_PID::$2

0 Karma
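As an added example (not from the thread or the Splunk app), the same extractions applied outside Splunk: a small Python parser for the UCS syslog shape shown in the question, run over three of the scrubbed sample lines, plus a helper that tracks which faults are still open once their [cleared] events are folded in. The regex names mirror the transforms above; the bracketed layout [code][severity][cause][dn] and the "state: ..., reason: ..." tail are read off the sample lines, and the function and field names are my own.

```python
import re

# UCS Manager syslog shape seen in the thread:
# "<outer syslog ts> <host> : 1001 <inner ts> <FI name>: %FAC-N-MNEMONIC: [code][severity][cause][dn] message"
HOST_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+) :")
# Same idea as the UCS_Component transform: skip ten space-separated tokens, take up to the next colon.
COMPONENT_RE = re.compile(r"^(?:[^ ]* ){10}([^:]+)")
MNEMONIC_RE = re.compile(r"%([A-Z_]+)-(\d)-([A-Z_]+):")
# Fault events carry four bracketed fields; plain events such as %OTIS-6-EVENT do not fit this shape.
FAULT_RE = re.compile(
    r"\[([A-Z]\d+)\]\[(cleared|condition|critical|info|major|minor|warning)\]\[([a-z-]+)\]\[([^\]]*)\]", re.I)
STATE_RE = re.compile(r"state: ([^,]+), reason: (.+)$")


def parse_ucs_line(line):
    """Return a dict of fields extracted from one UCS syslog line (keys only for parts that matched)."""
    fields = {}
    if m := HOST_RE.match(line):
        fields["host"] = m.group(1)
    if m := COMPONENT_RE.match(line):
        fields["UCS_Component"] = m.group(1)
    if m := MNEMONIC_RE.search(line):
        fields["facility"], fields["syslog_severity"], fields["mnemonic"] = m.group(1), int(m.group(2)), m.group(3)
    if m := FAULT_RE.search(line):
        fields["UCS_Fault_Code"] = m.group(1)
        fields["UCS_Severity"] = m.group(2).lower()   # samples show lowercase [cleared]/[major]
        fields["cause"] = m.group(3)
        fields["dn"] = m.group(4)                     # affected object, e.g. sys/switch-B/slot-1/...
    if m := STATE_RE.search(line):
        fields["state"], fields["reason"] = m.group(1), m.group(2)
    return fields


def open_faults(lines):
    """Walk lines oldest-first; a fault stays open until a [cleared] event arrives for the same code and dn."""
    still_open = {}
    for rec in map(parse_ucs_line, lines):
        if "UCS_Fault_Code" not in rec:
            continue
        key = (rec["UCS_Fault_Code"], rec["dn"])
        if rec["UCS_Severity"] == "cleared":
            still_open.pop(key, None)
        else:
            still_open[key] = rec["UCS_Severity"]
    return still_open


# Three lines from the thread's scrubbed sample, reordered oldest-first (the post lists newest-first).
SAMPLE_LINES = [
    "Oct 26 16:32:30 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:30 VAN: %OTIS-3-LINK_DOWN: [Y0035][major][link-down][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-down, reason: Link failure or not-connected",
    "Oct 26 16:32:30 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:30 VAN: %OTIS-3-PORT_FAILED: [D0047][major][port-failed][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-up, reason: Link failure or not-connected",
    "Oct 26 16:32:52 pgce0-su-1w-a.tia.sn.local : 1001 Oct 26 15:32:52 VAN: %OTIS-3-PORT_FAILED: [D0047][cleared][port-failed][sys/switch-B/slot-1/switch-ether/port-3] ether port 3 on fabric interconnect B gwyn state: link-up, reason: Link failure or not-connected",
]

if __name__ == "__main__":
    for rec in map(parse_ucs_line, SAMPLE_LINES):
        print(rec)
    print("still open:", open_faults(SAMPLE_LINES))
```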

Glenn
Builder

This looks good...

0 Karma

Glenn
Builder

No. It looks like a do-it-ourselves job. I haven't done it myself yet due to other priorities.

0 Karma

assaphmehr
Explorer

Hi,

Did anyone solve this? I am also trying now to analyse Cisco UCS syslog files, and any pointers would be most welcome 🙂

Cheers, Assaph

0 Karma