Getting Data In

If I have multiple Cisco devices sending syslog directly to Splunk with the same source and sourcetype, how do I view them separately?

New Member

Although we have multiple threads related to this topic, none are useful, and they are confusing for newbies like me.

I have multiple Cisco devices (Routers, ASA firewall, ACS server) and all are sending syslog info directly to Splunk.

I'd really feel grateful if anybody can give step-by-step recommendations on how to view them separately.

I am confused especially when the sourcetype and source are showing cisco:asa for all the devices that are being searched (say, for example, I'm looking at logs for the SMTP relay and it is showing the sourcetype as ASA).

Please help me friends!

0 Karma

Re: If I have multiple Cisco devices sending syslog directly to Splunk with the same source and sourcetype, how do I view them separately?

Path Finder

In the Search and Reporting app,
build 3 searches:
1 with source=first source file which is in your index and save it as eventtype Routers

    index=my_index source=first_source_name

2 `index=my_index source=second_source_name` save it as eventtype asafirewall
3 `index=my_index source=thirdsourcename` save it as eventtype acs_server

0 Karma
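The three saved searches from the reply above, written out as an eventtypes.conf file. This is an added example, not configuration from the original thread; the index and source names are assumptions carried over from the reply.

```ini
# eventtypes.conf: one eventtype per device, each wrapping one of the
# searches from the reply. Index and source names are assumptions.
[Routers]
search = index=my_index source=first_source_name

[asafirewall]
search = index=my_index source=second_source_name

[acs_server]
search = index=my_index source=thirdsourcename

# Use them at search time, e.g.:
#   index=my_index eventtype=asafirewall
#   index=my_index eventtype=acs_server | stats count by host
```

Eventtypes are search-time labels only: they do not change the sourcetype that was assigned at index time, so any field extractions tied to cisco:asa will still be applied to the ACS and router events. They are a quick way to slice the data, not a substitute for assigning the right sourcetype.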

Re: If I have multiple Cisco devices sending syslog directly to Splunk with the same source and sourcetype, how do I view them separately?

Splunk Employee

This is most likely because all of your devices are sending to the UDP input on the Splunk server, and you have that UDP input configured as cisco:asa. There are a few options to change this:

1) Create different UDP inputs for each device type:
UDP/514 = cisco:asa
UDP/515 = cisco:ios
UDP/515 = cisco:acs
UDP/516 = myunixsyslogfeeds

2) Alternatively, you can configure props and transforms to assign the sourcetype based on a match against the host content.

See this article for more information : http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Advancedsourcetypeoverrides

If you do either of the above, then at search time you can specify sourcetype=cisco:asa or sourcetype=cisco:acs etc.

0 Karma

Re: If I have multiple Cisco devices sending syslog directly to Splunk with the same source and sourcetype, how do I view them separately?

New Member

@esix_splunk : OK, 1st option is good but still I would like to choose second option:

The document says:

Create a stanza in transforms.conf that follows this syntax:

    [] - my value here is ciscoacs & SMTP
    REGEX = -
    FORMAT = sourcetype:: -
    DEST_KEY = MetaData:Sourcetype

Could you please decode the above stanza for cisco acs and SMTP relay logs?

0 Karma
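The two options from the Splunk Employee reply, and the transforms.conf stanza quoted in the question above with its placeholders filled in, as concrete .conf stanzas. This is an added example, not configuration from the original thread or from Splunk's documentation; the port numbers, stanza names, IP addresses (taken from the RFC 5737 documentation range) and the smtp:relay sourcetype name are assumptions.

```ini
# --- inputs.conf (option 1): one UDP input per device class ---------------
# Each port can be bound to only one input stanza, so every device class
# that should get its own sourcetype needs its own port. Ports are assumptions;
# 514 is the syslog default. connection_host = ip records the sender's IP
# as the host field instead of doing a reverse DNS lookup.
[udp://514]
sourcetype = cisco:asa
connection_host = ip

[udp://515]
sourcetype = cisco:ios
connection_host = ip

[udp://516]
sourcetype = cisco:acs
connection_host = ip

# --- props.conf (option 2): keep a single shared port and reassign ---------
# Events arriving on udp:514 start out as cisco:asa and are run through the
# index-time transforms listed here, in order. The source of a UDP input is
# "udp:<port>", which is what the stanza name matches on.
[source::udp:514]
TRANSFORMS-set_sourcetype = set_cisco_acs, set_smtp_relay

# --- transforms.conf (option 2): the docs stanza with values filled in -----
# SOURCE_KEY points REGEX at the host field instead of the raw event, so the
# match is on the sending device, not on log content. The addresses are
# assumptions for this example; with connection_host = ip they are IPs.
[set_cisco_acs]
SOURCE_KEY = MetaData:Host
REGEX = ^192\.0\.2\.10$
FORMAT = sourcetype::cisco:acs
DEST_KEY = MetaData:Sourcetype

[set_smtp_relay]
SOURCE_KEY = MetaData:Host
REGEX = ^192\.0\.2\.20$
FORMAT = sourcetype::smtp:relay
DEST_KEY = MetaData:Sourcetype
```

Pick one approach per port: with option 2 only the `[udp://514]` stanza is kept and the transforms do the splitting. Because these are index-time settings, they take effect after a restart and only for events indexed from then on; everything already indexed stays cisco:asa. Anchor the regex (`^...$`) so that, for instance, 192.0.2.1 does not also match 192.0.2.10, and check the result with a search such as `index=my_index | stats count by host, sourcetype` to confirm each device now lands in the sourcetype you expect.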

Re: If I have multiple Cisco devices sending syslog directly to Splunk with the same source and sourcetype, how do I view them separately?

Path Finder

Or even better, install the technology add-ons for Cisco ASA and ACS; most of it works just fine out of the box 🙂
If you're using a distributed environment, install them on your forwarders.

https://apps.splunk.com/app/1620/
https://apps.splunk.com/app/1811/

0 Karma