Getting Data In

Monitor twice the same directory

StefanW
Path Finder

Hello,

i have syslog-ng running and got all my syslog messages from my access points and cisco switches to the same directory. But the access points should go to another index as the switch logs.

so i created to monitor stanzas, but the second stanza doesnt work.

 

#log cisco switches
[monitor:///var/syslog/logavaya/*/*.log]
host_segment = 4
disabled = false
index = cisco
sourcetype = syslog
blacklist = \d-\d\d\.kuechen\.de\.log$

#log avaya access points
[monitor:///var/syslog/logavaya/*/./*.log]
host_segment = 4
disabled = false
index = avaya
sourcetype = avaya:ap
whitelist = \d-\d\d\.kuechen\.de\.log$

 

The question is, how can i input all files into two index with different sourcetypes?

Labels (2)
0 Karma
1 Solution

StefanW
Path Finder

ok, i solved it with wildcards

 

[monitor:///var/syslog/logavaya/*/*-*.kuechen.de.log]

View solution in original post

0 Karma

StefanW
Path Finder

ok, i solved it with wildcards

 

[monitor:///var/syslog/logavaya/*/*-*.kuechen.de.log]
0 Karma

scelikok
SplunkTrust
SplunkTrust

Maybe the best idea is filtering with syslog-ng based on message content and write to a different folder.

log {
    source(s1);
    filter { match("cisco" value("MESSAGE")) };
    destination(d_cisco);
};
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @StefanW,

Regex does work on monitor starting from the next segment after * or ... .

The reason of the problem is, the first stanza already covers *.log files, if you can write a regex to cisco stanza it will work. If you can tell us about the files names for cisco and avaya we can offer regex. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

StefanW
Path Finder

The Avaya access point logs are really simple. Like 1-01.kuechen.de

the switches have hostnames which are complex and have no really a pattern, because of that I blacklisted the avaya log files. 

0 Karma

StefanW
Path Finder

I tried this first, but as I know, regex is not possible in the path part of the monitor. 

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @StefanW,

You should use different stanzas, please try below. If you can define regex for cisco switches, it is better.

#log cisco switches
[monitor:///var/syslog/logavaya/*/*.log]
host_segment = 4
disabled = false
index = cisco
sourcetype = syslog
blacklist = \d-\d\d\.kuechen\.de\.log$

#log avaya access points
[monitor:///var/syslog/logavaya/*/./\d-\d\d\.kuechen\.de\.log$]
host_segment = 4
disabled = false
index = avaya
sourcetype = avaya:ap

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...