Getting Data In

Why is my host_segment monitor configuration not working properly?

edwardrose
Contributor

Ok I read the documentation about using host_segment but it does not seem to be working properly

Here is my stanza:

[monitor:///var/log/gns-dmz/network/]
host_segment = 5
sourcetype = cisco:iso
source = syslog
index = network

Under the /var/log/gns-dmz/network there are like 10 directories which are the host names of the cisco switches/routers which are sending their syslogs to this syslog-ng server. The stanza shows the host name as the name of the syslog-ng server and not the host_segment. What I am doing wrong?

thanks
ed

0 Karma
1 Solution

ssmoot_splunk
Splunk Employee
Splunk Employee

The reason why this is not working for you is that host_segment uses the source metadata to extract the segment from. Since you are overriding the source by defining source = syslog, the default host will be used.
Try removing the source definition and you should be good to go.

View solution in original post

ssmoot_splunk
Splunk Employee
Splunk Employee

The reason why this is not working for you is that host_segment uses the source metadata to extract the segment from. Since you are overriding the source by defining source = syslog, the default host will be used.
Try removing the source definition and you should be good to go.

View solution in original post

edwardrose
Contributor

Yeah I found that out yesterday. I removed the source line and everything started working as it should.

thanks
ed

0 Karma

mikaelbje
Motivator

The host_segment looks correct, but the sourcetype in your monitor stanza says cisco:iso, not cisco:ios. You might want to correct that.

0 Karma

edwardrose
Contributor

Actually have have two separate host_segment stanzas that are not working on this particular host

[monitor:///var/log/gns-dmz/bluecat/]
host_segment = 5
index = bluecat
sourcetype = dns_syslog
source = syslog

So not sure what I am doing wrong

0 Karma

edwardrose
Contributor

I fixed the sourcetype, which did nothing for my issue about the host_segment not working.

[monitor:///var/log/gns-dmz/network/]
host_segment = 5
sourcetype = cisco:ios
source = syslog
index = network

I have 14 different sub-directories under /var/log/gns-dmz/network (all separate devices) and it still only shows up as ebs-syslog01 (name of syslog-ng server). Not sure why it isn't working.

0 Karma

mikaelbje
Motivator

You should post comments on my answer, not answers to your question. This is not a forum, but a way to ask a question and get answers 🙂

  1. List the diretory contents of /var/log/gns-dmz/network and post them here.

    1. Do you have another monitor stanza for /var/log/? This might be set up in i.e. the Splunk App for NIX . If this is the case it means you are monitoring the same files twice. Splunk will only index them once because it checks for duplicates before indexing.
0 Karma

edwardrose
Contributor
[root@ebs-syslog01 network]# ls -lart
total 64
drwxr-xr-x  2 root root 4096 Dec  3 11:24 mamwangw0
drwxr-xr-x  2 root root 4096 Dec  3 11:33 amywangw0
drwxr-xr-x  2 root root 4096 Dec  3 11:33 wvwangw0a-loopback0
drwxr-xr-x  2 root root 4096 Dec  3 11:34 139.181.40.21
drwxr-xr-x  2 root root 4096 Dec  3 11:34 ieswangw0b
drwxr-xr-x  2 root root 4096 Dec  3 11:34 194.196.65.17
drwxr-xr-x  2 root root 4096 Dec  3 11:34 rumwangw0
drwxr-xr-x  2 root root 4096 Dec  3 11:34 tokwangw0
drwxr-xr-x  2 root root 4096 Dec  3 11:34 ieswangw0a
drwxr-xr-x  2 root root 4096 Dec  3 11:34 hsvwangw0-uloop
drwxr-xr-x  2 root root 4096 Dec  3 11:35 wvwangw0b-loopback0
drwxr-xr-x  2 root root 4096 Dec  3 11:35 wana-53-230-12-196
drwxr-xr-x  2 root root 4096 Dec  3 11:35 hsiwangw0
drwxr-xr-x  2 root root 4096 Dec  3 11:35 tw212-static81
drwxr-xr-x  4 root root 4096 Dec 19 14:28 ..
drwxr-xr-x 16 root root 4096 Dec 19 14:29 .
[root@ebs-syslog01 network]# 

Yes I have Splunk_TA_Nix installed on this server as well.

0 Karma

edwardrose
Contributor

I am assuming since Splunk_TA_Nix is installed and monitoring the following

[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
disabled = 1

That I am not getting the host_segment to work as you have stated. I will have to change the directory to one that is not being monitored or disable the Splunk_TA_Nix one, correct?

0 Karma

mikaelbje
Motivator

Hmm, I see it's disabled so it shouldn't really matter. Try monitoring another directory outside of /var/log

The host_segment you have looks OK though. Tried a different Splunk version in case it's a bug?

0 Karma

edwardrose
Contributor

I tried to use /var/testing/devices and then copied the 14 or so directories over and it seems to be working properly now. Not sure why it isn't working in /var/log/gns-dmz

-thanks
ed

0 Karma

mikaelbje
Motivator

Great to hear that you got it working. It would be good if you could mark my answer as accepted 🙂

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.