
Why is my host_segment monitor configuration not working properly?

edwardrose
Contributor

Ok, I read the documentation about using host_segment, but it does not seem to be working properly.

Here is my stanza:

[monitor:///var/log/gns-dmz/network/]
host_segment = 5
sourcetype = cisco:iso
source = syslog
index = network

Under /var/log/gns-dmz/network there are like 10 directories, which are the host names of the Cisco switches/routers that are sending their syslogs to this syslog-ng server. The stanza shows the host name as the name of the syslog-ng server and not the host_segment. What am I doing wrong?

thanks
ed

0 Karma
1 Solution

ssmoot_splunk
Splunk Employee

The reason why this is not working for you is that host_segment uses the source metadata to extract the segment from. Since you are overriding the source by defining source = syslog, the default host will be used.
Try removing the source definition and you should be good to go.

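To make the accepted answer concrete, here is a small Python model of how host_segment is applied, written as an added example for this page (it is not the poster's configuration file and not Splunk's own code). It assumes a simplified reading of the documented behaviour: host_segment = N takes the Nth '/'-separated segment of the event's source value, so an explicit `source = syslog` leaves nothing at segment 5 and the host falls back to the forwarder's own name. The inputs.conf text, the file paths and the default host name are constructed for the example; the lint function that flags the conflict is a hypothetical helper, not a Splunk feature.

```python
import configparser

# Constructed inputs.conf text modelled on the stanzas in the thread
# (example data, not the poster's actual file).
INPUTS_CONF = """
[monitor:///var/log/gns-dmz/network/]
host_segment = 5
sourcetype = cisco:ios
source = syslog
index = network

[monitor:///var/log/gns-dmz/bluecat/]
host_segment = 5
index = bluecat
sourcetype = dns_syslog
"""

# Hostname of the syslog-ng server / forwarder, the fallback host value.
DEFAULT_HOST = "ebs-syslog01"


def parse_inputs(text):
    """Parse inputs.conf-style text into {stanza_name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def path_segments(path):
    """'/'-separated segments of a path; the leading slash yields no segment."""
    return [seg for seg in path.split("/") if seg]


def monitor_path(stanza_name):
    """'monitor:///var/log/x/' -> '/var/log/x/'."""
    return stanza_name.split("://", 1)[1]


def resolve_host(stanza, file_path, default_host=DEFAULT_HOST):
    """Simplified model of host assignment for one event read from file_path.

    host_segment selects the Nth segment of the event's *source*. When the
    stanza overrides source, that string (not the file path) is segmented,
    so a short value like 'syslog' has no 5th segment and the default host
    is used, which is exactly the symptom described in the question.
    """
    source = stanza.get("source", file_path)
    if "host_segment" not in stanza:
        return stanza.get("host", default_host)
    n = int(stanza["host_segment"])
    segs = path_segments(source)
    if 1 <= n <= len(segs):
        return segs[n - 1]
    return default_host  # requested segment does not exist: fall back


def lint_stanza(name, stanza):
    """Hypothetical pre-deployment check: warnings for host_segment misuse."""
    warnings = []
    if "host_segment" not in stanza:
        return warnings
    n = int(stanza["host_segment"])
    if "source" in stanza:
        warnings.append(
            f"{name}: host_segment={n} is taken from the overridden source "
            f"'{stanza['source']}', not from the file path; remove 'source ='"
        )
    fixed = len(path_segments(monitor_path(name)))
    if n <= fixed:
        warnings.append(
            f"{name}: host_segment={n} lies inside the fixed monitor path "
            f"({fixed} segments), so host would never vary per device"
        )
    return warnings


def lint_inputs(text):
    """Run lint_stanza over every stanza in an inputs.conf-style text."""
    warnings = []
    for name, stanza in parse_inputs(text).items():
        warnings.extend(lint_stanza(name, stanza))
    return warnings


if __name__ == "__main__":
    stanzas = parse_inputs(INPUTS_CONF)
    net = stanzas["monitor:///var/log/gns-dmz/network/"]
    event_file = "/var/log/gns-dmz/network/ieswangw0b/messages"
    print("with source override :", resolve_host(net, event_file))
    without = {k: v for k, v in net.items() if k != "source"}
    print("without source line  :", resolve_host(without, event_file))
    for w in lint_inputs(INPUTS_CONF):
        print("WARN", w)
```

Running the block prints the forwarder's name for the original stanza and the device directory name once the source line is dropped; the lint pass reports only the network stanza, because the bluecat stanza as modelled here has no source override.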


edwardrose
Contributor

Yeah I found that out yesterday. I removed the source line and everything started working as it should.

thanks
ed

0 Karma

mikaelbje
Motivator

The host_segment looks correct, but the sourcetype in your monitor stanza says cisco:iso, not cisco:ios. You might want to correct that.

0 Karma

edwardrose
Contributor

Actually, I have two separate host_segment stanzas that are not working on this particular host:

[monitor:///var/log/gns-dmz/bluecat/]
host_segment = 5
index = bluecat
sourcetype = dns_syslog
source = syslog

So I'm not sure what I am doing wrong.

0 Karma

edwardrose
Contributor

I fixed the sourcetype, which did nothing for my issue about the host_segment not working.

[monitor:///var/log/gns-dmz/network/]
host_segment = 5
sourcetype = cisco:ios
source = syslog
index = network

I have 14 different sub-directories under /var/log/gns-dmz/network (all separate devices) and it still only shows up as ebs-syslog01 (name of syslog-ng server). Not sure why it isn't working.

0 Karma

mikaelbje
Motivator

You should post comments on my answer, not answers to your question. This is not a forum, but a way to ask a question and get answers 🙂

1. List the directory contents of /var/log/gns-dmz/network and post them here.

2. Do you have another monitor stanza for /var/log/? This might be set up in i.e. the Splunk App for NIX. If this is the case it means you are monitoring the same files twice. Splunk will only index them once because it checks for duplicates before indexing.
0 Karma

edwardrose
Contributor
[root@ebs-syslog01 network]# ls -lart
total 64
drwxr-xr-x  2 root root 4096 Dec  3 11:24 mamwangw0
drwxr-xr-x  2 root root 4096 Dec  3 11:33 amywangw0
drwxr-xr-x  2 root root 4096 Dec  3 11:33 wvwangw0a-loopback0
drwxr-xr-x  2 root root 4096 Dec  3 11:34 139.181.40.21
drwxr-xr-x  2 root root 4096 Dec  3 11:34 ieswangw0b
drwxr-xr-x  2 root root 4096 Dec  3 11:34 194.196.65.17
drwxr-xr-x  2 root root 4096 Dec  3 11:34 rumwangw0
drwxr-xr-x  2 root root 4096 Dec  3 11:34 tokwangw0
drwxr-xr-x  2 root root 4096 Dec  3 11:34 ieswangw0a
drwxr-xr-x  2 root root 4096 Dec  3 11:34 hsvwangw0-uloop
drwxr-xr-x  2 root root 4096 Dec  3 11:35 wvwangw0b-loopback0
drwxr-xr-x  2 root root 4096 Dec  3 11:35 wana-53-230-12-196
drwxr-xr-x  2 root root 4096 Dec  3 11:35 hsiwangw0
drwxr-xr-x  2 root root 4096 Dec  3 11:35 tw212-static81
drwxr-xr-x  4 root root 4096 Dec 19 14:28 ..
drwxr-xr-x 16 root root 4096 Dec 19 14:29 .
[root@ebs-syslog01 network]# 

Yes I have Splunk_TA_Nix installed on this server as well.

0 Karma

edwardrose
Contributor

I am assuming, since Splunk_TA_Nix is installed and monitoring the following:

[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
disabled = 1

that I am not getting the host_segment to work, as you have stated. I will have to change the directory to one that is not being monitored, or disable the Splunk_TA_Nix one, correct?

0 Karma

mikaelbje
Motivator

Hmm, I see it's disabled, so it shouldn't really matter. Try monitoring another directory outside of /var/log.

The host_segment you have looks OK though. Tried a different Splunk version in case it's a bug?

0 Karma

edwardrose
Contributor

I tried to use /var/testing/devices and then copied the 14 or so directories over, and it seems to be working properly now. Not sure why it isn't working in /var/log/gns-dmz.

-thanks
ed

0 Karma

mikaelbje
Motivator

Great to hear that you got it working. It would be good if you could mark my answer as accepted 🙂

0 Karma