
host=GMTS instead of hostname when using Cisco Switch with login on-failure log

thaecker
New Member

Hi everybody,

I configured a Cisco switch with "login on-failure log" to log failed authentications to my Splunk server. Unfortunately, these events have host=GMTS in Splunk instead of the real hostname (host=switchname). Other events from the same switch do not have this problem.

These events look like:

<189>38677: switchname: 038673: Oct 14 12:11:02.419: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: username] [Source: 10.10.10.10] [localport: 22] at 12:11:02 GMTS Thu Oct 14 2010

Is there a way to fix this?

Many thanks in advance.


williamche
Path Finder

Sounds like the regex statement you're using to extract the host field is the cause... Can you publish your regex? It might help troubleshoot this problem.

Does this happen to every event containing the "GMTS" string towards the end of the line? Can you give an example of events where Splunk correctly extracted the host information?

Here's a regex that might work to extract the correct hostname:

REGEX = \<\d+\>\d+:\s+([^:]+):

Assuming that the hostname is always followed by a colon (":").


thaecker
New Member

I think it is the regex used in Manager >> Fields >> Field transformations >> syslog-host:

:\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s

Seems like only events related to Cisco's "login on-failure log" contain the GMTS string; it happens to all of them.

An example event where Splunk was able to determine the correct host information is:

<189>39428: 0.0.0.0: 039424: Oct 18 12:29:48.547: %SYS-5-CONFIG_I: Configured from console by username on vty0 (10.10.10.11)

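To see why the stock syslog-host transform picks GMTS while the proposed regex does not, here is an added Python check (not from the thread or from Splunk) that runs both patterns over the two events quoted above; the default pattern is Splunk's stock syslog-host regex with its backslashes restored, and the event strings are constructed copies of the ones posted.

```python
import re

# Splunk's stock syslog-host transform: anchors on ":<dd><space>" and takes the
# next word-like token as the host.
DEFAULT_SYSLOG_HOST = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s"
)
# williamche's proposed replacement: the host is the token after "<pri>seq:".
PRI_SEQ_HOST = re.compile(r"\<\d+\>\d+:\s+([^:]+):")

# Constructed copies of the two events from the thread (names/IPs as posted).
LOGIN_EVENT = (
    "<189>38677: switchname: 038673: Oct 14 12:11:02.419: "
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: username] "
    "[Source: 10.10.10.10] [localport: 22] at 12:11:02 GMTS Thu Oct 14 2010"
)
CONFIG_EVENT = (
    "<189>39428: 0.0.0.0: 039424: Oct 18 12:29:48.547: "
    "%SYS-5-CONFIG_I: Configured from console by username on vty0 (10.10.10.11)"
)


def extract_host(pattern, event):
    """Return the host the transform would set, or None when the regex does not
    match (then Splunk keeps the host already assigned by the input)."""
    m = pattern.search(event)
    return m.group(1) if m else None


def explain(event):
    """Compare both transforms on one event."""
    return {
        "default": extract_host(DEFAULT_SYSLOG_HOST, event),
        "proposed": extract_host(PRI_SEQ_HOST, event),
    }


if __name__ == "__main__":
    # The login event is the only one with ":02 " (the trailing "at 12:11:02 GMTS"),
    # so the stock regex fires there and grabs "GMTS"; on the config event it never
    # matches and the input-level host survives.
    for name, ev in (("login", LOGIN_EVENT), ("config", CONFIG_EVENT)):
        print(name, explain(ev))
```

Note that on the config event the proposed regex returns the token in the hostname slot as posted, 0.0.0.0, so a replacement transform is worth checking against every event shape the switch emits before it overrides the input-level host.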