Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get forwarded data into Splunk Enterprise?

eholz1
Contributor
‎07-18-2022 03:38 PM

Hello Members,

I have a basic question - I am not sure how to get data into splunk, into a custom index, use a source type, and then exrract fields. I have the add-0n installed for Cisco network devices, but not sure it is the correct app to use for my case.

I have a remote syslog server (running rsyslog) that builds log files for cisco switches and routers.

I have a universal forwarder installed on the syslog server, it forwards data to splunk IF I configure it

correctly.  I have tried configuring the Splunk receiver two ways: one using the "Forwarding and receiving" option from the "DATA" area - this works - but only allows showing data from the host sending the log info. And uses only 1 port, I am using 9997.

I have not seen how to set a data source or source type for the incoming data.

 

The second way seems to be using the "Data Inputs" part of the "DATA" area.  This seems to not be possible, as the data is coming from a Universaly forwarder not a Splunk Enterprise configured as a forwarder.

 

How can I assign a source type and index to the data that does come in from the host that is configured with port 997 as a receiver?  Sorry for such a confusing question,

Regards,

eholz1

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-18-2022 11:50 PM

Hi @eholz1,

let me understand:

  • you have an rsyslog server that receives data from cisco routers and switches and writes them in files,
  • you installed a Forwarder (Universal or Heavy?) on the syslog server,
  • You configured your Forwarder to send data to the Indexer,
  • you created an input that reads the files written by the rsyslog server,
  • you installed the Cisco-Add-On on the Forwarder,

Is this correct?

Now I have some additional questions?

  • data are written in files in the Forwarder?
  • did you installed the Cisco-Add-On also on Indexers and Search Heads?
  • Do you have data in Indexers?
  • are they correctly parsed?

As you can easily understand, I described the steps to configure the syslog input using rsyslog server.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-18-2022 11:50 PM

Hi @eholz1,

let me understand:

  • you have an rsyslog server that receives data from cisco routers and switches and writes them in files,
  • you installed a Forwarder (Universal or Heavy?) on the syslog server,
  • You configured your Forwarder to send data to the Indexer,
  • you created an input that reads the files written by the rsyslog server,
  • you installed the Cisco-Add-On on the Forwarder,

Is this correct?

Now I have some additional questions?

  • data are written in files in the Forwarder?
  • did you installed the Cisco-Add-On also on Indexers and Search Heads?
  • Do you have data in Indexers?
  • are they correctly parsed?

As you can easily understand, I described the steps to configure the syslog input using rsyslog server.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

eholz1
Contributor
‎07-21-2022 07:56 AM

Hello and thanks for the information,

I think I understand now. I am forwarding logs from my syslog server - using rsyslog. This is NOT a cisco device.

So, I will guess that using a source type of "cisco:ios" will not really give me the extraction for the IP address of a switch without using a field extraction from the event that comes from the syslog server.

But - if I should configure a switch or router to send its log files directly to splunk, and use the TA_cisco app or the cisco:ios source type the IP address would be available?>

Please clarify that for me.

thanks,

eholz1

 

 

Tags (3)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-21-2022 08:00 AM

Hi @eholz1,

are you receiving syslogs in an Heavy or Universal Forwarder?

If Universal , you need to install TA only on indexer.

If instead you  are using an Heavy Forwarder, it cooks data so you need to install the TA also on the HF.

Then check if the sourcetype you're using is the one used in the TA.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

eholz1
Contributor
‎07-21-2022 08:07 AM

Hello Giuseppe,

Wow fast response. I am using a Universal Forwarder on the syslog server - it forwards logs created and formattted using rsyslog.

I do have the TA installed on the Splunk indexer.

I will double check settings to insure I am using the correct source type from the TA

0 Karma
Reply
Solved! Jump to solution

eholz1
Contributor
‎07-19-2022 07:24 AM

Molto Grazie gusello,

I think I am also missing something about getting this to work...

I have a Universal Forwarder installed on the syslog server - uses rsyslog to write log files.

The syslog server/Universal forwarder does send data to the intexer but: I get garbage data - all

splunk-cooked-mode-v3 etc this is using a configuration set in inputs.conf

I do not have the cisco network app installed on the Universal Forwarder/syslog server.

I do have the cisco network app installed on the Splunk indexer.

 

I will go back and review my configuration,

thank you very much for the help.

 

0 Karma
Reply
Solved! Jump to solution

Roy_9
Motivator
‎07-18-2022 09:30 PM

@eholz1 Since you said you have installed cisco add-on, did you get a chance to look at the inputs.conf and enable it? if it is not available you need to develop an inputs.conf where you need to mention monitor stanza with the path and add sourcetype and index manually.

Reply
Solved! Jump to solution

eholz1
Contributor
‎07-19-2022 09:13 AM

Thanks for the response. It seems that I cannot configure an input with a  custom index and a source-type.

I have data coming in direct from the syslog server using this part of the DATA dialog window using port 9997:

eholz1_1-1658245990280.png

Thanks for the information,

eholz1

 

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...