Activity Feed
- Posted Re: Wrong host identifier in SYSLOG messages on Reporting. 01-29-2014 04:28 PM
- Posted Re: Wrong host identifier in SYSLOG messages on Reporting. 01-29-2014 03:59 PM
- Posted Re: Wrong host identifier in SYSLOG messages on Reporting. 01-29-2014 02:49 PM
- Posted Re: Wrong host identifier in SYSLOG messages on Reporting. 01-29-2014 01:49 PM
- Posted Re: Wrong host identifier in SYSLOG messages on Reporting. 01-28-2014 02:18 PM
- Posted Re: Wrong host identifier in SYSLOG messages on Reporting. 01-28-2014 01:51 PM
- Posted Wrong host identifier in SYSLOG messages on Reporting. 01-28-2014 12:27 PM
- Tagged Wrong host identifier in SYSLOG messages on Reporting. 01-28-2014 12:27 PM
01-29-2014
04:28 PM
Here are four lines from a "Show logging" directly from my Cisco router -
Jan 29 16:01:56.330 pst: %SEC-6-IPACCESSLOGP: list RESTRICT-SSH-IN denied tcp 82.221.102.177(35608) -> 173.160.208.161(22), 1 packet
Jan 29 16:02:40.218 pst: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: fred] [Source: 10.129.7.192] [localport: 22] [Reason: Login Authentication Failed] at 16:02:40 pst Wed Jan 29 2014
The 1st message shows properly in Splunk. The 2nd shows a host of "pst". The source type is "SYSLOG".
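Added example, not part of the original thread: the two Cisco lines quoted above are enough to reproduce the symptom offline and see why only the second one gets host "pst". Splunk's stock syslog host extraction searches for the tail of a syslog timestamp (":MM" followed by whitespace) anywhere in the event and takes the next word as the host; it is not anchored to the start of the event. The first line has no such pattern, so the connection host stays. The second line ends with "at 16:02:40 pst Wed Jan 29 2014", so ":40 pst " matches and "pst" becomes the host. The script below runs that regex (quoted from memory of the default transforms.conf, so verify it against your own copy) and an anchored alternative that refuses timezone tokens, over the posted lines plus one constructed BSD-style line. The sender addresses 192.0.2.10 and 192.0.2.20, the third event, the timezone list and the function names are all my assumptions.

```python
import re

# Splunk's stock [syslog-host] transform, reproduced from memory of
# $SPLUNK_HOME/etc/system/default/transforms.conf (verify against your
# install): the first ":MM<whitespace>" anywhere in the event is taken as
# the tail of a syslog timestamp and the next word becomes the host.
# Nothing anchors it to the start of the event.
DEFAULT_SYSLOG_HOST = re.compile(
    r':\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s'
)

# Anchored alternative (my own, not a Splunk default): only the token that
# directly follows the leading "Mon DD HH:MM:SS[.mmm]" timestamp is a
# candidate host.
LEADING_TOKEN = re.compile(
    r'^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\.\d+)?\s+'
    r'\[?([A-Za-z0-9][\w.\-]*)\]?:?\s'
)

# Timezone abbreviations Cisco IOS prints after the timestamp when
# "service timestamps log datetime ... show-timezone" is configured.
# These are never hostnames. Assumed list; extend to taste.
TZ_TOKENS = {"pst", "pdt", "mst", "mdt", "cst", "cdt", "est", "edt", "utc", "gmt"}

# Constructed sample events as (connection_host, raw). The first two are the
# Cisco lines from the post above; 192.0.2.x is a made-up stand-in for what
# connection_host=ip would record. The third is a constructed BSD-style line
# that carries a real hostname after the timestamp, to show the anchored
# rule still honours it.
EVENTS = [
    ("192.0.2.10", "Jan 29 16:01:56.330 pst: %SEC-6-IPACCESSLOGP: list RESTRICT-SSH-IN "
                   "denied tcp 82.221.102.177(35608) -> 173.160.208.161(22), 1 packet"),
    ("192.0.2.10", "Jan 29 16:02:40.218 pst: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
                   "[user: fred] [Source: 10.129.7.192] [localport: 22] "
                   "[Reason: Login Authentication Failed] at 16:02:40 pst Wed Jan 29 2014"),
    ("192.0.2.20", "Jan 29 16:03:01 fw-edge-01 sshd[1234]: Failed password for fred "
                   "from 10.129.7.192 port 40022 ssh2"),
]


def default_host(raw, connection_host):
    """Host as Splunk's stock syslog-host transform would set it.

    If the regex finds nothing, Splunk keeps the host already on the event,
    which for a TCP/UDP input is whatever connection_host resolved to.
    """
    m = DEFAULT_SYSLOG_HOST.search(raw)
    return m.group(1) if m else connection_host


def hardened_host(raw, connection_host):
    """Anchored extraction that refuses timezone tokens.

    Returns the token after the leading timestamp when it looks like a
    hostname, otherwise falls back to the connection host.
    """
    m = LEADING_TOKEN.match(raw)
    if m and m.group(1).lower() not in TZ_TOKENS:
        return m.group(1)
    return connection_host


def compare(events=EVENTS):
    """Return [(default_host, hardened_host), ...] for each sample event."""
    return [(default_host(raw, ch), hardened_host(raw, ch)) for ch, raw in events]


if __name__ == "__main__":
    for (ch, raw), (d, h) in zip(EVENTS, compare()):
        print(f"{raw[:48]!r:52} default={d:12} hardened={h}")
```

Running it shows the first Cisco line and the BSD line resolving sensibly under both rules, while the LOGIN_FAILED line becomes "pst" under the stock rule and keeps its connection host under the anchored one. In Splunk terms the equivalent fixes are (verify syntax for your version) either overriding the stock transform for this sourcetype or source in a local props.conf so the connection host is kept, or shipping an anchored REGEX like LEADING_TOKEN as your own transforms.conf stanza; the other route is to make the routers put their hostname in the message so there is something in the data stream to extract.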
01-29-2014
03:59 PM
That was my thought as well - yes, we are in the PST time zone. What puzzles me is that the source type "syslog" does just fine figuring out all the other messages but it has a hard time with these.
01-29-2014
01:49 PM
Thanks for your assistance. I modified the input.conf file in ...system\local. In it I added the following lines -
[tcp]
acceptFrom=*
connection_host=ip
connection_host was set to dns for TCP. Almost all of my SYSLOG is coming in via VPN tunnels and TCP based SYSLOG works where UDP based SYSLOG does not.
I made the changes and restarted the Splunkd service (just in case) but new SYSLOG messages of this type are still coming in with a host name of "pst". All other SYSLOG messages seem to have the correct host IP address.
01-28-2014
02:18 PM
A quick search host=pst | table _raw reveals that the source IP address isn't in the data stream. Reading the doc above points to the need to assign the source type on a per-event rather than a per-source basis. This was simple SYSLOG data coming in via UDP and TCP. This is new territory for me - surely someone has run into this before and has already forged this trail. Is there some setting on the switch that I need to manipulate, or is this entirely done in Splunk?
01-28-2014
01:51 PM
I submitted a "host=pst | table _raw" and looked at the output. It seems the host info is not there. Not sure where this leaves me.
01-28-2014
12:27 PM
I am new to Splunk and I am sure my question is not new to the community. I have 220 Cisco endpoints reporting SYSLOG data to Splunk. All seems to be working well - except the logging of successful and failed login attempts. These messages are making it to Splunk but they are being identified as coming from host "pst" - not the host's IP address. Subsequently I cannot tell which message belongs to which host. I have about 100,000 of these failed login messages and I need to deal with them but I can't tell which Cisco devices are under attack.