Hi. I've tried to get Splunk to understand syslog messages coming from a Cisco Mobility Express setup. Mobility Express (ME) is the controller solution built into, in this setup, 3 AP3802I access points running 8.10.171.0. I have been successful at getting and displaying data from a C2960L-8PS switch running IOS 15, but not from any access point (AP).

I've set up syslogging from the ME directly to a single-instance Splunk demo lab running on Ubuntu with rsyslog. I can see data being logged into /data/syslog/192.168.40.20/:

```
-rw-r--r-- 1 syslog syslog  9690 Sep 4 15:54 20230904-15.log
-rw-r--r-- 1 syslog syslog 41100 Sep 4 16:58 20230904-16.log
-rw-r--r-- 1 syslog syslog  9192 Sep 4 17:53 20230904-17.log
```

Examples of the syslog messages are:

```
2023-08-29T05:48:04.090627+00:00 <133>SampleSite: *emWeb: Aug 29 07:48:03.431: %AAA-5-AAA_AUTH_ADMIN_USER: aaa.c:3334 Authentication succeeded for admin user 'example' on 100.40.168.192
2023-09-04T17:01:52.684140+02:00 <44>SampleSite: *apfMsConnTask_0: Sep 04 17:01:52.495: %APF-4-PROC_ACTION_FAILED: apf_80211k.c:825 Could not process 802.11 Action. Received RM 11K Action frame through incorrect AP from mobile station. Mobile:1A:4A:FA:F9:BA:C6.
2023-09-04T17:01:52.718781+02:00 <44>SampleSite: *Dot1x_NW_MsgTask_0: Sep 04 17:01:52.530: %LOG-4-Q_IND: apf_80211k.c:825 Could not process 802.11 Action. Received RM 11K Action frame through incorrect AP from mobile station. Mobile:1A:4A:FA:F9:BA:C6.
```

I've installed TA-cisco_ios from Splunkbase. At the top of my etc/apps/search/local/inputs.conf I've added:

```
[monitor:///data/syslog/udp/192.168.40.20]
disabled = false
host = ciscome.example.net
sourcetype = cisco:wlc
#sourcetype = cisco:ap
index = default
```

For switches cisco:ios works fine, but I cannot get cisco:wlc or cisco:ap to process the data, it seems. Has anyone used Cisco Mobility Express with Splunk and gotten anything useful out of the logs? Am I doing it right? Thanks for any tips.
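As an added example (not from the original post, the TA-cisco_ios add-on, or Cisco), here is a Python parser for the message shape quoted above: it strips the rsyslog receive timestamp and the `<PRI>` that rsyslog kept in the payload, decodes PRI into syslog facility and severity, and pulls out the Cisco `%FACILITY-SEVERITY-MNEMONIC`, source file and line, and message text, which are the fields any sourcetype would need to extract. The field names and the sample lines are my own constructions modelled on the post.

```python
import re
from typing import Optional

# Constructed sample lines, modelled on the rsyslog output quoted in the post.
SAMPLE_LINES = [
    "2023-08-29T05:48:04.090627+00:00 <133>SampleSite: *emWeb: Aug 29 07:48:03.431: "
    "%AAA-5-AAA_AUTH_ADMIN_USER: aaa.c:3334 Authentication succeeded for admin user "
    "'example' on 100.40.168.192",
    "2023-09-04T17:01:52.684140+02:00 <44>SampleSite: *apfMsConnTask_0: Sep 04 17:01:52.495: "
    "%APF-4-PROC_ACTION_FAILED: apf_80211k.c:825 Could not process 802.11 Action. "
    "Received RM 11K Action frame through incorrect AP from mobile station. "
    "Mobile:1A:4A:FA:F9:BA:C6.",
]

# rsyslog prefix, retained <PRI>, site name, WLC task, controller clock, then %FAC-SEV-MNEMONIC.
LINE_RE = re.compile(
    r"^(?P<received>\S+)\s+"
    r"<(?P<pri>\d{1,3})>"
    r"(?P<host>[^:\s]+):\s+"
    r"\*(?P<task>[^:]+):\s+"
    r"(?P<wlc_time>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<src_file>[\w.]+):(?P<src_line>\d+)\s+"
    r"(?P<message>.*)$"
)
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 5: "syslog", 10: "authpriv"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})


def parse_me_syslog(line: str) -> Optional[dict]:
    """Parse one Mobility Express syslog line; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    fac_num, sev_num = divmod(pri, 8)  # RFC 5424: PRI = facility * 8 + severity
    rec["syslog_facility"] = FACILITY_NAMES.get(fac_num, f"facility{fac_num}")
    rec["syslog_severity"] = SEVERITY_NAMES[sev_num]
    rec["severity"] = int(rec["severity"])
    rec["src_line"] = int(rec["src_line"])
    # Cisco's own severity digit should agree with the PRI severity; flag any drift.
    rec["severity_mismatch"] = rec["severity"] != sev_num
    return rec


def parse_all(lines):
    """Parse a batch, dropping lines that do not match (e.g. rsyslog MARK lines)."""
    return [r for r in (parse_me_syslog(l) for l in lines) if r is not None]
```

Whatever sourcetype ends up being used, its extractions have to cope with the rsyslog timestamp and the `<PRI>` that sit in front of the site name, since both are stored in the file here.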