All Apps and Add-ons

AVI logs don't appear to be forwarding to Splunk

chrismmckenna
New Member

We would like to use the AVI Networks App for Splunk which I’m aware requires use of the associated Add-on.

We are using AVI Vantage platform version 18.2.5.
We are using Splunk Enterprise version 7.2.6.

I have used these sources to find out how to configure the add-on:
https://splunkbase.splunk.com/app/4155/#/details
https://avinetworks.com/docs/18.1/streaming-avi-logs-to-external-server/

I have created an AVI Vantage analytics profile with the following log streaming settings. I have used the defaults for all values with the following exceptions:

alt text

This is output from the command 'ss -tuw' on one of the AVI controllers:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 172.xxx.xxx.2:35338 10.xxx.xxx.140:5054
tcp ESTAB 0 0 172.xxx.xxx.2:35336 10.xxx.xxx.140:5054
tcp ESTAB 0 0 172.xxx.xxx.2:35340 10.xxx.xxx.140:5054

Netcat output from AVI controller (nc -z -v splunk-1.tvm.foo.bar.bay 9998)
Connection to splunk-1.tvm.foo.bar.bay 9998 port [tcp/*] succeeded!

I’ve created a Splunk TCP data input as follows (/opt/splunk/etc/apps/TA-avi-vantage-add-on/local/inputs.conf):
[tcp://9998]
connection_host = ip
index = avi-data
sourcetype = syslog

After creating the input, I restarted Splunk. I can see that splunkd is listening on the port (sudo lsof -i -P -n | grep LISTEN)
splunkd 23104 splunk 65u IPv4 957961696 0t0 TCP *:9998 (LISTEN)

Splunk has not received any data from AVI into Splunk and am wondering if you are aware of some steps I may have missed or if there are some tips you can offer to get this working. Does something need to be restarted on the AVI controller or in the UI?

0 Karma

chrismmckenna
New Member

Here are nmap results from the Splunk server.

Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-18 02:24 UTC
Nmap scan report for avi-controller-1.tvm.aws.bfnet.us (10.235.2.140)
Host is up (0.00033s latency).
Not shown: 1951 closed ports, 42 open|filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
5054/tcp open rlm-admin
8443/tcp open https-alt
123/udp open ntp
161/udp open snmp
MAC Address: 0E:A0:18:4C:8E:C9 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=3/18%OT=22%CT=1%CU=2%PV=Y%DS=1%DC=D%G=Y%M=0EA018%TM=5E
OS:718A70%P=x86_64-redhat-linux-gnu)SEQ(SP=101%GCD=1%ISR=109%TI=Z%CI=I%II=I
OS:%TS=8)OPS(O1=M2301ST11NW7%O2=M2301ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11N
OS:W7%O5=M2301ST11NW7%O6=M2301ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=6
OS:8DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T
OS:=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=
OS:40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!