Solved: Can the Cisco Network App for Splunk Enterprise us...

markschoonover · ‎07-15-2015

Thanks for reading. We use Syslog-NG for our Cisco devices to push syslog messages to. I've read the directions on installation and the help file states Cisco devices need to have Splunk as a syslog target. Can the app use input from syslog-ng instead? If so, how would this be configured?

mikaelbje · ‎07-15-2015

Sure, just set up a monitor stanza to read the log files generated by syslog-ng.

I.e.
[monitor:///var/log/remote/cisco_ios/*/syslog]
host_segment = 5
sourcetype = cisco:ios

If the logs are not already identified as IOS events and placed in their own directory such as in the example, replace sourcetype = cisco:ios with sourcetype = syslog
The Add-on will then take care of changing the sourcetype

View solution in original post

mikaelbje · ‎07-15-2015

Sure, just set up a monitor stanza to read the log files generated by syslog-ng.

I.e.
[monitor:///var/log/remote/cisco_ios/*/syslog]
host_segment = 5
sourcetype = cisco:ios

If the logs are not already identified as IOS events and placed in their own directory such as in the example, replace sourcetype = cisco:ios with sourcetype = syslog
The Add-on will then take care of changing the sourcetype

Can the Cisco Network App for Splunk Enterprise use input from Syslog-ng instead of having Splunk as a syslog target?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life