All Apps and Add-ons

TA-cisco_ios picking up events from Juniper switches

bochmann
Path Finder

I have noticed that the eventtype cisco_ios-diag in TA-cisco_ios matches on some of the log file entries generated by our Juniper switches (primarily log lines matching facility=KERN).

As far as I have traced this through TA-cisco_ios, force_sourcetype_for_cisco_ios in the TA's transforms.conf matches on some JunOS log entries (and overwrites our custom source type). I don't have a good idea on how to exclude these log lines yet, though - especially in a way that could be included into the TA so we don't have to apply a local fix after every update...

Did anyone run into this yet and has adapted the TA-cisco_ios ruleset?

Example Juniper log entry:

Nov 26 14:09:48 jp45-xxx /kernel: %KERN-5-KERN_LACP_INTF_STATE_CHANGE: lacp_update_state_userspace: cifd xe-0/0/33 - CD state - ready to carry traffic

0 Karma
1 Solution

mikaelbje
Motivator

I'm the app developer and have to say that this is certainly interesting. I don't have any experience with JunOS at all and didn't know that its log format looks this much like the IOS format.

I've had a look at the transform for the syslog sourcetype in the TA and can't really find a way to be any less particular in the regex than I already am in order to match Cisco IOS events.

What I'd suggest since your environment contains both JunOS and IOS is to enable two separate UDP inputs on different ports on your splunk server/syslog server, one for sourcetype cisco:ios and the other for junos and then setting your devices to log to these ports. That way you have the events separated already and not coming in as the syslog sourcetype.

What you could then do is disable the transform that changes the sourcetype from syslog to cisco:ios by setting the following in TA-cisco_ios/local/transforms.conf:

[force_sourcetype_for_cisco_ios]
REGEX = ((?!))

[force_sourcetype_for_cisco_ios-xr]
REGEX = ((?!))

[force_sourcetype_for_cisco_ios-xe]
REGEX = ((?!))

It's totally untested though. Not sure if there's a better way to solve this. Let me know if you succeed.

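The answer above hinges on two things a practitioner will want to check before touching the TA: that a `%FAC-SEV-MNEMONIC:` style regex really does fire on the JunOS line quoted in the question, and that the `((?!))` regex suggested for local/transforms.conf never fires at all. The script below is an added example, not code from TA-cisco_ios or from the poster. The "loose" regex is a hypothetical stand-in for a sourcetype-forcing REGEX (the TA's actual value is not shown on this page), the FORMAT/DEST_KEY handling is a minimal imitation of how a Splunk transform rewrites `MetaData:Sourcetype`, and the Cisco IOS and Linux sample lines are constructed; only the JunOS line is taken from the question.

```python
"""Offline check of a sourcetype-forcing transform against labelled sample events.

Added example, not code from TA-cisco_ios. The regexes are hypothetical
stand-ins, not the TA's actual REGEX values.
"""
import re

# Constructed sample events, each labelled with the sourcetype it should keep or receive.
SAMPLES = [
    # Cisco IOS style (constructed): %FACILITY-SEVERITY-MNEMONIC: after the router's own timestamp.
    ("Nov 26 14:09:48 sw1 1234: *Nov 26 14:09:47.901: %LINK-3-UPDOWN: "
     "Interface GigabitEthernet1/0/1, changed state to down", "cisco:ios"),
    # JunOS line from the question: the same %FAC-SEV-MNEMONIC: shape behind a "/kernel:" process tag.
    ("Nov 26 14:09:48 jp45-xxx /kernel: %KERN-5-KERN_LACP_INTF_STATE_CHANGE: "
     "lacp_update_state_userspace: cifd xe-0/0/33 - CD state - ready to carry traffic", "junos"),
    # Plain Linux syslog (constructed): should never be touched.
    ("Nov 26 14:09:48 host1 sshd[2201]: Accepted publickey for ops from 10.0.0.5 port 50122 ssh2", "syslog"),
]

# Transforms as they would appear in transforms.conf: REGEX decides whether the
# transform fires, FORMAT supplies the new value for DEST_KEY = MetaData:Sourcetype.
TRANSFORMS = {
    # Hypothetical loose regex keyed on the Cisco %FAC-SEV-MNEMONIC: token (assumption, not the TA's).
    "loose": {"REGEX": r"%[A-Z][A-Z0-9_]*-\d-[A-Z0-9_]+:", "FORMAT": "sourcetype::cisco:ios"},
    # The never-matching regex the answer suggests putting in local/transforms.conf.
    "disabled": {"REGEX": r"((?!))", "FORMAT": "sourcetype::cisco:ios"},
}


def apply_transform(event, incoming_sourcetype, transform):
    """Return the sourcetype after one transform; unchanged if REGEX does not match."""
    if re.search(transform["REGEX"], event):
        key, _, value = transform["FORMAT"].partition("::")
        if key == "sourcetype":
            return value
    return incoming_sourcetype


def evaluate(transform, incoming_sourcetype="syslog"):
    """Return (false_positives, misses): events wrongly forced to cisco:ios,
    and Cisco events the transform failed to pick up."""
    false_positives, misses = [], []
    for event, expected in SAMPLES:
        result = apply_transform(event, incoming_sourcetype, transform)
        if result == "cisco:ios" and expected != "cisco:ios":
            false_positives.append(event)
        if result != "cisco:ios" and expected == "cisco:ios":
            misses.append(event)
    return false_positives, misses


if __name__ == "__main__":
    for name, transform in TRANSFORMS.items():
        fps, misses = evaluate(transform)
        print(f"{name}: {len(fps)} false positive(s), {len(misses)} missed Cisco event(s)")
        for event in fps:
            print("  overmatched:", event[:70])
```

Running it shows the trade-off the developer describes: the loose regex picks up the JunOS `%KERN-5-...:` line as cisco:ios (and would overwrite a sourcetype set on the input), while `((?!))` never matches and so leaves every event alone, including the genuine Cisco one. The same harness can be pointed at any candidate REGEX before it goes into local/transforms.conf.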

mikaelbje
Motivator

You could probably also achieve the same by doing it in TA-cisco_ios/local/props.conf:

[syslog]
TRANSFORMS-force_sourcetype_for_cisco_ios = REFERENCING_AN_UNEXISTING_TRANSFORM

Maybe this also works (which is even better):

TRANSFORMS-force_sourcetype_for_cisco_ios =

0 Karma

bochmann
Path Finder

Thanks - I think I'll try that - we set a sourcetype directly on our inputs, so I don't usually need to force a different sourcetype based on a regex.
The other possibility would be to exclude data that already has certain sourcetypes set.

Also a general thank you for publishing this app - it has already been useful to us 🙂

mikaelbje
Motivator

I hope you find a feasible solution. The best way to thank me is accepting the answer and/or rating the apps 🙂

0 Karma