Re: host=GMTS instead of hostname when using Cisco...

thaecker · ‎10-14-2010

Hi everybody,

i configured a Cisco switch with "login on-failure log" to log failed authentications to my splunk server. Unfortunately, these events have host=GMTS in splunk instead of the real hostname (host=switchname). Other events from the same switch do not have this problem.

These events look like:

<189>38677: switchname: 038673: Oct 14 12:11:02.419: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: username] [Source: 10.10.10.10] [localport: 22] at 12:11:02 GMTS Thu Oct 14 2010

Is there a way to fix this?

Many thanks in advance.

williamche · ‎10-14-2010

Sounds like the regex statement you're using to extract the host field is the cause... Can you publish your regex, it might help troubleshoot this problem.

Does this happens to every event containing the "GMTS" string towards the end of the line? Can you give an example of events where Splunk correctly extracted the host information?

Here's a regex that might work to extract the correct hostname:

REGEX = \<\d+\>\d+:\s+([^:]+):

Assuming that the hostname is always follow by a colon (":").

thaecker · ‎10-18-2010

I think it is the regex used in Manager >> Fields >> Field transformations >> syslog-host:

:\d\d\s+(?:\d+\s+|(?:user|daemon|local.?).\w+\s+)*[?(\w[\w.-]{2,})]?\s

Seems like only events related to ciscos "login on-failure log" contain the GMTS string, it happens to all of them.

An example event where splunk was able to determine the correct host information is:

<189>39428: 0.0.0.0: 039424: Oct 18 12:29:48.547: %SYS-5-CONFIG_I: Configured from console by username on vty0 (10.10.10.11)

host=GMTS instead of hostname when using Cisco Switch with login on-failure log

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases