Cisco Networks Add-on for Splunk Enterprise: How to get reports to display my Cisco devices, not the hostname of my syslog server?

nychawk
Communicator

I've just installed the Cisco Networks Add-on and Cisco Networks App in my Splunk environment, and am quite pleased with the dashboards.

I am running into a problem with how my Cisco devices/hostnames are getting reported. My "unique devices", as well as every report that uses this field, are showing my syslog hostname instead of my Cisco devices.

The dashboard is using dvc to render reports, but my actual device IP addresses (I wish I could have them resolve to IP addresses) are getting stuffed into reported_hostname. Incidentally, my syslog server is receiving syslog traffic, and sending all into one folder for all IOS devices.

My UF's inputs.conf:

[monitor:///my-syslog-data/ios.log]
source=syslog
sourcetype=cisco:ios
host =

In addition to the universal forwarder, which is my syslog server, I've installed the add-on on my Indexers and search heads as well, no changes made on them.

I've tried making changes to my indexers' props.conf and transforms.conf; however, I seem to be missing the right changes needed to make my dashboards report each device uniquely versus all of them as my syslog host.

Thanks in advance,

-mi

0 Karma
1 Solution

mikaelbje
Motivator

Have a look at the thread below. The best solution would be to change your syslog server to log each device to its own directory and use host_segment=N in the inputs stanza.

http://answers.splunk.com/answers/277657/can-the-cisco-network-app-for-splunk-enterprise-us-1.html#a...

Don't set your source! Only set the sourcetype to either cisco:ios or syslog. If you set it to syslog there's a transform called syslog-host which is going to be applied automatically that should take care of the host problem. dvc is just a field aliased to host.

If this doesn't work you need to check your syslog server settings. Some syslog servers append hostnames whenever a message is relayed and we don't want that.

Please accept or upvote helpful answers.

Mikael
Author of the Cisco Networks App


diogofgm
SplunkTrust

props.conf

[your_sourcetype]
TRANSFORMS-hosts = real_host

transforms.conf

[real_host]
DEST_KEY = MetaData:Host
REGEX = 
FORMAT = host::$1

Fill the regex with the expression needed to retrieve the host from your logs. It should be the same as the one used to retrieve reported_hostname.

More info from docs:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Overridedefaulthostassignments

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
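Both answers above hinge on one thing: the regex that pulls the originating device out of each line, with Splunk falling back to the forwarder's host when it does not match. The harness below is an added example, not code from the thread or from the Cisco Networks App; it mimics an index-time transform with DEST_KEY = MetaData:Host and FORMAT = host::$1 over constructed sample lines, so a regex can be checked before it goes into transforms.conf. The regex and the sample lines are assumptions about what the syslog server writes, including a relay that prefixes its own name.

```python
import re

# Host of the forwarder/syslog server: what Splunk assigns when the transform
# does not match (and what the dashboards were wrongly showing as dvc).
DEFAULT_HOST = "syslog01"

# Assumed regex standing in for REGEX = in the [real_host] transform.
# Group 1 becomes the host ($1). Layout assumed:
#   <Mon dd hh:mm:ss> [<relay name>] <device> <seq>: <IOS message>
# The optional "(?:\S+\s)?" token absorbs a relay hostname that some syslog
# servers prepend, so the device after it is still captured.
HOST_REGEX = re.compile(
    r"^\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d\s(?:\S+\s)?([^\s:]+)\s\d+:"
)

# Constructed sample lines in the assumed format (not real device output).
SAMPLE_LINES = [
    "Mar  5 10:15:22 10.10.1.5 45: *Mar  5 10:15:21.123: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0 (10.10.1.99)",
    "Mar  5 10:15:23 core-sw1 46: *Mar  5 10:15:22.001: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet0/1, changed state to down",
    # Relay prefixed its own name before the device address.
    "Mar  5 10:15:24 syslog01 10.10.1.7 47: %LINEPROTO-5-UPDOWN: "
    "Line protocol on Interface GigabitEthernet0/2, changed state to up",
    # No device token at all: the transform must fall back to DEFAULT_HOST.
    "Mar  5 10:15:25 48: %SYS-5-RESTART: System restarted --",
]


def extract_host(line, regex=HOST_REGEX, default_host=DEFAULT_HOST):
    """Return the host Splunk would assign: $1 on match, else the default."""
    match = regex.match(line)
    return match.group(1) if match else default_host


def assign_hosts(lines, regex=HOST_REGEX, default_host=DEFAULT_HOST):
    """Map each line to (host, fell_back). fell_back flags lines the regex
    missed, i.e. events that would still show up as the syslog server."""
    results = []
    for line in lines:
        host = extract_host(line, regex, default_host)
        results.append((host, host == default_host))
    return results


if __name__ == "__main__":
    for line, (host, fell_back) in zip(SAMPLE_LINES, assign_hosts(SAMPLE_LINES)):
        flag = "  <-- fell back to forwarder host" if fell_back else ""
        print(f"{host:<12} {line[:60]}...{flag}")
```

Any line reported as fell back is one that would still render as the syslog server in the dashboards, so the regex (or the syslog server's output format) needs adjusting before the change is rolled out.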

FritzWittwer_ol
Contributor

As your forwarder is running on the syslog server, you could use the forwarder as your syslog server by defining a UDP input as

[udp://514]
source=syslog
sourcetype=cisco:ios
connection_host = dns

Saves you some IOPS on the server and gives you the host in the event. In this case you have the logs, of course, only in Splunk, and I cannot say if the app will be able to deal with the events.

nychawk
Communicator

My syslog server parses logs from devices other than Cisco as well, which feed various sourcetypes.

I like this idea though, thank you.

0 Karma

nychawk
Communicator

I changed sourcetype on my UF's inputs.conf from cisco:ios to syslog and now all my devices are showing up with their IP addresses; thank you.

0 Karma

FritzWittwer_ol
Contributor

How do the entries in the ios.log file look? Do they contain the correct hostname?

0 Karma

nychawk
Communicator

They contain IP addresses; the patterns match those provided in the sample.log.

0 Karma