Same sourcetype in different TA or APPs

pvuong · ‎07-05-2016

Hello,

I have a Splunk server which is Indexer and SearchHead. All of the logs are splited to different file by rsyslog in front process.
So i have all log in File format by host like :
/var/rsyslog/HOST1
/var/rsyslog/HOST2
/var/rsyslog/HOST3
/var/rsyslog/HOST4
All input to Splunk is indexed by monitor file method for one or several file (broadcast /var/rsyslog/*)

I installed three apps:
- splunk_app_for_nix( included SA-nix, Splunk_TA_nix) dedicated for Linux, Unix systeme event dashbord.
- cisco_ios (included TA-cisco_ios) dedicated for Cisco Switch event dashbord
- Splunk_CiscoSecuritySuite (included Splunk_TA_cisco-asa) dedicated for ASA event dashbord

My three input are :

For splunk_app_for_nix --> splunk_app_for_nix/local/inputs.conf
[monitor:///var/rsyslog/linux_HostName*]
disabled = false
host_segment = 4
index = index_nix
sourcetype = syslog
For cisco_ios ---> cisco_ios/local/inputs.conf
[monitor:///var/rsyslog/cisco_switch_HostName*]
disabled = false
host = cisco_swith_HostName
index = net_cisco
sourcetype = syslog
Splunk_CiscoSecuritySuite ---> Splunk_TA_cisco-asa/local/inputs.conf
[monitor:///var/rsyslog/cisco_asa_HostaName*]
disabled = false
host = cisco_asa_Hostname
index = net_asa
sourcetype = syslog

My Dashboard of cisco_ios and CiscoSecuritySuite are ok. All events are displayed correctly except the systeme nix .
All log in index "index_nix" arent extracted correctly in according to nix extract.

My question is how SPLUNK know the different "syslog" to use to adapt it to each kind of log : linux syslog, cisco ios syslog or cisco asa syslog ?

Any help is appreciated. Thanks by advance.

pvuong · ‎07-06-2016

Hi,

Thanks for your answer.

I wanted to add data to different index for each kind of equipment : index_nix, index_cisco, index_asa to allow the diffrent role permission.
I know that *nix need to create other index like "os", "unix_summary" ....

My question is how SPLUNK can know the different kind sourcetype of the same name "syslog" dedicated and configured in different APPs or TA ("syslog" of cisco ios or "syslog" of splunk_app_for_nix ? ). In this case, which file props.conf or transforms.conf that SPLUNK uses (the cisco one or the nix one ) ?

Thanks for any help

gfreitas · ‎07-06-2016

Hi pvuong,

Splunk just uses the sourcetype, source or host to extract the fields, if you have syslog than it will try to extract fields. It's not recommended to have multiple different styles of data with the same sourcetype. A normal way is to give names for your sourcetypes, for example for Cisco ASA, use sourcetype=cisco:asa, for Cisco router use sourcetype=cisco:router and so on.
Your props.conf and transforms.conf will be related to a sourcetype (most common usage).

pvuong · ‎07-07-2016

Ok Thanks for your answer. For Cisco asa and Cisoc ios, i have indeed used cisco:asa, cisco:ios for my cisco log sourcetype

So it not recommanded to have multiple different styles of data with the same sourcetype. Why the Apps or TA didn't configured with the default/props.conf to different kind of log like
nix_syslog
ios_syslog
postfix_syslog

instead of the same name "syslog" which can quite lead to confusion ...

Thanks for your answer.

Marie

gfreitas · ‎07-05-2016

Hi,

It's very common that Splunk uses the props.conf and transforms.conf files for configuration on how to extract fields. Does the *nix app requires you to add data to the index_nix or another index? In the README file of the app you can find more information.

Same sourcetype in different TA or APPs

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms