- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Cisco Networks Add-on for Splunk Enterprise: m...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm about to install the Cisco Networks App and Add-On into our environment, and I'm a bit new with Splunk. What has me a bit concerned are these two stanzas in the props.conf:
[syslog]
TRANSFORMS-force_sourcetype_for_cisco_ios = force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_ios-xr, force_sourcetype_for_cisco_ios-xe
# VERY experimental for RFC5424 support
[rfc5424_syslog]
TRANSFORMS-force_sourcetype_for_cisco_ios = force_sourcetype_for_cisco_ios-rfc5424
Do I have it right - that these will perform index-time changes to any records with "syslog" and "rfc5424-syslog" types? Changing them to "cisco:asa"?
I'm not certain that I won't end up with "syslog" records which aren't related to the Cisco IOS. Could I instead just set the sourcetype manually for the input, and then remove the above from the config?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're right that those props.conf stanzas may make index-time changes but if you review the specific transforms in transforms.conf you'll find that they're fairly specific and shouldn't improperly capture other events. That said, I think you have the right idea about setting the sourcetype manually if you can. When possible, I prefer to have system owners send different types of data to different syslog ports for this reason. Each port is mapped to a specific file on the syslog server that indicates which index and sourcetype that data should go to.
If you have other data being sourcetyped as syslog and want to make absolutely sure you don't end up with mismatched sourcetypes due to these transforms, consider creating a "local" folder under TA-cisco_ios, create a file called props.conf there, and add this config:
[syslog]
TRANSFORMS-force_sourcetype_for_cisco_ios =
[rfc5424_syslog]
TRANSFORMS-force_sourcetype_for_cisco_ios =
This should effectively disable the transforms and won't get clobbered if/when you update the Add-On.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're right that those props.conf stanzas may make index-time changes but if you review the specific transforms in transforms.conf you'll find that they're fairly specific and shouldn't improperly capture other events. That said, I think you have the right idea about setting the sourcetype manually if you can. When possible, I prefer to have system owners send different types of data to different syslog ports for this reason. Each port is mapped to a specific file on the syslog server that indicates which index and sourcetype that data should go to.
If you have other data being sourcetyped as syslog and want to make absolutely sure you don't end up with mismatched sourcetypes due to these transforms, consider creating a "local" folder under TA-cisco_ios, create a file called props.conf there, and add this config:
[syslog]
TRANSFORMS-force_sourcetype_for_cisco_ios =
[rfc5424_syslog]
TRANSFORMS-force_sourcetype_for_cisco_ios =
This should effectively disable the transforms and won't get clobbered if/when you update the Add-On.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect! I'm probably being overcautious (for a bunch of reasons), but this solution is exactly what I need.
I also discovered that my system owner won't be separating his Cisco syslog data, so the combination of a unique sourcetype and the default transforms in the app should get me to Happy Days.
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
