Everything in the Cisco Networks App for Splunk Enterprise is working great, except the configuration audit. It shows ARCHIVING IS NOT ENABLED ON THIS DEVICE in the cmd field; however, logging is enabled, and if I click on the "error", I can actually see the raw data in the search. Is anybody else having this problem or familiar with the solution?
Paste sample logs as seen in Splunk, please. Otherwise I have to speculate what your issue might be.
It seems I have the same issue.
2 switches, I think the config is the same, but I see the message "ARCHIVING NOT ENABLED ON THIS DEVICE"
Ok, thanks for confirming. Let's verify a few things:
Mikael
Oh, I missed something. It looks like you are getting your syslog through TCP, which is not fully supported at this time. Could you check if UDP works better?
Entry in the app:
2015-09-09 09:48:08 1.1.1.1 console username vty0 1.1.1.1 ARCHIVING NOT ENABLED ON THIS DEVICE
Actual log entries:
Sep 9 09:48:08 1.1.1.1 <189>213: Sep 9 08:53:07 CDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:username logged command:interface GigabitEthernet2/0/9
Sep 9 09:48:08 1.1.1.1 <189>214: Sep 9 08:53:07 CDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:username logged command:shutdown
Sep 9 09:48:08 1.1.1.1 <189>215: Sep 9 08:53:07 CDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:username logged command:no shutdown
Sep 9 09:48:08 1.1.1.1 <189>216: Sep 9 08:53:07 CDT: %SYS-5-CONFIG_I: Configured from console by username on vty0 (125.108.185.249)
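An added example (not code from the Cisco Networks App or from anyone in this thread) showing how a parser can pull the audited user and command out of %PARSER-5-CFGLOG_LOGGEDCMD lines like the ones above while tolerating the `<189>213: ` priority/sequence prefix seen in the TCP-received copies. The assumption here is that this prefix (absent when the same event arrives over plain UDP) is what differs between the two transports; the sample lines are constructed from the thread, with the vty source address replaced.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on the thread: three TCP-received lines carrying a
# "<PRI>seq: " prefix plus the device's own timestamp, and one plain (UDP-style) line.
SAMPLE_LINES = [
    "Sep 9 09:48:08 1.1.1.1 <189>213: Sep 9 08:53:07 CDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:username logged command:interface GigabitEthernet2/0/9",
    "Sep 9 09:48:08 1.1.1.1 <189>214: Sep 9 08:53:07 CDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:username logged command:shutdown",
    "Sep 9 09:48:08 1.1.1.1 %PARSER-5-CFGLOG_LOGGEDCMD: User:username logged command:no shutdown",
    "Sep 9 09:48:08 1.1.1.1 <189>216: Sep 9 08:53:07 CDT: %SYS-5-CONFIG_I: Configured from console by username on vty0 (1.1.1.1)",
]

# Receiver timestamp and source host, as written by the syslog collector.
HOST_RE = re.compile(r"^(?P<recv_ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")
# Optional "<PRI>seq: " and optional device timestamp ("Sep 9 08:53:07 CDT: ").
PREFIX_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>(?P<seq>\d+): )?(?:\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?: \w+)?: )?"
)
# The config-archive audit message: who ran which command.
CFGLOG_RE = re.compile(r"^%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+) logged command:(?P<cmd>.*)$")


@dataclass
class ConfigChange:
    host: str
    user: str
    command: str
    transport_hint: str  # "tcp-prefixed" when the <PRI>seq: header was present, else "plain"


def parse_cfglog(line: str) -> Optional[ConfigChange]:
    """Return a ConfigChange for a CFGLOG_LOGGEDCMD line, or None for anything else."""
    m = HOST_RE.match(line)
    if not m:
        return None
    rest = line[m.end():]
    p = PREFIX_RE.match(rest)          # always matches; both groups are optional
    rest = rest[p.end():]
    c = CFGLOG_RE.match(rest)
    if not c:
        return None                    # e.g. %SYS-5-CONFIG_I is not a per-command audit record
    hint = "tcp-prefixed" if p["pri"] is not None else "plain"
    return ConfigChange(m["host"], c["user"], c["cmd"].strip(), hint)


def audit(lines: List[str]) -> List[ConfigChange]:
    """Extract every logged configuration command from a batch of syslog lines."""
    return [r for r in (parse_cfglog(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for change in audit(SAMPLE_LINES):
        print(f"{change.host} {change.user} [{change.transport_hint}] {change.command}")
```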