The dashboard is only showing me that I have 1 unique device. Digging into it, it looks like it is seeing the syslog server as the only device. I notice that some of the entries do have a "reported_hostname" field. How do I get the entries that have this field to show it as the host field?
Please provide more info: what kind of devices are those?
Are you using any of the pre-built Splunk apps?
It might also be related to how you write data to syslog.
Hope it slightly helps.
Several different kinds. We have routers, switches, ASAs, etc.
We are using the "Cisco Networks App for Splunk Enterprise" and the "Splunk Add-on for Cisco Networks"
How do you bring the data from syslog to Splunk? Universal forwarder? Directly over TCP/UDP?
Universal forwarder.
What is the sourcetype you have under your inputs stanza?
cisco:ios
Do you have the TA installed?
https://splunkbase.splunk.com/app/1467/#/details
Yes, it is showing as being installed. Version 2.3.4.
Can you kindly share your inputs.conf on the forwarder?
[default]
ignoreOlderThan = 10d
blacklist = \.(gz|bz2|z|zip)$
recursive = false
index = main
[monitor:///var/agency_logs/AgencySyslog]
sourcetype=cisco:ios
Are all devices placing their data in one folder, AgencySyslog?
They are all placing their data into the single file AgencySyslog.
I believe this link will be helpful:
https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html
Worthwhile to look at those as well:
http://www.georgestarcher.com/splunk-success-with-syslog/
https://www.function1.com/2012/05/syslog-collection-with-splunk
Hope it helps.
I will pass this information along and see what happens. Thank you.
So, they redid the directories and now we have this:
/var/agency_logs/cisco/ios/<hostname>/<syslogfacility-text>/<syslogseverity-text>/<year-month-day>.log
and I have that entered in as
[monitor:///var/agency_logs/cisco/ios/*/local7/*/*.log]
host_segment = 5
However, these are not being pulled in for some reason.
Try this:
[monitor:///var/agency_logs/cisco/ios/.../local7/.../*.log]
host_segment = 5
Done. But it still isn't pulling the data in.
Here is my inputs.conf file:
[default]
ignoreOlderThan = 10d
blacklist = \.(gz|bz2|z|zip)$
recursive = false
index = main
# index = enterprise_90days
sourcetype = cisco:ios
crcSalt = <SOURCE>
# Windows platform specific input processor.
[monitor:///var/agency_logs/cisco/ios/.../local7/.../*.log]
host_segment = 5
# [monitor:///var/agency_logs/AgencySyslogWLC]
# [monitor:///var/agency_logs/AgencySyslog]
Can you double check the full path to the file and compare it with the examples here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/Specifyinputpathswithwildcards
So I fixed my issue. I took the local7 out of the monitor stanza, and, this is the most important change, I changed recursive to true.
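An added example, not from the thread and not Splunk's own code: a small Python emulation of how a [monitor://...] stanza with wildcards selects files and how host_segment pulls the host name out of the path. It assumes Splunk's documented wildcard rules (`*` matches within a single path segment, `...` matches any number of segments) and that with recursive = false the forwarder does not descend below the directory preceding the first wildcard. The file list is constructed here to mirror the layout described above; nothing is read from disk. It also goes beyond the thread by running the poster's original `*`-only stanza next to the `...` version, to show that once recursive is true both match the same files.

```python
"""
Simplified emulation of a Splunk monitor stanza (added example, not Splunk code).
Assumptions: '*' -> any chars except '/', '...' -> any number of path levels,
recursive = false -> files below the watched base directory are never read.
"""
import re
from typing import Dict, List, Optional

# Constructed sample paths following the layout from the thread:
# /var/agency_logs/cisco/ios/<hostname>/<facility>/<severity>/<date>.log
SAMPLE_FILES: List[str] = [
    "/var/agency_logs/cisco/ios/core-rtr-01/local7/notice/2018-03-12.log",
    "/var/agency_logs/cisco/ios/core-rtr-01/local7/warning/2018-03-12.log",
    "/var/agency_logs/cisco/ios/edge-asa-02/local4/err/2018-03-12.log",      # wrong facility
    "/var/agency_logs/cisco/ios/edge-asa-02/local7/notice/2018-03-12.log.gz",  # hits blacklist
    "/var/agency_logs/cisco/ios/README.txt",                                   # not a .log
]

# Settings taken from the thread's inputs.conf
BLACKLIST = r"\.(gz|bz2|z|zip)$"
HOST_SEGMENT = 5
STANZA_DOTS = "/var/agency_logs/cisco/ios/.../local7/.../*.log"   # suggested form
STANZA_STAR = "/var/agency_logs/cisco/ios/*/local7/*/*.log"       # poster's first form


def monitor_regex(path: str) -> "re.Pattern[str]":
    """Translate a monitor path into a regex using the documented wildcard rules."""
    out, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            out.append(".*")        # any number of directory levels
            i += 3
        elif path[i] == "*":
            out.append("[^/]*")     # anything except a path separator
            i += 1
        else:
            out.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def base_directory(path: str) -> str:
    """Directory actually watched: everything before the first wildcard."""
    hits = [path.find(w) for w in ("*", "...") if w in path]
    if not hits:
        return path.rstrip("/")
    return path[: min(hits)].rsplit("/", 1)[0]


def host_from_segment(path: str, segment: int) -> Optional[str]:
    """host_segment is 1-based, counting from the first component after the leading '/'."""
    parts = path.strip("/").split("/")
    return parts[segment - 1] if 0 < segment <= len(parts) else None


def select_files(monitor_path: str, files: List[str], recursive: bool,
                 host_segment: int, blacklist: Optional[str] = None) -> Dict[str, str]:
    """Return {path: host} for every file the stanza would pick up."""
    pattern = monitor_regex(monitor_path)
    base = base_directory(monitor_path)
    black = re.compile(blacklist) if blacklist else None
    chosen: Dict[str, str] = {}
    for f in files:
        if not f.startswith(base + "/"):
            continue
        in_subdir = "/" in f[len(base) + 1:]
        if in_subdir and not recursive:
            continue                      # recursive = false: never descend
        if black and black.search(f):
            continue                      # blacklist applies before sourcetyping
        if pattern.match(f):
            chosen[f] = host_from_segment(f, host_segment) or ""
    return chosen


def broken() -> Dict[str, str]:
    """The thread's original state: [default] recursive = false."""
    return select_files(STANZA_DOTS, SAMPLE_FILES, False, HOST_SEGMENT, BLACKLIST)


def fixed() -> Dict[str, str]:
    """After the fix: recursive = true with the '...' stanza."""
    return select_files(STANZA_DOTS, SAMPLE_FILES, True, HOST_SEGMENT, BLACKLIST)


def star_stanza_fixed() -> Dict[str, str]:
    """The poster's '*' stanza also works once recursive = true."""
    return select_files(STANZA_STAR, SAMPLE_FILES, True, HOST_SEGMENT, BLACKLIST)


if __name__ == "__main__":
    print("recursive = false ->", broken())
    print("recursive = true  ->", fixed())
    print("'*' stanza, true  ->", star_stanza_fixed())
```

With recursive = false nothing is selected, because every log sits several levels below /var/agency_logs/cisco/ios, the directory that precedes the first wildcard. With recursive = true both stanza forms return the same two files, each with host core-rtr-01 taken from the fifth path segment; the local4 file, the .gz file and README.txt are excluded by the pattern or the blacklist. Note that host_segment = 5 is correct only because the hostname sits at exactly that depth; moving the tree (for example under /opt) would shift the segment count and silently assign the wrong host.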