Syslog server to Cisco IOS app?

watsontony80
New Member

I've inherited an old syslog-ng server that has about 10 years' worth of Cisco reporting on text files sent via syslog. I'm new to the Splunk world and configured a Universal Forwarder on the syslog machine and pointed it at my Enterprise Indexer with the Cisco IOS app installed. I can get the logs to the server, but they don't enter the Cisco IOS app as expected. They're showing up in my Index as hostname = syslogservername and sourcetype as unknown. I edited the inputs on the forwarder to have a monitor stanza with a sourcetype of cisco_ios, but it then doesn't send anything at all to the indexer that I can find. I just want to have the logs parsed by the hostname (ciscoswitcha, etc.) of the device and the details that it's gathered. Help? Here's how the lines in the syslog text files look:

Jan 9 00:00:51 HOSTNAME 1838: Dec 9 00:00:50.511 est: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session 00000836 failed to receive Accounting Response.

How can I parse for the name of the device and its message into the IOS app?

0 Karma

mikaelbje
Motivator

Hi,

Hostname transform:
1. If you have one log file/folder per host you can use host_segment=N. Examples: http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/inputsconf
2. If you have all your hosts in one file you could install a Splunk Heavy Forwarder and use a host transform to pull the hostname out of the log. You could also do this on the indexer if you don't want a Heavy Forwarder on your syslog server. Examples: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/overridedefaulthostassignments

Regarding hosts not showing up in the app:
The sourcetype needs to be set to cisco:ios or syslog. NOT cisco_ios

Please rate or accept the answer if you find it helpful 🙂

Regards,
Mikael
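
The host transform from option 2 of the answer above, combined with the `cisco:ios` sourcetype, as an added example that is not part of the original posts or of the Cisco IOS app's own configuration. The monitor path and the transform stanza name are assumptions, and the regex is written for the line format shown in the question (syslog-ng timestamp, then the device name).

```ini
# --- inputs.conf (Universal Forwarder on the syslog-ng server) ---
# The path is an assumption; point it at the files syslog-ng writes.
[monitor:///var/log/cisco/*.log]
sourcetype = cisco:ios

# --- props.conf (indexer or Heavy Forwarder, not the Universal Forwarder) ---
# Index-time transforms only run where events are parsed.
# The class name "set_host" is arbitrary.
[cisco:ios]
TRANSFORMS-set_host = set_host_from_syslog_header

# --- transforms.conf (same instance as the props.conf above) ---
# Stanza name is hypothetical. The capture group takes the token that
# follows the leading "Mon D HH:MM:SS" timestamp, which is HOSTNAME in:
#   Jan 9 00:00:51 HOSTNAME 1838: Dec 9 00:00:50.511 est: %RADIUS-3-...
[set_host_from_syslog_header]
REGEX = ^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

Restart Splunk on each instance after editing. The host override applies only to events indexed after the change; events already indexed keep the syslog server's hostname.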
