Getting Data In

Cisco Mobility Express data into Splunk

amuso

Hi.

I've tried to get Splunk to understand syslog messages coming from a Cisco Mobility Express setup.

Mobility Express (ME) is the controller solution built into, in this setup, 3 AP3802I access points running 8.10.171.0.

I have been successful at getting and displaying data from a C2960L-8PS switch running IOS 15, but not from any access point (AP).

I've set up syslogging from the ME directly to a single-instance Splunk demo lab running on Ubuntu with rsyslog.

I can see data being logged into /data/syslog/192.168.40.20/

-rw-r--r-- 1 syslog syslog 9690 Sep 4 15:54 20230904-15.log
-rw-r--r-- 1 syslog syslog 41100 Sep 4 16:58 20230904-16.log
-rw-r--r-- 1 syslog syslog 9192 Sep 4 17:53 20230904-17.log

Examples of syslog messages are:

2023-08-29T05:48:04.090627+00:00 <133>SampleSite: *emWeb: Aug 29 07:48:03.431: %AAA-5-AAA_AUTH_ADMIN_USER: aaa.c:3334 Authentication succeeded for admin user 'example' on 100.40.168.192
2023-09-04T17:01:52.684140+02:00 <44>SampleSite: *apfMsConnTask_0: Sep 04 17:01:52.495: %APF-4-PROC_ACTION_FAILED: apf_80211k.c:825 Could not process 802.11 Action. Received RM 11K Action frame through incorrect AP from mobile station. Mobile:1A:4A:FA:F9:BA:C6.
2023-09-04T17:01:52.718781+02:00 <44>SampleSite: *Dot1x_NW_MsgTask_0: Sep 04 17:01:52.530: %LOG-4-Q_IND: apf_80211k.c:825 Could not process 802.11 Action. Received RM 11K Action frame through incorrect AP from mobile station. Mobile:1A:4A:FA:F9:BA:C6.

I've installed TA-cisco_ios from Splunkbase.

At the top of my etc/apps/search/local/inputs.conf I've added:

[monitor:///data/syslog/udp/192.168.40.20]
disabled = false
host = ciscome.example.net
sourcetype = cisco:wlc
#sourcetype = cisco:ap
index = default

For switches, cisco:ios works fine, but I cannot get cisco:wlc or cisco:ap to process the data, it seems.

Has anyone used Cisco Mobility Express with Splunk and gotten anything useful out of the logs? Am I doing it right?

Thanks for any tips.
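To make concrete what a sourcetype's field extractions have to do with lines of this shape, here is an added stand-alone parser (not the poster's configuration, and not code from TA-cisco_ios or Splunk). It splits each line into the rsyslog receive timestamp, the syslog PRI (facility*8 + severity), the device-configured hostname, the emitting controller task, the device clock (which carries no year), the Cisco %FACILITY-SEVERITY-MNEMONIC token, the firmware source reference, and the free-text message, then pulls MAC and IPv4 addresses out of the message and lists successful admin authentications, which is the kind of event a defender would want to audit from these logs. The three sample lines are constructed copies of the post's examples; the field names, the regexes and the helper functions are this example's own assumptions, not anything the TA defines.

```python
"""Parse Cisco Mobility Express / WLC-style syslog lines as rsyslog writes them to disk.

Added example; the line format is inferred from the sample lines in the post above.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input, copied in shape from the post (hostname, MACs and IPs are examples).
SAMPLE_LINES = [
    "2023-08-29T05:48:04.090627+00:00 <133>SampleSite: *emWeb: Aug 29 07:48:03.431: "
    "%AAA-5-AAA_AUTH_ADMIN_USER: aaa.c:3334 Authentication succeeded for admin user 'example' on 100.40.168.192",
    "2023-09-04T17:01:52.684140+02:00 <44>SampleSite: *apfMsConnTask_0: Sep 04 17:01:52.495: "
    "%APF-4-PROC_ACTION_FAILED: apf_80211k.c:825 Could not process 802.11 Action. Received RM 11K Action "
    "frame through incorrect AP from mobile station. Mobile:1A:4A:FA:F9:BA:C6.",
    "2023-09-04T17:01:52.718781+02:00 <44>SampleSite: *Dot1x_NW_MsgTask_0: Sep 04 17:01:52.530: "
    "%LOG-4-Q_IND: apf_80211k.c:825 Could not process 802.11 Action. Received RM 11K Action "
    "frame through incorrect AP from mobile station. Mobile:1A:4A:FA:F9:BA:C6.",
]

# Standard syslog severity names, indexed by the 0-7 severity number (RFC 5424 table 2).
SEVERITY_NAMES = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]

LINE_RE = re.compile(
    r"^(?P<received>\S+)\s+"                        # rsyslog receive timestamp (ISO 8601, has a year)
    r"<(?P<pri>\d{1,3})>"                           # syslog PRI = facility*8 + severity
    r"(?P<host>[^:\s]+):\s+"                        # name configured on the controller
    r"\*(?P<process>[^:\s]+):\s+"                   # controller task that emitted the line
    r"(?P<device_time>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}):\s+"  # device clock, no year
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"  # Cisco message token
    r"(?P<source_ref>\S+:\d+)\s+"                   # firmware source file:line
    r"(?P<message>.*)$"                             # free-text message
)
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ADMIN_AUTH_RE = re.compile(r"admin user '(?P<user>[^']+)' on (?P<addr>\S+)")


@dataclass
class WlcEvent:
    received: str
    pri: int
    host: str
    process: str
    device_time: str
    facility: str
    severity: int
    mnemonic: str
    source_ref: str
    message: str
    macs: List[str] = field(default_factory=list)
    ips: List[str] = field(default_factory=list)

    @property
    def syslog_facility(self) -> int:
        return self.pri // 8

    @property
    def syslog_severity(self) -> int:
        return self.pri % 8

    @property
    def severity_name(self) -> str:
        # The Cisco severity digit and the syslog PRI severity agree on the sample lines;
        # the Cisco one is used because it is part of the message token itself.
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> Optional[WlcEvent]:
    """Return a WlcEvent for a well-formed line, or None so callers can count unparsed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return WlcEvent(
        received=g["received"], pri=int(g["pri"]), host=g["host"], process=g["process"],
        device_time=g["device_time"], facility=g["facility"], severity=int(g["severity"]),
        mnemonic=g["mnemonic"], source_ref=g["source_ref"], message=g["message"],
        macs=MAC_RE.findall(g["message"]), ips=IP_RE.findall(g["message"]),
    )


def summarize(lines: List[str]) -> Counter:
    """Count events by their %FACILITY-SEVERITY-MNEMONIC token; unparsed lines are counted too."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        counts[f"%{ev.facility}-{ev.severity}-{ev.mnemonic}" if ev else "UNPARSED"] += 1
    return counts


def admin_logins(events: List[Optional[WlcEvent]]) -> List[Tuple[str, str]]:
    """List (user, address) pairs from successful admin authentications, for access auditing."""
    out = []
    for ev in events:
        if ev and ev.facility == "AAA" and ev.mnemonic == "AAA_AUTH_ADMIN_USER":
            m = ADMIN_AUTH_RE.search(ev.message)
            if m:
                out.append((m["user"], m["addr"]))
    return out


if __name__ == "__main__":
    parsed = [parse_line(l) for l in SAMPLE_LINES]
    for key, n in summarize(SAMPLE_LINES).items():
        print(f"{n:3d}  {key}")
    print("admin logins:", admin_logins(parsed))
```

Running the file over a real hourly log from /data/syslog would show immediately which lines fall into UNPARSED, which is the first thing to check when a sourcetype appears to ignore the data: a line-break or timestamp mismatch between what rsyslog writes and what the sourcetype expects leaves events unparsed rather than producing an error.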
