Ok I read the documentation about using host_segment but it does not seem to be working properly
Here is my stanza:
[monitor:///var/log/gns-dmz/network/]
host_segment = 5
sourcetype = cisco:iso
source = syslog
index = network
Under /var/log/gns-dmz/network there are like 10 directories which are the host names of the cisco switches/routers which are sending their syslogs to this syslog-ng server. The stanza shows the host name as the name of the syslog-ng server and not the host_segment. What am I doing wrong?
thanks
ed
The reason why this is not working for you is that host_segment uses the source metadata to extract the segment from. Since you are overriding the source by defining source = syslog, the default host will be used.
Try removing the source definition and you should be good to go.
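As an added example (not from the original thread and not Splunk's own code): a small Python check that reproduces the rule the answer describes. Segments of the source path are counted 1-based after the leading slash, and when `source` is overridden to a value with too few segments the default host is kept; a lint over a constructed inputs.conf then flags a `source` override sitting next to `host_segment`. The lint rules are an assumed way to validate a stanza, not Splunk's internal behaviour.

```python
import configparser
import re

# Constructed sample inputs.conf, mirroring the stanza from the question
# plus a second stanza without the source override.
SAMPLE_INPUTS_CONF = """
[monitor:///var/log/gns-dmz/network/]
host_segment = 5
sourcetype = cisco:ios
source = syslog
index = network

[monitor:///var/testing/devices/]
host_segment = 4
sourcetype = cisco:ios
index = network
"""

def host_from_segment(source: str, segment: int, default_host: str) -> str:
    """Host that a host_segment setting would derive from `source`.

    Segments are counted from 1 after the leading slash
    (/var/log/x -> var=1, log=2, x=3). A source with fewer segments
    than requested (e.g. an overridden 'syslog') keeps the default host.
    """
    parts = [p for p in source.split("/") if p]
    if segment < 1 or segment > len(parts):
        return default_host
    return parts[segment - 1]

def lint_monitor_stanzas(conf_text: str):
    """Return (stanza, reason) pairs where host_segment cannot take effect."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        m = re.match(r"monitor://(.+)", section)
        if not m or "host_segment" not in cp[section]:
            continue
        seg = int(cp[section]["host_segment"])
        if "source" in cp[section]:
            findings.append((section, "source override defeats host_segment"))
        depth = len([p for p in m.group(1).split("/") if p])
        # A segment inside the monitored path itself is the same for every
        # file, so every event would get one constant host.
        if seg <= depth:
            findings.append((section, f"host_segment={seg} lies inside the monitored path"))
    return findings
```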
Yeah I found that out yesterday. I removed the source line and everything started working as it should.
thanks
ed
The host_segment looks correct, but the sourcetype in your monitor stanza says cisco:iso, not cisco:ios. You might want to correct that.
Actually I have two separate host_segment stanzas that are not working on this particular host
[monitor:///var/log/gns-dmz/bluecat/]
host_segment = 5
index = bluecat
sourcetype = dns_syslog
source = syslog
So not sure what I am doing wrong
I fixed the sourcetype, which did nothing for my issue about the host_segment not working.
[monitor:///var/log/gns-dmz/network/]
host_segment = 5
sourcetype = cisco:ios
source = syslog
index = network
I have 14 different sub-directories under /var/log/gns-dmz/network (all separate devices) and it still only shows up as ebs-syslog01 (name of syslog-ng server). Not sure why it isn't working.
You should post comments on my answer, not answers to your question. This is not a forum, but a way to ask a question and get answers 🙂
List the directory contents of /var/log/gns-dmz/network and post them here.
[root@ebs-syslog01 network]# ls -lart
total 64
drwxr-xr-x 2 root root 4096 Dec 3 11:24 mamwangw0
drwxr-xr-x 2 root root 4096 Dec 3 11:33 amywangw0
drwxr-xr-x 2 root root 4096 Dec 3 11:33 wvwangw0a-loopback0
drwxr-xr-x 2 root root 4096 Dec 3 11:34 139.181.40.21
drwxr-xr-x 2 root root 4096 Dec 3 11:34 ieswangw0b
drwxr-xr-x 2 root root 4096 Dec 3 11:34 194.196.65.17
drwxr-xr-x 2 root root 4096 Dec 3 11:34 rumwangw0
drwxr-xr-x 2 root root 4096 Dec 3 11:34 tokwangw0
drwxr-xr-x 2 root root 4096 Dec 3 11:34 ieswangw0a
drwxr-xr-x 2 root root 4096 Dec 3 11:34 hsvwangw0-uloop
drwxr-xr-x 2 root root 4096 Dec 3 11:35 wvwangw0b-loopback0
drwxr-xr-x 2 root root 4096 Dec 3 11:35 wana-53-230-12-196
drwxr-xr-x 2 root root 4096 Dec 3 11:35 hsiwangw0
drwxr-xr-x 2 root root 4096 Dec 3 11:35 tw212-static81
drwxr-xr-x 4 root root 4096 Dec 19 14:28 ..
drwxr-xr-x 16 root root 4096 Dec 19 14:29 .
[root@ebs-syslog01 network]#
Yes I have Splunk_TA_Nix installed on this server as well.
I am assuming since Splunk_TA_Nix is installed and monitoring the following
[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
disabled = 1
that is why I am not getting the host_segment to work, as you have stated. I will have to change the directory to one that is not being monitored or disable the Splunk_TA_Nix one, correct?
Hmm, I see it's disabled so it shouldn't really matter. Try monitoring another directory outside of /var/log
The host_segment you have looks OK though. Tried a different Splunk version in case it's a bug?
I tried to use /var/testing/devices and then copied the 14 or so directories over and it seems to be working properly now. Not sure why it isn't working in /var/log/gns-dmz
-thanks
ed
Great to hear that you got it working. It would be good if you could mark my answer as accepted 🙂