Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

eqalis - getting cisco_syslog sourcetype

Branden
Builder
‎09-02-2011 07:06 PM

I tried out the EQALIS Splunk for Network Operations app. Unfortunately, I don't think I can use it, but maybe someone can help.

The problem is that incoming events from Cisco devices must have a sourcetype of "cisco_syslog". Well, all my syslog events come in to my Splunk server via syslog-ng and are put into a /logs directory which is crawled by monitor. Everything that is crawled in the syslog-ng /logs directory is given a sourcetype of "syslog". That includes servers, switches, etc...

I have to force the sourcetype to be "syslog" in inputs.conf otherwise Splunk will give split the events into sourcetypes I don't want such "auth-too_small", "kern", etc...

Or maybe I'm taking the wrong approach.

I'd like to take advantage of the EQALIS app, but am not sure how to get the cisco_syslog sourcetype assigned to the applicable events when they're crawled by monitor. Does anyone have any suggestions?

Thanks!

0 Karma
Reply

eqalisken
Explorer
‎09-07-2011 12:19 PM

Hi,

A quick fix would be to use a sourcetype alias in props.conf:

[syslog]
rename = cisco_syslog

Restart Splunk for this to take effect. If you subsequently have problems because the “syslog” sourcetype is gone you can just remove the config and restart to convert back to before.

But if you can identify the Cisco routers from their sub-directory or filenames then you can give these specific ones the “cisco_syslog” sourcetype. Or if not you can give the logs the correct sourcetype per event as explained in below link:

http://docs.splunk.com/Documentation/Splunk/4.2.3/Data/Advancedsourcetypeoverrides

Reply

Branden
Builder
‎09-07-2011 05:54 PM

Thank you for the response.
I don't want to do a sourcetype alias as that would make even non-Cisco products show up as soucetype "cisco_syslog", which would be bad.
The doc you referred me to, however, may be what I'm after. I'm going to look into that. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...