Splunk for syslog

Hi, anybody here using splunk free in their labs?I've created a cisco index and configured one of the devices to send to the pc running splunk, and I do see it receving data...but it's showing it as maybe raw data?How do I get it to translate it using the default mib info so I can read it?Example -

7/7/129:53:59.000 AM

0G\x2\x10>\x2\x10G\x2\x10>\x2\x10\x81\x91\x2\x10\x81\x88\x2\x10\x81\x92\x2\x10\x81\x89\x2\x10\x81\xD6\x2\x10\x81\xCD\x2\x10\x81\xD7\x2\x10\x81\xCE\x2\x10\x81\xD4\x2\x10\x81\xCB\x2\x10\x81\xD5\x2\x10\x81\xCC\x2\x10G\x2\x10>\x2\x10\x81\x87\x2\x10~\x2\x10\x81\x88\x2\x10\x2\x10\x81\xD2\x2\x10\x81\xC9\x2\x10\x81\x85\x2\x10|\x2\x1Collapse back to 10 lines

host=192.168.1.10 Options|
sourcetype=cisco Options|
source=udp:162 Options

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

cpartin

Check for a cisco app for splunk. I haven't looked for cisco specifically but I can't imagine they don't have one.

JeanM

It sure can, I've seen it do that. Not sure if an "app" is needed to do that or if it can do snmp traps natively? Like for example Kiwi syslog, it shows the log/trap data in english w/o any addition app?

Still new to it

Thanks for suggestion, I'll see what I find.

bob_deep

Jean, are you sending SNMP traps or syslog messages?

If you are sending syslog, Splunk should read that without any other configurations:
Syslog - UDP

If you are sending SNMP trap, you need to convert the trap to text:
Send SNMP events to Splunk

You can also poll the device via SNMP:
snmpget with splunk - Splunk Community

cpartin

I'm still pretty new to it myself but as I understand Splunk by itself is just the indexing / search engine. It doesn't really care what kind of data you send it, it just throws it into a database and allows you to run queries. The apps help to translate the incoming data into a more legible format, add dashboards and graphs etc. There were a few Cisco apps but I didn't see anything for just basic SNMP monitoring.

JeanM

cpartin wrote: »

I'm still pretty new to it myself but as I understand Splunk by itself is just the indexing / search engine. It doesn't really care what kind of data you send it, it just throws it into a database and allows you to run queries. The apps help to translate the incoming data into a more legible format, add dashboards and graphs etc. There were a few Cisco apps but I didn't see anything for just basic SNMP monitoring.

Yeah I didn't find anything either. We do use it at work, so I'll ask one of the network guys on what it took to configure it for traps.

Untl then I'll use Kiwi syslogd

I think this may be it - http://docs.splunk.com/Documentation/Splunk/latest/Data/SendSNMPeventstoSplunk

Thoughts?

bob_deep

JeanM wrote: »

Yeah I didn't find anything either. We do use it at work, so I'll ask one of the network guys on what it took to configure it for traps.

Untl then I'll use Kiwi syslogd

I think this may be it - Send SNMP events to Splunk

Thoughts?

Yup, see my other links for polling and regular syslog messages:

Syslog - UDP

snmpget with splunk - Splunk Community

JeanM

bob_deep wrote: »

Jean, are you sending SNMP traps or syslog messages?

If you are sending syslog, Splunk should read that without any other configurations:
Syslog - UDP

If you are sending SNMP trap, you need to convert the trap to text:
Send SNMP events to Splunk

You can also poll the device via SNMP:
snmpget with splunk - Splunk Community

Hi, sorry I didn't see post earlier. I am trying both, but SNMP traps is the way to go yeah?

I was confusing syslog and snmp... both Kiwi syslogd and Splunk are reading and displaying syslog on port 514 just fine and it's readable

I don't have SNMP traps working yet, need to figure out what MIBs to download and install for basic monitoring and such.

I created another index for just syslog stuff -

7/7/12
5:12:51.000 PM

Jul 7 17:12:51 192.168.1.77 26: 00:14:33: %SYS-5-RELOAD: Reload requested by vty0 (192.168.1.10). Reload Reason: Reload Command.
host=192.168.1.77 Options|

sourcetype=cisco Options|
source=udp:514 Options

7/7/12
5:12:30.000 PM

Jul 7 17:12:30 192.168.1.77 25: 00:14:10: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.10)
host=192.168.1.77 Options|

sourcetype=cisco Options|
source=udp:514 Options

7/7/12
5:10:05.000 PM

Jul 7 17:10:05 192.168.1.77 24: *Mar 2 07:15:50.539: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.10)
host=192.168.1.77 Options|

sourcetype=cisco Options|
source=udp:514 Options

reducthebeat

Hi there Jean M,

Not sure if I have the right command here but it would make sense to set up and snmp trap on your cisco router. the command is snmp trap link-status.
Hopefully, that helps.

JeanM

I have done that

Here is what I've learned. Splunk can read syslog stuff just fine, but when you send it snmp traps it doesn't exactly "translate" them. Reading the splunk doc they say you want to send the snmp stuff to a trap receiver (I am playing with net-snmp) and have it write it to a text file. You then have splunk read from the text/log file to put that into it's index.

I guess the reason behind this is splunk doesn't know / or can't use MIB files so it's can't translate the traps...but a trap receiver can, and thats where you would need to load MIB files before splunk even looks at the data.