Splunk for syslog
JeanM
Member Posts: 1,117
in CCNA & CCENT
Hi, anybody here using Splunk Free in their labs? I've created a cisco index and configured one of the devices to send to the PC running Splunk, and I do see it receiving data... but it's showing it as maybe raw data? How do I get it to translate it using the default MIB info so I can read it? Example:
7/7/12 9:53:59.000 AM
0G\x2\x10>\x2\x10G\x2\x10>\x2\x10\x81\x91\x2\x10\x81\x88\x2\x10\x81\x92\x2\x10\x81\x89\x2\x10\x81\xD6\x2\x10\x81\xCD\x2\x10\x81\xD7\x2\x10\x81\xCE\x2\x10\x81\xD4\x2\x10\x81\xCB\x2\x10\x81\xD5\x2\x10\x81\xCC\x2\x10G\x2\x10>\x2\x10\x81\x87\x2\x10~\x2\x10\x81\x88\x2\x10\x2\x10\x81\xD2\x2\x10\x81\xC9\x2\x10\x81\x85\x2\x10|\x2\x1
2015 goals - ccna voice / vmware vcp.
Comments
cpartin (Member Posts: 84):
Check for a Cisco app for Splunk. I haven't looked for Cisco specifically, but I can't imagine they don't have one.
JeanM (Member Posts: 1,117):
It sure can, I've seen it do that. Not sure if an "app" is needed to do that or if it can do SNMP traps natively? Like for example Kiwi Syslog, it shows the log/trap data in English w/o any additional app?
Still new to it. Thanks for the suggestion, I'll see what I find.
bob_deep (Member Posts: 2):
Jean, are you sending SNMP traps or syslog messages?
If you are sending syslog, Splunk should read that without any other configuration:
Syslog - UDP
If you are sending SNMP traps, you need to convert the trap to text:
Send SNMP events to Splunk
You can also poll the device via SNMP:
snmpget with splunk - Splunk Community
cpartin (Member Posts: 84):
I'm still pretty new to it myself, but as I understand it, Splunk by itself is just the indexing / search engine. It doesn't really care what kind of data you send it, it just throws it into a database and allows you to run queries. The apps help to translate the incoming data into a more legible format, add dashboards and graphs etc. There were a few Cisco apps, but I didn't see anything for just basic SNMP monitoring.

JeanM (Member Posts: 1,117):
> I'm still pretty new to it myself, but as I understand it, Splunk by itself is just the indexing / search engine. It doesn't really care what kind of data you send it, it just throws it into a database and allows you to run queries. The apps help to translate the incoming data into a more legible format, add dashboards and graphs etc. There were a few Cisco apps, but I didn't see anything for just basic SNMP monitoring.
Yeah, I didn't find anything either. We do use it at work, so I'll ask one of the network guys what it took to configure it for traps.
Until then I'll use Kiwi Syslogd.
I think this may be it - http://docs.splunk.com/Documentation/Splunk/latest/Data/SendSNMPeventstoSplunk
Thoughts?
bob_deep (Member Posts: 2):
> Yeah, I didn't find anything either. We do use it at work, so I'll ask one of the network guys what it took to configure it for traps.
> Until then I'll use Kiwi Syslogd.
> I think this may be it - Send SNMP events to Splunk
> Thoughts?
Yup, see my other links for polling and regular syslog messages:
Syslog - UDP
snmpget with splunk - Splunk Community
JeanM (Member Posts: 1,117):
> Jean, are you sending SNMP traps or syslog messages?
> If you are sending syslog, Splunk should read that without any other configuration:
> Syslog - UDP
> If you are sending SNMP traps, you need to convert the trap to text:
> Send SNMP events to Splunk
> You can also poll the device via SNMP:
> snmpget with splunk - Splunk Community
Hi, sorry I didn't see the post earlier. I am trying both, but SNMP traps is the way to go, yeah?
I was confusing syslog and SNMP... both Kiwi Syslogd and Splunk are reading and displaying syslog on port 514 just fine and it's readable.
I don't have SNMP traps working yet, need to figure out what MIBs to download and install for basic monitoring and such.
I created another index for just syslog stuff:
7/7/12 5:12:51.000 PM
Jul 7 17:12:51 192.168.1.77 26: 00:14:33: %SYS-5-RELOAD: Reload requested by vty0 (192.168.1.10). Reload Reason: Reload Command.
host=192.168.1.77
7/7/12 5:12:30.000 PM
Jul 7 17:12:30 192.168.1.77 25: 00:14:10: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.10)
host=192.168.1.77
7/7/12 5:10:05.000 PM
Jul 7 17:10:05 192.168.1.77 24: *Mar 2 07:15:50.539: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.10)
host=192.168.1.77
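As an added example that is not part of the thread: a small Python parser for the Cisco IOS syslog lines pasted above, pulling out the %FACILITY-SEVERITY-MNEMONIC fields, the vty source address and the per-device sequence number, then flagging what a defender would watch for in this feed (reloads or config changes from an address outside the management set, and sequence gaps that hint at dropped UDP syslog). The sample lines are constructed from the events in the post, and the trusted management address set is an assumption.

```python
import re

# Constructed sample input modelled on the three syslog events quoted in the thread.
SAMPLE_LINES = [
    "Jul 7 17:12:51 192.168.1.77 26: 00:14:33: %SYS-5-RELOAD: Reload requested by vty0 (192.168.1.10). Reload Reason: Reload Command.",
    "Jul 7 17:12:30 192.168.1.77 25: 00:14:10: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.10)",
    "Jul 7 17:10:05 192.168.1.77 24: *Mar 2 07:15:50.539: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.10)",
]

# <receiver timestamp> <device> <seq>: <device clock or uptime>: %FACILITY-SEVERITY-MNEMONIC: <text>
LINE_RE = re.compile(
    r"^(?P<recv_ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<seq>\d+):\s+"
    r"(?P<dev_ts>.*?):\s+"  # a leading '*' means the device clock is not authoritative (no NTP)
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<message>.*)$"
)
# IOS appends the remote address of the vty session in parentheses.
SOURCE_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_cisco_syslog(line):
    """Parse one relayed Cisco IOS syslog line into a dict; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["seq"] = int(event["seq"])
    event["severity"] = int(event["severity"])  # 0 emergency .. 7 debugging
    event["clock_authoritative"] = not event["dev_ts"].startswith("*")
    src = SOURCE_RE.search(event["message"])
    event["source_ip"] = src.group(1) if src else None
    return event

def review_events(lines, trusted_admin_ips):
    """Findings a defender wants from these events: config changes or reloads from an
    address outside the management set, and sequence gaps hinting at dropped UDP syslog."""
    events = sorted((e for e in map(parse_cisco_syslog, lines) if e), key=lambda e: e["seq"])
    findings = [f"{cur['host']}: sequence gap {prev['seq']}->{cur['seq']}, messages may have been lost"
                for prev, cur in zip(events, events[1:]) if cur["seq"] != prev["seq"] + 1]
    findings += [f"{e['host']}: {e['mnemonic']} from untrusted address {e['source_ip']}"
                 for e in events if e["mnemonic"] in ("CONFIG_I", "RELOAD")
                 and e["source_ip"] not in trusted_admin_ips]
    return findings

if __name__ == "__main__":
    # Assumed management address; with it trusted, the three sample events produce no findings.
    for finding in review_events(SAMPLE_LINES, {"192.168.1.10"}):
        print(finding)
```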
reducthebeat (Registered Users Posts: 3):
Hi there JeanM,
Not sure if I have the right command here, but it would make sense to set up an SNMP trap on your Cisco router. The command is snmp trap link-status.
Hopefully that helps.
JeanM (Member Posts: 1,117):
I have done that. Here is what I've learned. Splunk can read syslog stuff just fine, but when you send it SNMP traps it doesn't exactly "translate" them. Reading the Splunk docs, they say you want to send the SNMP stuff to a trap receiver (I am playing with net-snmp) and have it write it to a text file. You then have Splunk read from the text/log file to put that into its index.
I guess the reason behind this is Splunk doesn't know / can't use MIB files, so it can't translate the traps... but a trap receiver can, and that's where you would need to load MIB files before Splunk even looks at the data.