I tried out the EQALIS Splunk for Network Operations app. Unfortunately, I don't think I can use it, but maybe someone can help.
The problem is that incoming events from Cisco devices must have a sourcetype of "cisco_syslog". Well, all my syslog events come in to my Splunk server via syslog-ng and are put into a /logs directory which is crawled by monitor. Everything that is crawled in the syslog-ng /logs directory is given a sourcetype of "syslog". That includes servers, switches, etc...
I have to force the sourcetype to be "syslog" in inputs.conf otherwise Splunk will give split the events into sourcetypes I don't want such "auth-too_small", "kern", etc...
Or maybe I'm taking the wrong approach.
I'd like to take advantage of the EQALIS app, but am not sure how to get the cisco_syslog sourcetype assigned to the applicable events when they're crawled by monitor. Does anyone have any suggestions?
asked 02 Sep '11, 19:06
A quick fix would be to use a sourcetype alias in props.conf:
Restart Splunk for this to take effect. If you subsequently have problems because the “syslog” sourcetype is gone you can just remove the config and restart to convert back to before.
But if you can identify the Cisco routers from their sub-directory or filenames then you can give these specific ones the “cisco_syslog” sourcetype. Or if not you can give the logs the correct sourcetype per event as explained in below link:
answered 07 Sep '11, 12:19