Syslog processing from cisco switches to Splunk


Syslog processing from cisco switches to Splunk

DAVID SMITH
Hi
We are trying to do something which on the face of it seems fairly simple but will not work. We have a Cisco switch which is producing syslogs; normally we use zoneranger to send them to Splunk and the records are shown. However we want to do a bit of content routing, so we are using NiFi 0.7.3 with a ListenUDP on port 514 and we can see the records coming in to NiFi. Without doing anything to the records we use a putUDP to send records to the Splunk server; NiFi says they have sent successfully but they never show in Splunk. We have used a listenUDP on another NiFi and the records transfer and look exactly the same as they were sent. We have also used listenSyslog and putSyslog, but the listenSyslog says the records are invalid.
Has anyone ever done this, and can you give us any guidance on what we may be missing?
Many thanks
Dave

Re: Syslog processing from cisco switches to Splunk

Andrew Psaltis
Dave,
To clarify you are using the PutUDP processor, not the PutSplunk processor?

On Thu, Oct 19, 2017 at 7:31 AM, DAVID SMITH <[hidden email]>
wrote:

--
Thanks,
Andrew

Re: Syslog processing from cisco switches to Splunk

Bryan Bende
If you can provide an example message we can try to see why
ListenSyslog says it is invalid.

I'm not sure that will solve the issue, but would give you something
else to try.

On Thu, Oct 19, 2017 at 8:38 AM, Andrew Psaltis
<[hidden email]> wrote:


Re: Syslog processing from cisco switches to Splunk

DAVID SMITH
Hi
An example message is:
<190>2155664: Oct 18 11:54:58: %SEC-6-IPACCESSLOGP: list inbound-to-zzz denied tcp 192.168.0.1(12345) -> 192.168.10.1(443), 1 packet
Many thanks
Dave

On Thursday, 19 October 2017, 14:37, Bryan Bende <[hidden email]> wrote:
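The line Dave posted is Cisco IOS's native logging layout rather than RFC 3164: a sequence number prefix (from `service sequence-numbers`), a timestamp terminated by a colon, and no hostname field at all. A parser that insists on `<PRI>Mmm dd hh:mm:ss HOSTNAME MSG` will reject it. The following is an added example, not code from this thread or from NiFi; the strict pattern below is a generic RFC 3164 shape, not NiFi's actual parser, the optional `HOST:` slot for `logging origin-id` output is an assumption about Cisco variants, and the `192.0.2.10` sender address is constructed. It shows why the posted line fails a strict parse, decodes the PRI and the `%SEC-6-IPACCESSLOGP` ACL-deny fields a defender would route on, and rewrites the line into a shape a strict consumer accepts.

```python
"""Parse Cisco IOS syslog lines that a strict RFC 3164 parser rejects.

Added example; not part of the NiFi thread or of NiFi itself. SAMPLE is the
line posted in the thread; hostnames used for normalisation are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Shape a strict RFC 3164 parser expects: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>\S.*)$"
)

# Shape Cisco IOS emits: <PRI>[SEQ: ][HOST: ]TIMESTAMP: %FAC-SEV-MNEMONIC: text
# The sequence number, the ': ' after the timestamp and the absent hostname are
# what trip an RFC 3164 parser. SEQ/HOST are optional because they depend on
# 'service sequence-numbers' / 'logging origin-id' (assumption about variants).
CISCO_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<host>[\w.-]+): )?"
    r"(?P<ts>[*.]?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?(?: [A-Z]+)?): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)

# Body of %SEC-6-IPACCESSLOGP:
#   list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), N packet(s)
ACL_RE = re.compile(
    r"^list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

SAMPLE = ("<190>2155664: Oct 18 11:54:58: %SEC-6-IPACCESSLOGP: list inbound-to-zzz "
          "denied tcp 192.168.0.1(12345) -> 192.168.10.1(443), 1 packet")


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    severity_name: str
    timestamp: str
    host: Optional[str]
    seq: Optional[int]
    mnemonic: Optional[str]
    message: str
    fields: dict = field(default_factory=dict)


def decode_pri(pri: int):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return pri // 8, pri % 8


def parse(line: str) -> Optional[SyslogEvent]:
    """Try strict RFC 3164 first, then the Cisco IOS layout; None if neither fits."""
    m = RFC3164_RE.match(line)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        return SyslogEvent(fac, sev, SEVERITY[sev], m["ts"], m["host"], None, None, m["msg"])
    m = CISCO_RE.match(line)
    if not m:
        return None
    fac, sev = decode_pri(int(m["pri"]))
    fields = {}
    if m["mnem"] == "IPACCESSLOGP":  # pull out the ACL hit so it can be routed/alerted on
        a = ACL_RE.match(m["msg"])
        if a:
            fields = {k: (int(v) if v.isdigit() else v) for k, v in a.groupdict().items()}
    return SyslogEvent(fac, sev, SEVERITY[sev], m["ts"].lstrip("*."), m["host"],
                       int(m["seq"]) if m["seq"] else None,
                       f"%{m['fac']}-{m['sev']}-{m['mnem']}", m["msg"], fields)


def to_rfc3164(line: str, sender: str) -> Optional[str]:
    """Rewrite a Cisco IOS line as <PRI>Mmm dd hh:mm:ss HOST TAG: MSG.

    `sender` (e.g. the UDP source address of the datagram) fills the hostname the
    switch did not send. The sequence number is dropped; keep it upstream if needed.
    """
    m = CISCO_RE.match(line)
    if not m:
        return None
    mon, day, clock = m["ts"].lstrip("*.").split()[:3]
    ts = f"{mon} {int(day):2d} {clock.split('.')[0]}"  # RFC 3164 pads the day, no ms
    host = m["host"] or sender
    return f"<{m['pri']}>{ts} {host} %{m['fac']}-{m['sev']}-{m['mnem']}: {m['msg']}"


if __name__ == "__main__":
    print("strict RFC 3164 accepts the Cisco line:", RFC3164_RE.match(SAMPLE) is not None)
    print(parse(SAMPLE))
    print(to_rfc3164(SAMPLE, "192.0.2.10"))
```

Run stand-alone it reports that the strict pattern rejects the posted line, decodes PRI 190 as local7/info with the ACL deny fields, and prints the normalised line, which the strict pattern then accepts. If you are already receiving the datagrams with ListenUDP, normalising them this way before handing them to a strict syslog consumer is the cheap fix; the denied-connection fields are the ones worth routing to a detection index rather than a general log store.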