splunk-connect-for-syslog
Brocade switch logs being identified as EMC Powerswitch N Series sourcetype
The Brocade switch syslog messages are being identified as dell:emc:powerswitch:n. I'm using SC4S version 2.28.4.
Sample events from the raw log:
<190>1 2022-06-02T21:34:30.000+00:00 server01 @syslog-ng - - - {"fields":{"sc4s_vendor":"dellemc","sc4s_syslog_severity":"info","sc4s_syslog_facility":"local7","sc4s_product":"powerswitch","sc4s_class":"n"},"MESSAGE":"9 DOT1X: Port 2/1/23 - mac 0xx6.fexx.60xx, AuthControlledPortStatus change: authorized ","HOST_FROM":"10.0.0.1","HOST":"workstation1",".splunk":{"sourcetype":"dell:emc:powerswitch:n","source":"","sc4s_template":"t_hdr_msg","index":"netops"},".app":{"name":"app-lp-global_archive"},"._TAGS":"wireformat:rfc,wireformat:rfc3164,source_identified,.app.app-syslog-dell_switch_n,.app.app-lp-global_archive,.source.s_DEFAULT"}
<190>1 2022-06-02T21:34:34.000+00:00 server01 @syslog-ng - - - {"fields":{"sc4s_vendor":"dellemc","sc4s_syslog_severity":"info","sc4s_syslog_facility":"local7","sc4s_product":"powerswitch","sc4s_class":"n"},"MESSAGE":"9 DOT1X: Port 5/1/12 - mac 0xax.6ex3.dxx0, AuthControlledPortStatus change: authorized ","HOST_FROM":"10.0.0.1","HOST":"workstation1",".splunk":{"sourcetype":"dell:emc:powerswitch:n","source":"","sc4s_template":"t_hdr_msg","index":"netops"},".app":{"name":"app-lp-global_archive"},"._TAGS":"wireformat:rfc,wireformat:rfc3164,source_identified,.app.app-syslog-dell_switch_n,.app.app-lp-global_archive,.source.s_DEFAULT"}
<190>1 2022-06-02T21:34:36.000+00:00 server01 @syslog-ng - - - {"fields":{"sc4s_vendor":"dellemc","sc4s_syslog_severity":"info","sc4s_syslog_facility":"local7","sc4s_product":"powerswitch","sc4s_class":"n"},"MESSAGE":"9 DOT1X: Port 2/1/3 - mac 0xx6.fxx4.0xxe, AuthControlledPortStatus change: authorized ","HOST_FROM":"10.0.0.1","HOST":"workstation1",".splunk":{"sourcetype":"dell:emc:powerswitch:n","source":"","sc4s_template":"t_hdr_msg","index":"netops"},".app":{"name":"app-lp-global_archive"},"._TAGS":"wireformat:rfc,wireformat:rfc3164,source_identified,.app.app-syslog-dell_switch_n,.app.app-lp-global_archive,.source.s_DEFAULT"}
Events in Splunk:
16 STP: VLAN 600 Port 2/1/4 STP State -> LEARNING (DOT1wTransition)
16 STP: VLAN 600 Port 2/1/4 STP State -> BLOCKING (DOT1wTransition)
1 DHCPS: Sending NAK since requested IP 10.0.0.173 is not in received port's subnet
16 STP: VLAN 600 Port 2/1/4 STP State -> LEARNING (DOT1wTransition)
16 STP: VLAN 600 Port 2/1/4 STP State -> FORWARDING (DOT1wTransition)
16 STP: VLAN 600 Port 2/1/4 STP State -> FORWARDING (DOT1wTransition)
16 System: Interface ethernet 2/1/3, state up
35 STP: VLAN 600 Port 1/1/2 STP State -> DISABLED (PortDown)
9 DOT1X: Port 2/1/37 - mac 00d6.xx04.0axx, AuthControlledPortStatus change: authorized
35 STP: VLAN 205 Port 1/2/10 STP State -> FORWARDING (PortDown)
Syslog message reference: https://docs.commscope.com/bundle/fastiron-08030-adminguide/page/GUID-D7F2690F-2937-4AD4-9C6A-415F72100C87.html
We will check it, thank you for sharing the sample.
The logs you shared have no workable header. Kindly capture a pcap, analyse it, sanitise it and share it. By the way, did you create the parser mentioned in the docs (https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Brocade/switch/)? You need to use host as per the hostname of the switch.
Hi,
Here's a sample PCAP:
12:54:50.186765 IP (tos 0x0, ttl 58, id 938, offset 0, flags [DF], proto UDP (17), length 131)
    10.xx.141.xx.1026 > 10.xx.xx.27.514: [udp sum ok] SYSLOG, length: 103
    Facility user (1), Severity info (6)
    Msg: Jun 9 16:54:50 hostname1 STP: VLAN 205 Port 1/1/8 STP State -> DISABLED (PortDown)
    0x0000:  3c31 343e 204a 756e 2020 3920 3136 3a35
    0x0010:  343a 3530 2041 4d2d 524b 414c 2d52 5543
    0x0020:  452d 4246 3033 2d52 322d 3335 2053 5450
    0x0030:  3a20 564c 414e 2032 3035 2050 6f72 7420
    0x0040:  312f 312f 3820 5354 5020 5374 6174 6520
    0x0050:  2d3e 2044 4953 4142 4c45 4420 2850 6f72
    0x0060:  7444 6f77 6e29 20
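The pcap above shows why the maintainer asks for a host-based parser: the switch sends a bare BSD-style (RFC 3164) header with only a PRI, a timestamp, a hostname and a process tag, and nothing in that header names the vendor, so a content-based filter that also accepts these process tags for another switch family will win. The following Python is an added example, not code from SC4S or from anyone in this thread. It parses a constructed line modelled on the tcpdump payload, checks that the PRI decodes to the facility and severity tcpdump reported, and then classifies the event with a hostname table first and a content guess only as a fallback. The hostname-to-vendor table and the set of shared tags are assumptions made for the example; the real SC4S filters are not reproduced here.

```python
"""Parse a bare BSD-syslog (RFC 3164) line and classify it by source host.

Added example for the SC4S thread above; not SC4S's own parser or filters.
"""
import re
from typing import Optional

# Constructed sample, modelled on the tcpdump payload in the thread:
#   <PRI>Mon dd HH:MM:SS hostname TAG: message
# No RFC 5424 version field, no structured data, no vendor identifier.
SAMPLE = ("<14>Jun  9 16:54:50 hostname1 STP: VLAN 205 Port 1/1/8 "
          "STP State -> DISABLED (PortDown)")

BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_-]+): ?"
    r"(?P<msg>.*)$"
)

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 16: "local0", 17: "local1",
              18: "local2", 19: "local3", 20: "local4", 21: "local5",
              22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]


def parse_bsd(line: str) -> Optional[dict]:
    """Split PRI, timestamp, hostname, tag and body of an RFC 3164 line.

    Returns None for anything else, e.g. an RFC 5424 line ("<PRI>1 ...")
    like the SC4S-emitted events earlier in the thread.
    """
    m = BSD_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 23 / severity 7 is the largest legal PRI
        return None
    return {
        "facility": FACILITIES.get(pri >> 3, str(pri >> 3)),
        "severity": SEVERITIES[pri & 7],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


# Hostname -> (vendor, product). This is the table you have to declare
# yourself when the header carries no vendor hint; the hostname here is an
# assumption for the example.
HOST_VENDOR = {
    "hostname1": ("brocade", "switch"),
}

# Stand-in for a content-only guess. These are the process tags visible in
# the Brocade samples above; the assumption is that a content filter for a
# different switch family accepts the same tags, which is what a message
# body alone cannot rule out.
SHARED_TAGS = {"STP", "DOT1X", "DHCPS", "System"}


def classify(event: dict) -> tuple:
    """Return (vendor, product, reason).

    A host match is authoritative. Only when the host is unknown do we fall
    back to the content guess, which is the ambiguous path that produced the
    wrong sourcetype in the thread.
    """
    host = event["host"]
    if host in HOST_VENDOR:
        vendor, product = HOST_VENDOR[host]
        return vendor, product, "host"
    if event["tag"] in SHARED_TAGS:
        return "dellemc", "powerswitch", "content-guess"
    return "unknown", "unknown", "no-match"


if __name__ == "__main__":
    ev = parse_bsd(SAMPLE)
    print(ev)
    print(classify(ev))
```

Run it against lines pulled from your own capture (strip the UDP header first, or use tcpdump's Msg: line); if `classify` only ever reaches the host branch for your switch hostnames, the host-based parser the docs describe is doing its job, and any event that lands in `content-guess` is a hostname you have not declared yet.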
@wdoctor, does this issue still exist? If yes, share the pcap over DM.
@wdoctor, We did not hear anything from you. We are closing this issue.
Please reach out in case of any further queries.
Thank you