
Cisco IOS XR (8000 series) syslog as nix:syslog

Open PashFW opened this issue 1 year ago • 11 comments

What is the sc4s version? 3.5

Is there a pcap available? No, but a sample is attached: sample.txt

What the vendor name? Cisco

What's the product name? Cisco 8000 Series Routers, IOS XR Release 7+

**Feature Request description:** Cisco IOS XR is declared supported, but it seems it doesn't fit the new(?) XR format and matches general nix:syslog when expected to be a flavor of cisco:ios like cisco:ios:xr or cisco:iosxr. Format described here: https://www.cisco.com/c/en/us/td/docs/iosxr/cisco8000/system-monitoring/73x/b-system-monitoring-cg-cisco8k-73x/implementing_system_logging.html. Short diff vs cisco:ios: the %message is preceded by node-id, timestamp, process-name delimited by `:`.

**Should it support TCP or UDP?** not applicable

**Do you want to have it for local usage or prepare a github PR?** recommended local quick fix is appreciated, but PR sounds right

PashFW avatar Oct 20 '23 20:10 PashFW

man page declaring the IOS XR support https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Cisco/cisco_ios/

advertised Splunk Add-on https://splunkbase.splunk.com/app/1467 does NOT have any XR specific props/transforms and is no longer supported

PashFW avatar Oct 20 '23 20:10 PashFW

@PashFW thank you for reporting this and for all the research, it's super helpful. I will try to update the parser by the end of the next week

mstopa-splunk avatar Oct 26 '23 08:10 mstopa-splunk

@PashFW Cisco IOS XR logs are not RFC compliant so we need to rely on parts of messages a lot. Please see changes in https://github.com/splunk/splunk-connect-for-syslog/pull/2270 and test if image ghcr.io/splunk/splunk-connect-for-syslog/container3:pr-2270@sha256:b07de8f2338b7dab926f3ff9e4e580a54affe63cde68b5a425c60cea7a799fd9 covers all your use cases

mstopa-splunk avatar Nov 27 '23 10:11 mstopa-splunk

fixed in https://github.com/splunk/splunk-connect-for-syslog/pull/2270

mstopa-splunk avatar Dec 11 '23 09:12 mstopa-splunk

Hello @mstopa-splunk ,

The fix was based on an incomplete payload, which results in an incorrect hostname extraction.

Here is a payload captured with tcpdump:

```
<190>290692: HOSTNAME RP/0/RSP0/CPU0:Mar 19 15:47:02.754 : SSHD_[65935]: %SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'HELLO' from '8.8.8.8' logged out on 'vty0'
```

With the current parsing and this log sample, the hostname in Splunk is "SSHD" instead of "HOSTNAME".

Can you fix this please?

Thanks

Mosstrow avatar Mar 19 '24 15:03 Mosstrow

hi @Mosstrow reopened this issue

mstopa-splunk avatar Mar 20 '24 10:03 mstopa-splunk

@Mosstrow this works on my end:

```bash
# bash /dev/udp redirection: sends the line as one UDP datagram to port 514
echo "<190>290692: HOSTNAME RP/0/RSP0/CPU0:Mar 26 14:47:02.754 : SSHD_[65935]: %SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'HELLO' from '8.8.8.8' logged out on 'vty0'" > /dev/udp/0.0.0.0/514
```

I'm on SC4S 3.22.0. Please double check and let me know

mstopa-splunk avatar Mar 26 '24 14:03 mstopa-splunk

If you still have this problem, please send sc4s_tags

mstopa-splunk avatar Mar 26 '24 14:03 mstopa-splunk

Hi @mstopa-splunk

Sorry for the late reply.

The problem persists, but it's related to the fact that our switch's hostname contains an underscore.

```bash
# same test as above, with an underscore in the hostname
echo "<190>290692: HOST_NAME RP/0/RSP0/CPU0:Mar 26 14:47:02.754 : SSHD_[65935]: %SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'HELLO' from '8.8.8.8' logged out on 'vty0'" > /dev/udp/0.0.0.0/514
```

Can you correct this?

Thanks

Mosstrow avatar Apr 12 '24 11:04 Mosstrow

@Mosstrow can you try with the image ghcr.io/splunk/splunk-connect-for-syslog/container3:pr-2399 ?

mstopa-splunk avatar Apr 15 '24 10:04 mstopa-splunk

@mstopa-splunk I've tested it in the LAB and it works very well. Good job!

Mosstrow avatar Apr 15 '24 11:04 Mosstrow

released in v3.25.0

mstopa-splunk avatar May 13 '24 17:05 mstopa-splunk
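The IOS XR layout discussed in this thread, as an added example that is not part of the original issue or of SC4S itself: a positional parser for the `<PRI>SEQ: HOSTNAME NODE-ID:TIMESTAMP : PROCESS[PID]: %FAC-SUBFAC-SEV-MNEMONIC : text` shape, run over the two sample lines posted above (plain hostname and hostname with an underscore). The `strict_hostname` helper is a constructed illustration of why a hostname class limited to RFC 1123 characters breaks on `HOST_NAME`; it is not a copy of the SC4S parser. Field names are my own.

```python
import re
from typing import Optional

# Two lines from this thread, used here as constructed test input.
SAMPLES = [
    "<190>290692: HOSTNAME RP/0/RSP0/CPU0:Mar 19 15:47:02.754 : SSHD_[65935]: "
    "%SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'HELLO' from '8.8.8.8' logged out on 'vty0'",
    "<190>290692: HOST_NAME RP/0/RSP0/CPU0:Mar 26 14:47:02.754 : SSHD_[65935]: "
    "%SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'HELLO' from '8.8.8.8' logged out on 'vty0'",
]

# Layout seen above (not RFC 3164/5424 compliant, hence positional parsing):
#   <PRI>SEQ: HOSTNAME NODE-ID:TIMESTAMP : PROCESS[PID]: %FAC[-SUBFAC]-SEV-MNEMONIC : text
XR_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+):\s+"
    r"(?P<host>\S+)\s+"                                   # any non-blank run, so '_' is allowed
    r"(?P<node>[A-Za-z0-9]+(?:/[A-Za-z0-9]+)+):"          # e.g. RP/0/RSP0/CPU0
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) *: +"
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: +"
    r"%(?P<facility>[A-Z0-9_]+)(?:-(?P<subfacility>[A-Z0-9_]+))?"
    r"-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+) *: *(?P<msg>.*)$"
)

# Hostname class limited to RFC 1123 characters: a constructed illustration of the failure
# mode, not SC4S's parser. It cannot consume 'HOST_NAME', so the whole match fails.
RFC1123_HOST_RE = re.compile(r"^<\d{1,3}>\d+: +(?P<host>[A-Za-z0-9.-]+) +\S")

def strict_hostname(line: str) -> Optional[str]:
    m = RFC1123_HOST_RE.match(line)
    return m.group("host") if m else None

def parse_xr(line: str) -> Optional[dict]:
    """Parse one IOS XR syslog line into fields; return None when it is not in this layout."""
    m = XR_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    pri = int(d["pri"])
    d["pri_facility"], d["pri_severity"] = divmod(pri, 8)   # 190 -> local7 (23), info (6)
    d["sev"], d["pid"], d["seq"] = int(d["sev"]), int(d["pid"]), int(d["seq"])
    # The severity inside %MNEMONIC should agree with the PRI; a mismatch is worth flagging.
    d["severity_consistent"] = d["sev"] == d["pri_severity"]
    return d

if __name__ == "__main__":
    for s in SAMPLES:
        r = parse_xr(s)
        print(r["host"], r["mnemonic"], r["severity_consistent"], "| strict:", strict_hostname(s))
```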