splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

Cisco IOS XR (8000 series) syslog as nix:syslog #2247

Closed PashFW closed 3 months ago

PashFW commented 10 months ago

What is the sc4s version ? 3.5

Is there a pcap available? No, but a sample is attached: sample.txt

What the vendor name? Cisco

What's the product name? Cisco 8000 Series Routers, IOS XR Release 7+

Feature Request description: Cisco IOS XR is declared supported, but it seems it doesn't fit the new(?) XR format and matches the general nix:syslog when it is expected to be a flavor of cisco:ios, like cisco:ios:xr or cisco:iosxr. The format is described here: https://www.cisco.com/c/en/us/td/docs/iosxr/cisco8000/system-monitoring/73x/b-system-monitoring-cg-cisco8k-73x/implementing_system_logging.html. Short diff vs cisco:ios: the %message is preceded by node-id, timestamp and process-name, delimited by ':'.

Should it support TCP or UDP? not applicable

Do you want to have it for local usage or prepare a github PR? recommended local quick fix is appreciated, but PR sounds right

PashFW commented 10 months ago

Man page declaring the IOS XR support: https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Cisco/cisco_ios/

The advertised Splunk Add-on https://splunkbase.splunk.com/app/1467 does NOT have any XR-specific props/transforms and is no longer supported.

mstopa-splunk commented 10 months ago

@PashFW thank you for reporting this and for all the research, it's super helpful. I will try to update the parser by the end of next week.

mstopa-splunk commented 9 months ago

@PashFW Cisco IOS XR logs are not RFC compliant, so we need to rely on parts of the messages a lot. Please see the changes in https://github.com/splunk/splunk-connect-for-syslog/pull/2270 and test whether the image ghcr.io/splunk/splunk-connect-for-syslog/container3:pr-2270@sha256:b07de8f2338b7dab926f3ff9e4e580a54affe63cde68b5a425c60cea7a799fd9 covers all your use cases.

mstopa-splunk commented 8 months ago

fixed in https://github.com/splunk/splunk-connect-for-syslog/pull/2270

Mosstrow commented 5 months ago

Hello @mstopa-splunk ,

The fix was based on an incomplete payload, which results in an incorrect hostname extraction.

Here is a payload captured with tcpdump:

<190>290692: HOSTNAME RP/0/RSP0/CPU0:Mar 19 15:47:02.754 : SSHD_[65935]: %SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'HELLO' from '8.8.8.8' logged out on 'vty0'

With the current parsing and this log sample, the hostname in Splunk is "SSHD" instead of "HOSTNAME". Can you fix this please? Thanks

mstopa-splunk commented 5 months ago

Hi @Mosstrow, reopened this issue

mstopa-splunk commented 5 months ago

@Mosstrow this works on my end:

echo "<190>290692: HOSTNAME RP/0/RSP0/CPU0:Mar 26 14:47:02.754 : SSHD_[65935]: %SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'HELLO' from '8.8.8.8' logged out on 'vty0'" > /dev/udp/0.0.0.0/514

[screenshot of the parsed event]

I'm on SC4S 3.22.0. Please double-check and let me know.

mstopa-splunk commented 5 months ago

If you still have this problem, please send sc4s_tags.

Mosstrow commented 4 months ago

Hi @mstopa-splunk

Sorry for the late reply.

The problem persists, but it's related to the fact that our switch's hostname contains an underscore.

echo "<190>290692: HOST_NAME RP/0/RSP0/CPU0:Mar 26 14:47:02.754 : SSHD_[65935]: %SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'HELLO' from '8.8.8.8' logged out on 'vty0'" > /dev/udp/0.0.0.0/514

Can you correct this ?

Thanks
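The IOS XR message layout described in the first post (node-id, timestamp, process-name and the %CATEGORY-GROUP-SEVERITY-CODE token, ':'-delimited) and the tcpdump capture above (a sequence number and a hostname, possibly containing an underscore, in front of the node-id) can be parsed with a single anchored regex. This is an added example written for this page, not SC4S's own syslog-ng parser and not code from the thread. It assumes the sequence number and hostname prefix are optional and that the message code may have three parts instead of four; the two sample lines taken from the thread are reproduced as posted, the others are constructed.

```python
"""Parse Cisco IOS XR syslog lines of the shape discussed in this issue.

Added example for this page (not SC4S code). Assumptions are marked below.
"""
import re
from typing import Optional

# Constructed sample input. The first two lines are the ones posted in the
# thread; the third (no sequence number / hostname prefix, 8000-series style
# node-id) is an assumed variant, not a capture.
SAMPLES = [
    "<190>290692: HOSTNAME RP/0/RSP0/CPU0:Mar 19 15:47:02.754 : SSHD_[65935]: "
    "%SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'HELLO' from '8.8.8.8' logged out on 'vty0'",
    "<190>290692: HOST_NAME RP/0/RSP0/CPU0:Mar 26 14:47:02.754 : SSHD_[65935]: "
    "%SECURITY-SSHD-6-INFO_USER_LOGOUT : User 'HELLO' from '8.8.8.8' logged out on 'vty0'",
    "<187>0/RP0/CPU0:Mar 26 14:48:10.001 : ifmgr[229]: "
    "%PKT_INFRA-LINK-3-UPDOWN : Interface HundredGigE0/0/0/1, changed state to Down",
]

# Fields are anchored on the fixed structure (node-id ':' timestamp ' : ' proc
# ' : ' %code ' : ' text) rather than on word shape, so a hostname such as
# HOST_NAME or a process name such as SSHD_ cannot be confused with each other.
IOSXR_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+):\s+)?"                    # optional sequence number (assumed optional)
    r"(?:(?P<host>[^\s:]+)\s+)?"                # optional hostname, underscores allowed
    r"(?P<node>[A-Za-z0-9/]+):"                 # node-id, e.g. RP/0/RSP0/CPU0 or 0/RP0/CPU0
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?)\s*:\s*"
    r"(?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?\s*:\s*"   # process-name[pid]
    r"%(?P<category>[A-Z0-9_]+)-(?:(?P<group>[A-Z0-9_]+)-)?"  # group assumed optional
    r"(?P<sev>[0-7])-(?P<code>[A-Z0-9_]+)\s*:\s*"
    r"(?P<msg>.*)$"
)


def parse_iosxr(line: str) -> Optional[dict]:
    """Return the parsed fields of an IOS XR line, or None if it is not one."""
    m = IOSXR_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    d = m.groupdict()
    pri = int(d.pop("pri"))
    d["syslog_facility"] = pri >> 3          # 190 -> 23 (local7)
    d["syslog_severity"] = pri & 7           # 190 -> 6 (info)
    d["sev"] = int(d["sev"])
    d["pid"] = int(d["pid"]) if d["pid"] else None
    # The PRI severity and the severity inside %...-N-... should agree;
    # a mismatch is worth surfacing when triaging a parser bug.
    d["severity_consistent"] = d["sev"] == d["syslog_severity"]
    return d


def extract_hosts(lines) -> list:
    """Hostname per line (None when the line carries no hostname prefix)."""
    return [(r["host"] if (r := parse_iosxr(ln)) else None) for ln in lines]


if __name__ == "__main__":
    for ln in SAMPLES:
        r = parse_iosxr(ln)
        print(f"host={r['host']!r} node={r['node']} proc={r['proc']} "
              f"code={r['category']}-{r['group']}-{r['sev']}-{r['code']}")
```

The regex treats the hostname as "whatever non-blank token sits between the optional sequence number and the node-id", which is what makes `HOST_NAME` survive; a parser that instead looks for the first `WORD[pid]:` or the first `:`-terminated token would pick up `SSHD_` for the line above. A plain RFC 3164 line, which starts with a timestamp rather than a sequence number or node-id, does not match and returns None, so this can sit in front of a generic `nix:syslog` fallback.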

mstopa-splunk commented 4 months ago

@Mosstrow can you try with the image ghcr.io/splunk/splunk-connect-for-syslog/container3:pr-2399 ?

Mosstrow commented 4 months ago

@mstopa-splunk I've tested it in the LAB and it works very well. Good job!

mstopa-splunk commented 3 months ago

Released in v3.25.0