Re: Syslog processing from cisco switches to Splunk

2017-10-19 Thread DAVID SMITH
Hi
An example message is:
<190>2155664: Oct 18 11:54:58: %SEC-6-IPACCESSLOGP: list inbound-to-zzz denied tcp 192.168.0.1(12345) -> 192.168.10.1(443), 1 packet
Many thanks
Dave

On Thursday, 19 October 2017, 14:37, Bryan Bende wrote:

If you can provide an example message we can try to see why
ListenSyslog says it is invalid.

I'm not sure that will solve the issue, but would give you something
else to try.

On Thu, Oct 19, 2017 at 8:38 AM, Andrew Psaltis wrote:
> Dave,
> To clarify you are using the PutUDP processor, not the PutSplunk processor?
>
> On Thu, Oct 19, 2017 at 7:31 AM, DAVID SMITH wrote:
>
>> Hi
>> We are trying to do something which on the face of it seems fairly simple
>> but will not work. We have a Cisco switch which is producing syslogs;
>> normally we use ZoneRanger to send them to Splunk and the records are
>> shown. However we want to do a bit of content routing, so we are using NiFi
>> 0.7.3 with a ListenUDP on port 514 and we can see the records coming in to
>> NiFi. Without doing anything to the records we use a PutUDP to send records
>> to the Splunk server; NiFi says they have sent successfully but they never
>> show in Splunk. We have used a ListenUDP on another NiFi and the records
>> transfer and look exactly the same as they were sent. We have also used
>> ListenSyslog and PutSyslog, but the ListenSyslog says the records are
>> invalid.
>> Has anyone ever done this, and can you give us any guidance on what we
>> may be missing?
>> Many thanks
>> Dave
>
> --
> Thanks,
> Andrew
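Worked parse of the sample message Dave posted, as an added example that is not part of the thread and not NiFi or Splunk code. The point a defender cares about: RFC 3164 expects `<PRI>` to be followed directly by a `Mmm dd hh:mm:ss` timestamp and then a hostname, while this IOS line has a sequence number (`2155664: `) before the timestamp, a colon after it, and no hostname at all, so a strict RFC 3164 parser rejects it, which is consistent with ListenSyslog reporting it invalid. The block below checks the line against a strict RFC 3164 pattern, parses it with a Cisco-aware pattern instead, decodes the PRI (190 is facility 23, local7, severity 6, informational), pulls out the ACL-deny tuple a detection rule would key on, cross-checks the PRI severity against the severity embedded in `%SEC-6-...`, and rebuilds an RFC 3164-shaped line with a caller-supplied hostname so a strict downstream parser accepts it. The regexes, field names, the `switch01` hostname and the second IOS line are my own assumptions; the Cisco pattern also accepts the optional clock marker, millisecond and timezone decorations IOS can add, which goes beyond the single line in the thread.

```python
import re
from typing import Optional, Tuple

# Constructed sample inputs. The first is the Cisco IOS line quoted in the thread
# (one UDP datagram, one line); the second is the example message from RFC 3164
# section 5.4, used to show what a strict RFC 3164 parser expects.
CISCO_LINE = (
    "<190>2155664: Oct 18 11:54:58: %SEC-6-IPACCESSLOGP: "
    "list inbound-to-zzz denied tcp 192.168.0.1(12345) -> 192.168.10.1(443), 1 packet"
)
RFC3164_LINE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"

# Strict RFC 3164 header: <PRI>, then "Mmm dd hh:mm:ss", then a hostname token.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Cisco IOS shape (assumed from the thread's sample plus the optional decorations
# IOS can add): optional "seq: " prefix, optional '*' / '.' clock-status marker,
# timestamp with optional milliseconds and timezone, a colon, then
# "%FACILITY-SEVERITY-MNEMONIC: text". There is no hostname field at all.
CISCO_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?P<clock>[*.])?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)(?P<msec>\.\d{1,3})?"
    r"(?: (?P<tz>[A-Z]{1,5}))?"
    r": %(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$"
)

# Body of an IPACCESSLOGP message in the shape shown in the thread (assumed).
ACL_RE = re.compile(
    r"^list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split the syslog PRI value into (facility, severity): PRI = facility*8 + severity."""
    return pri // 8, pri % 8


def parse_rfc3164(line: str) -> Optional[dict]:
    """Return header fields if the line is a well-formed RFC 3164 message, else None."""
    m = RFC3164_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return {"facility": facility, "severity": severity, "timestamp": m["ts"],
            "host": m["host"], "msg": m["msg"]}


def parse_acl_body(msg: str) -> Optional[dict]:
    """Extract the tuple a detection rule would key on from an ACL log body."""
    m = ACL_RE.match(msg)
    if not m:
        return None
    return {"acl": m["acl"], "action": m["action"], "proto": m["proto"],
            "src": m["src"], "src_port": int(m["sport"]),
            "dst": m["dst"], "dst_port": int(m["dport"]), "packets": int(m["count"])}


def parse_cisco_syslog(line: str) -> Optional[dict]:
    """Parse a Cisco IOS syslog line; returns None if the line is not in that shape."""
    m = CISCO_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return {
        "pri": int(m["pri"]),
        "facility": facility,
        "severity": severity,
        "seq": int(m["seq"]) if m["seq"] else None,
        "timestamp": m["ts"],
        "msg_facility": m["fac"],
        # The severity embedded in %FAC-SEV-MNEM should agree with the PRI's severity;
        # a mismatch is worth flagging as a relay or logging-config anomaly.
        "msg_severity": int(m["sev"]),
        "severity_consistent": int(m["sev"]) == severity,
        "mnemonic": m["mnem"],
        "msg": m["msg"],
        "acl": parse_acl_body(m["msg"]),
    }


def to_rfc3164(parsed: dict, hostname: str) -> str:
    """Rebuild an RFC 3164-shaped line: drop the sequence number, insert a hostname.

    The hostname is supplied by the caller (for example the datagram's source
    address), since the Cisco line carries none.
    """
    return (f"<{parsed['pri']}>{parsed['timestamp']} {hostname} "
            f"%{parsed['msg_facility']}-{parsed['msg_severity']}-{parsed['mnemonic']}: "
            f"{parsed['msg']}")


if __name__ == "__main__":
    print("strict RFC 3164 accepts Cisco line:", parse_rfc3164(CISCO_LINE) is not None)
    rec = parse_cisco_syslog(CISCO_LINE)
    print(rec)
    print(to_rfc3164(rec, "switch01"))
```

Running the block shows the strict parser returning `None` for the Cisco line, the Cisco parser returning facility 23 / severity 6 with the denied 192.168.0.1:12345 to 192.168.10.1:443 tuple, and the rebuilt line (`<190>Oct 18 11:54:58 switch01 %SEC-6-IPACCESSLOGP: ...`) passing the strict parser.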
Re: Syslog processing from cisco switches to Splunk

2017-10-19 Thread Bryan Bende
If you can provide an example message we can try to see why
ListenSyslog says it is invalid.

I'm not sure that will solve the issue, but would give you something
else to try.

On Thu, Oct 19, 2017 at 8:38 AM, Andrew Psaltis wrote:
> Dave,
> To clarify you are using the PutUDP processor, not the PutSplunk processor?
>
> On Thu, Oct 19, 2017 at 7:31 AM, DAVID SMITH wrote:
>
>> Hi
>> We are trying to do something which on the face of it seems fairly simple
>> but will not work. We have a Cisco switch which is producing syslogs;
>> normally we use ZoneRanger to send them to Splunk and the records are
>> shown. However we want to do a bit of content routing, so we are using NiFi
>> 0.7.3 with a ListenUDP on port 514 and we can see the records coming in to
>> NiFi. Without doing anything to the records we use a PutUDP to send records
>> to the Splunk server; NiFi says they have sent successfully but they never
>> show in Splunk. We have used a ListenUDP on another NiFi and the records
>> transfer and look exactly the same as they were sent. We have also used
>> ListenSyslog and PutSyslog, but the ListenSyslog says the records are
>> invalid.
>> Has anyone ever done this, and can you give us any guidance on what we
>> may be missing?
>> Many thanks
>> Dave
>
> --
> Thanks,
> Andrew


Re: Syslog processing from cisco switches to Splunk

2017-10-19 Thread Andrew Psaltis
Dave,
To clarify you are using the PutUDP processor, not the PutSplunk processor?

On Thu, Oct 19, 2017 at 7:31 AM, DAVID SMITH wrote:

> Hi
> We are trying to do something which on the face of it seems fairly simple
> but will not work. We have a Cisco switch which is producing syslogs;
> normally we use ZoneRanger to send them to Splunk and the records are
> shown. However we want to do a bit of content routing, so we are using NiFi
> 0.7.3 with a ListenUDP on port 514 and we can see the records coming in to
> NiFi. Without doing anything to the records we use a PutUDP to send records
> to the Splunk server; NiFi says they have sent successfully but they never
> show in Splunk. We have used a ListenUDP on another NiFi and the records
> transfer and look exactly the same as they were sent. We have also used
> ListenSyslog and PutSyslog, but the ListenSyslog says the records are
> invalid.
> Has anyone ever done this, and can you give us any guidance on what we
> may be missing?
> Many thanks
> Dave

-- 
Thanks,
Andrew


Syslog processing from cisco switches to Splunk

2017-10-19 Thread DAVID SMITH
Hi
We are trying to do something which on the face of it seems fairly simple but
will not work. We have a Cisco switch which is producing syslogs; normally we
use ZoneRanger to send them to Splunk and the records are shown. However we want
to do a bit of content routing, so we are using NiFi 0.7.3 with a ListenUDP on
port 514 and we can see the records coming in to NiFi. Without doing anything
to the records we use a PutUDP to send records to the Splunk server; NiFi says
they have sent successfully but they never show in Splunk. We have used a
ListenUDP on another NiFi and the records transfer and look exactly the same as
they were sent. We have also used ListenSyslog and PutSyslog, but the
ListenSyslog says the records are invalid.
Has anyone ever done this, and can you give us any guidance on what we may be
missing?
Many thanks
Dave