Channel: Questions in topic: "splunk-enterprise"

Breaking up syslog sourcetype

Good afternoon, I am working on trying to divide my network devices up so that I have different sourcetypes for each vendor, and then ultimately ship them off to different indexes as well. These devices are all things like routers and switches, so I need to use their built-in syslog services. Unfortunately, I'm not understanding the documentation properly and it is not working. I'm focusing on Nokia gear for the time being; here is a sanitized example log entry from a Nokia device:

    Jan 5 13:27:51 123.123.123.123 TMNX: 803766 Base BGP-WARNING-bgpBackwardTransition-2002 [Peer 1: 123.123.123.123]: VR 1: Group mpBGP-IPv4: Peer 123.123.123.123: moved from higher state OPENSENT to lower state IDLE due to event TCP SOCKET ERROR

Here's the stanza from my transforms.conf:

    [nokia]
    REGEX = TMNX
    FORMAT = sourcetype::nokia
    DEST_KEY = MetaData:Sourcetype

And here's from props.conf:

    [source::udp:514]
    TRANSFORMS-nokia = nokia

I am getting data in, but it's all just showing up under the sourcetype of syslog. Thanks in advance for your help.
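As an added example (not from the poster and not Splunk's own code), a small Python check that reads transforms.conf-style stanzas and applies them to sample syslog lines the way a TRANSFORMS- list in props.conf would, so the REGEX and FORMAT/DEST_KEY values can be validated offline before touching a running indexer. The cisco and route_nokia stanzas and every event other than the first are constructed assumptions.

```python
import configparser
import re

# Constructed transforms.conf text: the [nokia] stanza from the post, plus a
# hypothetical second vendor stanza and an index-routing stanza (assumptions).
TRANSFORMS_CONF = """
[nokia]
REGEX = TMNX
FORMAT = sourcetype::nokia
DEST_KEY = MetaData:Sourcetype

[cisco]
REGEX = %[A-Z0-9_]+-\\d-[A-Z0-9_]+
FORMAT = sourcetype::cisco
DEST_KEY = MetaData:Sourcetype

[route_nokia]
REGEX = TMNX
FORMAT = net_nokia
DEST_KEY = _MetaData:Index
"""

# Constructed sample events; the first is the sanitized line from the post.
SAMPLE_EVENTS = [
    "Jan 5 13:27:51 123.123.123.123 TMNX: 803766 Base BGP-WARNING-bgpBackwardTransition-2002 [Peer 1: 123.123.123.123]: VR 1: Group mpBGP-IPv4: Peer 123.123.123.123: moved from higher state OPENSENT to lower state IDLE due to event TCP SOCKET ERROR",
    "Jan 5 13:28:02 10.0.0.1 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "Jan 5 13:28:10 10.0.0.2 sshd[1234]: Accepted publickey for ops from 10.0.0.9",
]

def load_transforms(conf_text):
    """Parse stanzas into (name, compiled REGEX, FORMAT, DEST_KEY) tuples, in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return [(s, re.compile(cp[s]["REGEX"]), cp[s]["FORMAT"], cp[s]["DEST_KEY"]) for s in cp.sections()]

def route_event(raw, transforms, default_sourcetype="syslog", default_index="main"):
    """Apply each transform to _raw in order; a later match overrides an earlier one.
    Returns the (sourcetype, index) the event would end up with."""
    meta = {"MetaData:Sourcetype": default_sourcetype, "_MetaData:Index": default_index}
    for _name, rx, fmt, dest in transforms:
        if rx.search(raw):
            # Sourcetype FORMAT carries a 'sourcetype::' prefix; index FORMAT is the bare index name.
            meta[dest] = fmt.split("::", 1)[1] if dest == "MetaData:Sourcetype" else fmt
    return meta["MetaData:Sourcetype"], meta["_MetaData:Index"]

def route_all(conf_text=TRANSFORMS_CONF, events=SAMPLE_EVENTS):
    transforms = load_transforms(conf_text)
    return [route_event(e, transforms) for e in events]

if __name__ == "__main__":
    for event, (sourcetype, index) in zip(SAMPLE_EVENTS, route_all()):
        print(f"{sourcetype:8} {index:10} {event[:60]}")
```

Splunk applies index-time TRANSFORMS on the first full Splunk instance that parses the data (indexer or heavy forwarder), so the props.conf and transforms.conf stanzas have to live on that tier, not on a universal forwarder.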
