You might need to review syslog messages to identify problems with a specific network device when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
To collect SNMP traps in Splunk, you will need to run an snmptrapd server on a Linux or Windows machine to collect traps and write them to a file. After they are written to disk, you can configure the Universal Forwarder to read those files and forward them to Splunk; this configuration is outlined in our documentation.
If you suspect a particular device is having issues, the syslog messages it emits will often contain evidence of the problem. Use Splunk to isolate the syslog messages coming from that device and look for messages with elevated severity (warning or more urgent).
To optimize the search shown below, you should specify an index and a time range.
- If you are switching to Splunk software from another vendor, front SC4S with the same IP address that your previous software used to collect syslog traffic. This avoids having to reconfigure every network device, and the firewall rules between them and the collector, to allow syslog traffic to flow to a new syslog receiver.
- Run the following search:
index IN (*) sourcetype IN (*) host=<Hostname/IP of Device> (severity_name IN (emergency, alert, critical, error, warning) OR sc4s_syslog_severity IN (emergency, alert, critical, error, warning))
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
| --- | --- |
| `index IN (*) sourcetype IN (*)` | Search all indexes and source types. This is the slowest form of the search; replace the wildcards with the index SC4S writes your network device data to (for example, `netops`) and the source types of your devices (for example, `cisco:ios`). |
| `host=<Hostname/IP of Device>` | Restrict the results to the host name or IP address of the device you want to investigate. Use whichever value SC4S assigns to the `host` field for that device. |
| `(severity_name IN (emergency, alert, critical, error, warning) OR sc4s_syslog_severity IN (emergency, alert, critical, error, warning))` | Keep only events whose severity is warning or more urgent. The `severity_name` field is populated by the vendor add-on from the message body, while `sc4s_syslog_severity` is the indexed field SC4S derives from the syslog PRI header, so the `OR` catches the event whichever field is present. Notice, informational, and debug events are excluded. |
To further restrict the search, limit it to the source types associated with your networking devices, and confirm that the severity field names above match the add-on you use for those source types. Use the results to determine what needs to be investigated further.
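The search above filters on two severity fields because they come from different places: `sc4s_syslog_severity` is derived from the `<PRI>` header of the syslog packet (PRI = facility * 8 + severity), while `severity_name` is extracted by the vendor add-on from the message body (for Cisco IOS, the digit in the `%FACILITY-SEVERITY-MNEMONIC` token). The following Python script is an added example, not code from the page or from Splunk, that applies the same filter to a handful of constructed Cisco-style syslog lines. The sample records, the assumption that each record carries the sender address as the `host`, and the treatment of a header/body severity mismatch are all the author's assumptions for this illustration.

```python
import re
from typing import Optional

# RFC 3164 / RFC 5424 severity levels; PRI = facility * 8 + severity
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "informational", 7: "debug",
}

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Cisco-style mnemonic such as %LINK-3-UPDOWN; the digit is the severity
MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+)")


def parse_pri(raw: str):
    """Return (facility, severity) from the <PRI> header, or None if it is absent or invalid."""
    m = PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    return divmod(pri, 8)


def mnemonic_severity(raw: str) -> Optional[int]:
    """Severity digit from the %FAC-SEV-MNEMONIC token (what a vendor add-on would extract)."""
    m = MNEMONIC_RE.search(raw)
    return int(m.group(2)) if m else None


def find_elevated(records, host, max_severity=4):
    """Mimic the search: keep records from `host` whose severity, taken from either
    the PRI header (sc4s_syslog_severity) or the mnemonic (severity_name), is
    warning (4) or more urgent (a lower number). Records are (host, raw_line) tuples."""
    hits = []
    for src, raw in records:
        if src != host:  # host=<Hostname/IP of Device>
            continue
        pri = parse_pri(raw)
        header_sev = pri[1] if pri else None
        body_sev = mnemonic_severity(raw)
        candidates = [s for s in (header_sev, body_sev) if s is not None]
        if not candidates:
            continue  # neither field is populated: the OR in the search would not match
        sev = min(candidates)  # the OR keeps the event if either field is elevated
        if sev <= max_severity:
            hits.append({
                "host": src,
                "severity": sev,
                "severity_name": SEVERITY_NAMES[sev],
                # A device that stamps every packet with one PRI level still carries the
                # real severity in the body; flag the disagreement for the analyst.
                "severity_mismatch": (header_sev is not None and body_sev is not None
                                      and header_sev != body_sev),
                "message": raw,
            })
    return hits


# Constructed sample input: (sender address, raw syslog line). Not real device output.
SAMPLE_RECORDS = [
    ("10.0.0.1", "<189>45: *Mar  1 00:12:33.221: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)"),
    ("10.0.0.1", "<187>46: *Mar  1 00:13:01.005: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"),
    ("10.0.0.1", "<188>47: *Mar  1 00:13:02.118: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/2"),
    # PRI says informational (190 -> local7.info) but the body says critical: kept via the OR
    ("10.0.0.1", "<190>48: *Mar  1 00:13:05.000: %SYS-2-MALLOCFAIL: Memory allocation of 4096 bytes failed, pool Processor"),
    ("10.0.0.2", "<187>12: *Mar  1 00:14:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to down"),
    ("10.0.0.1", "no PRI header and no mnemonic on this line"),
]

if __name__ == "__main__":
    for hit in find_elevated(SAMPLE_RECORDS, "10.0.0.1"):
        flag = " (header/body severity mismatch)" if hit["severity_mismatch"] else ""
        print(f'{hit["severity_name"]:>9}{flag}: {hit["message"]}')
```

Run against the sample records, the script keeps the error, warning, and critical events from 10.0.0.1, drops the notice-level config message, ignores 10.0.0.2 entirely, and flags the MALLOCFAIL line because its PRI header disagrees with the body severity. That last case is why the search checks both fields rather than relying on the header alone.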