MT remote logging with SPLUNK

sioux · August 11, 2007, 7:56am

Hi
I have succesfuly setup a server (ubuntu 6.10se) with slunk (http://www.splunk.com)
Everything works great besides one thing. Event timesteps are wronk. In splunk logs I can see events with tommorows date for example.
I’m remotely logging wireless,info events (connected, disconnected, disconnected, extensive data loss and so on). there are olso strange hours at with data/events are arrived. I atached a picter below.

At first I was thinking that this event are from time after device is restarted and ntp client isn’t synchronized time with local time server. So a write a script which block outgoing 514/udp trafiice after the restart until system clock i synchronized.

ip firewall filter add chain=output protocol=udp dst-port=514 action=drop comment="block syslog";
:while ([system ntp client get status]!=synchronized) do={:delay 1};
ip firewall filter remove [find chain=output comment="block syslog"];

then I clean splunk database. AND i still reciving enevts with bad date and time
I don’t know if it is SPLUNK or MT problem

picture comment: on the top of atached picter there is: Last refreshed, and below are events with tommorows date
looking at logs on MT shows good date and time on remote MT device

does anyone can check this? splunk setup is very easy on debian like systems http://blog.2blocksaway.com/2007/04/03/snare-and-splunkfull-logging-for-everyone-logs-manage-them-well-on-ubuntu/

sioux · August 13, 2007, 7:03am

digging internet depper i found that it is rather SPLUNK “problem”
SPLUNK at default isn’t recognizing MT syslog timesteps well
if I find a solution I’ll post it here

sioux · August 14, 2007, 10:21am

the problem was that routerOS doesn’t send timestep of event in clear text format like 2007 Aug 13 or something like this.

root@ubuntu-http:~# tcpdump udp and dst port 514 -xX -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:11:36.342674 IP 192.168.100.50.1026 > 192.168.100.202.514: [|syslog]
        0x0000:  4500 006e 0000 4000 4011 f031 c0a8 6432  E..n..@.@..1..d2
        0x0010:  c0a8 64ca 0402 0202 005a 8091 7769 7265  ..d......Z..wire
        0x0020:  6c65 7373 2c69 6e66 6f20 3030 3a33 303a  less,info.00:30:
        0x0030:  3446 3a33 303a 4435 3a33 3240 7365 6b74  4F:30:D5:32@sekt
        0x0040:  6f72 5f76 3a20 6469 7363 6f6e 6e65 6374  or_v:.disconnect
        0x0050:  6564                                     ed
12:11:38.857226 IP 192.168.100.50.1026 > 192.168.100.202.514: [|syslog]
        0x0000:  4500 004f 0000 4000 4011 f050 c0a8 6432  E..O..@.@..P..d2
        0x0010:  c0a8 64ca 0402 0202 003b fa0a 7769 7265  ..d......;..wire
        0x0020:  6c65 7373 2c69 6e66 6f20 3030 3a33 303a  less,info.00:30:
        0x0030:  3446 3a33 303a 4435 3a33 3240 7365 6b74  4F:30:D5:32@sekt
        0x0040:  6f72 5f76 3a20 636f 6e6e 6563 7465 64    or_v:.connected

maybe timestep is coded? i don’t know it yeat. but form now there is a workaround. you must configure splunk to add time/date present on server when remote syslog event arrived.
all you need to do is to setup a network port to 514/udp and set “Set source type” to manual and in “Source Type” type eg. “mikrotik”
then you need to edit $SPLUNK_HOME/etc/bundle/local/props.conf and add this:

[mikrotik]
DATETIME_CONFIG = CURRENT