CSPC 2.11.0.5 GUI Events Not Logging to Splunk

We have configured our rsyslog.conf file to forward logs to a Splunk forwarder, and it's working to some degree; unfortunately, there are no GUI user account events showing in the logs.  While researching this condition I find there are several possibilities when it comes to GUI events being captured in CSPC and modifying the rsyslog to "pull in" the GUI events from numerous alternate logs, using imfile, imudp, imtcp and extracting from logind, journald, logger, and a few other possible locations showing GUI activity.  I have yet to find any logs with GUI account activity.
I'm curious if anyone else has encountered this troubling condition and has any advice on solving it.

Thanks for any feedback.

3 Replies

Stefan Mihajlov
Level 3

@MarkDuckson63340 

On CSPC 2.11.x, GUI/account activity isn’t sent to syslog by default. It’s written to app logs like:

  • /opt/cisco/ss/adminshell/logs/lcmlog.log

  • /opt/LCM/logs/*

To get them into Splunk, add an imfile input in /etc/rsyslog.d/ pointing at those files and forward via TCP/UDP. Restart rsyslog, then check Splunk for events tagged from lcmlog or lcm. That way GUI logins/changes appear in Splunk, since journald alone won’t show them.

Best regards,
Stefan Mihajlov

Mark this post as Helpful if it helped you, and Accept as Solution if it resolved your question.
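
An rsyslog drop-in along the lines of the reply above, added here as an example and not taken from the post or from Cisco documentation. The file name, ruleset name, queue name, facility, forwarder host and port are assumptions to replace with local values, and wildcard `File` paths depend on the rsyslog version installed on the collector.

```conf
# /etc/rsyslog.d/60-cspc-gui.conf  (file name is an assumption)
# Reads the CSPC application logs named in the reply above and forwards
# them to a Splunk forwarder over TCP.

module(load="imfile")

# Admin shell / GUI log
input(type="imfile"
      File="/opt/cisco/ss/adminshell/logs/lcmlog.log"
      Tag="lcmlog:"
      Severity="info"
      Facility="local6"
      ruleset="cspc_gui_to_splunk")

# Remaining LCM logs; wildcard support depends on the rsyslog version
input(type="imfile"
      File="/opt/LCM/logs/*"
      Tag="lcm:"
      Severity="info"
      Facility="local6"
      ruleset="cspc_gui_to_splunk")

# Binding the inputs to a dedicated ruleset keeps these events out of the
# default rules, so they are not duplicated into local files.
ruleset(name="cspc_gui_to_splunk") {
    action(type="omfwd"
           Target="splunk-forwarder.example.internal"   # placeholder host
           Port="514"                                   # placeholder port
           Protocol="tcp"
           # Disk-assisted queue: events are held and retried while the
           # forwarder is unreachable instead of being dropped.
           queue.type="LinkedList"
           queue.filename="cspc_gui_fwd"
           queue.maxDiskSpace="256m"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}
```

Validate the syntax with `rsyslogd -N1` before restarting rsyslog, and confirm the account rsyslog runs as can read both log locations; an unreadable file produces no events rather than an obvious failure.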

Hi Stefan,

I was able to finally get the Splunk logging to work for CSPC GUI login activity - unfortunately, it doesn't look like a simple solution is available for capturing GUI user account modifications, i.e., adds/deletes/changes.  I can accept your solution as a partial win, most appreciated!  I'll need to do some digging around to see if there is a solution for account mods.

Thank you for the solid guidance on imfile/rsyslog.d

Thank you Stefan,

I'll check those log paths and see if I can find anything useful and post back here with an outcome.