Cisco Networks Add-on for Splunk Enterprise
Overview
Details
Install this Add-On on your search head and indexers/heavy forwarders. Install the Cisco Networks (cisco_ios) App on your search head.
The Cisco Networks Add-on (TA-cisco_ios) sets the correct sourcetype and fields used for identifying data from Cisco IOS, IOS XE, IOS XR, NX-OS devices using Splunk® Enterprise.
Install this Add-on on your search head and indexers/heavy forwarders. Install the Cisco Networks (cisco_ios) App on your search head.
Supported data inputs:
- Syslog
- Smart Call Home (HTTP XML)
Please post a question on Splunk Answers and tag it with "Cisco Networks Add-on" if there is anything you would like to see in this app.
Application Details
Sourcetype(s): cisco:ios, Cisco:SmartCallHome
Supported Technologies: Cisco IOS, IOS-XE, NX-OS, IOS XR, WLC devices
Installation Instructions
The Cisco Networks Add-on can be downloaded, installed, and configured to receive Cisco IOS and WLC data by either using the Splunk app setup screen or by manually installing and configuring the app.
This app does not add any new inputs, it merely rewrites syslog events matching the IOS format. You need to already have IOS events coming in as the syslog OR cisco:ios sourcetype.
Setup and configuration
1. Install in $SPLUNK_HOME/etc/apps/TA-cisco_ios
2. Make sure your Cisco devices by default log to one of the following sourcetypes: cisco:ios OR syslog (A regex match will be performed to rewrite the events to the cisco:ios sourcetype)
3. (OPTIONAL for Smart Call Home support)
3.1. OPTIONAL - Add a new TCP data input on a port of your choice, set sourcetype to Cisco:SmartCallHome
3.2. OPTIONAL - On your Cisco devices:
service call-home
call-home
contact-email-addr YOUR.EMAIL@ADDR.ESS
site-id "YOUR_SITE_NAME"
profile "Splunk"
destination transport-method http
destination address http http://SPLUNK.SERVER.IP:TCP_PORT_FROM_3.1
subscribe-to-alert-group diagnostic severity debug
subscribe-to-alert-group environment severity debug
subscribe-to-alert-group inventory
subscribe-to-alert-group inventory periodic daily 22:30
--
4. Restart Splunk
Getting Help
- Consult Splunk Answers
- Contact the author: mikael@bjerkeland.com
Release Notes
Version 2.3.0
New features
Cisco Networks Add-on includes the following new features:
- Direct AP logging now supported. product field can now hold a value of IOS, WLC or IOS
- IP version agnostic IP extractions
- Lookup of ICMP codes and types in ACL logs
Fixed issues
Version 2.3.0 of the Cisco Networks Add-on fixes the following issues:
- Transform corrected in case of missing reported_hostname. General field extraction also edited.
- EVAL searchmatch action lookup not working correctly due to conflict with vendor_action lookup. Will need to be fixed by moving all the searchmatches to vendor_action_lookup
- Field extractions for Nexus interface admin changes + tags
- Normalization of src_int in case it contains whitespaces, i.e. "vlan 3333" is now "vlan3333"
Known issues
Version 2.3.0 of the Cisco Networks Add-on has the following known issues:
- None known
Version 2.2.1
New features
Cisco Networks Add-on includes the following new features:
- Moved a few extractions to transforms.conf.
- Added extraction for SEC_LOGIN-1-QUIET_MODE_ON
- Regex routing contributions from seismiccollission
- product field lookup now done based on presence of fields. This results in WLC or IOS as the two possible products
Version 2.2.0
New features
Cisco Networks Add-on includes the following new features:
- Five new extractions: ARP Inspection, IP Source guard, Storm Control
Fixed issues
Version 2.2.0 of the Cisco Networks Add-on fixes the following issues:
- Removed cisco_ios_hosts_last_period lookup
- ap_mac and src_mac issues for wireless resolved
Known issues
Version 2.2.0 of the Cisco Networks Add-on has the following known issues:
- EVAL searchmatch action lookup not working correctly due to conflict with vendor_action lookup
Version 2.1.0
+++ 2.1.0 (2014-11-10)
Features:
NAME CHANGED to Cisco Networks Add-on.
RFC5424 support (untested). Rewrites sourcetype rfc5424_syslog to cisco:ios if it matches. Also extracts fields
Version 2.0.0
++ What's New
+++ 2.0.0 (2014-09-19)
Features:
* CIM compliance
MAKE SURE YOU REMOVE EARLIER VERSIONS OF THIS APP BEFORE INSTALLING THIS VERSION!
Version 1.6.0
++ What's New
+++ 1.6.0 (2014-07-21)
Features:
Lots of new extractions
Nexus ACL extractions
IOS Firewall extracts. Thanks Patrick Preuss!
Cisco IOS XE extraction fix for 4451. Thanks
Bug fixes:
* Cisco IOS Messages CSV file moved from this app to the Cisco IOS app.
Version 1.5.0
++ What's New
+++ 1.5.0 (2014-05-08)
Features:
* Added lookup file for Cisco System Messages for the following devices:
- Nexus 7000, MDS 9000
- Catalyst 2960, 3750 etc
- Catalyst 4500
- Catalyst 6500
- WLC 5500
There are duplicates. I will review them at a later time
Version 1.2.2
+++ 1.2.2 (2014-04-23)
Features:
* 16 new extractions:
extract_cisco_ios-ILPOWER-3-CONTROLLER_PORT_ERR
extract_cisco_ios-SYS-CPUHOG
extract_cisco_ios-SYS-CPUHOG-2
extract_cisco_ios-LDP-5-SP
extract_cisco_ios-DHCP-6-ADDRESS_ASSIGN
extract_cisco_ios-CLEAR-5-COUNTERS
extract_cisco_ios-OSPF-4-ERRRCV
extract_cisco_ios-CERM-4-RX_TX_BW_LIMIT
extract_cisco_ios-SYS-5-PRIV_I
extract_cisco_ios-UDLD-4-UDLD_PORT_DISABLED
extract_cisco_ios-AUTHMGR-5-SECURITY_VIOLATION
extract_cisco_ios-TRACKING-5-STATE
extract_cisco_ios-RTT-6-SAATHRESHOLD
extract_cisco_ios-EC-5-L3DONTBNDL
extract_cisco_ios-EC-5-PORTDOWN
extract_cisco_ios-EC-5-STAYDOWN
Version 1.2.1
+++ 1.2.1 (2014-02-17)
Features:
This app must now be installed on both the search head AND indexer
We no longer rewrite the indexer to the "ios" index
+++ 1.2.0 (2014-01-09)
Features: Added props, transforms, tags to this app for CIM compliance
Version 1.0.4
+++ 1.0.4 (2013-09-20)
Features: IOS XR support
Version 1.0.3
+++ 1.0.3 (2013-08-12)
Bug fixes: Don't capture ACS events, be stricter on capturing
Version 1.0.2
+++ 1.0.2 (2013-06-07)
Bug fixes:
* Don't capture UCSM events
Version 1.0.1
+++ 1.0.1 (2013-04-23)
Bug fixes:
* Fixed extraction of mnemonic and facility with integers in it