Cisco Networks Splunk App

In this post, I'm going to veer away from the network security side of Splunk and toward the network operations side of things by introducing the Cisco Networks Splunk app. This app gathers syslog and Call Home data from the various network devices in the network and visualizes it in some rather interesting ways.

Prior to configuring this, I downloaded and installed the following apps onto my Splunk instance:

  • Cisco Networks Add-on - https://splunkbase.splunk.com/app/1467/
  • Cisco Networks App - https://splunkbase.splunk.com/app/1352/#/overview

Before configuring the data sources on Splunk, I went ahead and configured my various routers, switches, wireless controllers, FTD appliance, and access points to send syslog and Call Home data to Splunk.

For the IOS devices such as my routers and switches, I configured various parts of syslog as follows:

- Configuring syslog to be sent to Splunk:

service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service sequence-numbers
logging trap informational
logging host 10.1.100.20 transport udp port 514

- Turning on archiving and logging for it:

archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys

login on-failure log
login on-success log
logging userinfo

- Logging interface changes globally:

logging event trunk-status global
logging event link-status global

- Logging at the interface and SVI level:

interface X
 logging event trunk-status
 logging event spanning-tree
 logging event status

- Monitoring MAC moves, STP logging, IP SLA, NTP, etc.:

mac address-table notification mac-move
spanning-tree logging
ip sla logging traps
ip dhcp limit lease log
ip dhcp conflict logging
ip nat log translations syslog
xconnect logging pseudowire status
ntp logging
epm logging

- Logging ARP thresholds on the SVIs and interfaces:

interface X
 arp log threshold entries 2048

- Logging Trustsec:

cts sxp log binding-changes
cts logging verbose

- ACL Logging:

ip access-list logging hash-generation

- CPU and memory utilization logging:

process cpu threshold type total rising 80 interval 5
memory free low-watermark processor 20000
memory free low-watermark io 20000

- Smart Call Home:

ip http client source-interface vlan 100

service call-home
call-home
 contact-email-addr "katmac@katmac.com"
 site-id "Security Demo Lab"
 profile "Splunk"
  destination transport-method http
  destination address http http://10.1.100.20:847
  subscribe-to-alert-group diagnostic severity debug
  subscribe-to-alert-group environment severity debug
  subscribe-to-alert-group inventory
  subscribe-to-alert-group inventory periodic daily 22:30
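As an added example (my own code, not part of the original post or the Cisco Networks app), here is a small Python parser for the kind of syslog lines the IOS settings above produce: the sequence number from "service sequence-numbers", the msec/timezone/year timestamp from "service timestamps log", the %PARSER-5-CFGLOG_LOGGEDCMD lines from "archive"/"log config"/"notify syslog", and the %SEC_LOGIN-4-LOGIN_FAILED lines from "login on-failure log". The exact line layout is assumed from those settings, and the sample lines are constructed for this example (the mnemonics are standard IOS ones; the addresses, usernames and timestamps are made up). Beyond the settings themselves it shows two things worth checking on the collector side: a jump in the sequence numbers means messages were lost on the UDP transport configured here, and a leading "*" on the timestamp means the device clock was not authoritative, which matters when you correlate events across devices.

```python
"""Parse Cisco IOS syslog lines as shaped by 'service sequence-numbers' and
'service timestamps log datetime msec localtime show-timezone year', pull out
config-change and login-failure events, and detect sequence-number gaps."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed wire format: optional syslog <PRI>, sequence number, timestamp
# (a leading '*' or '.' means the device clock is not authoritative),
# then %FACILITY-SEVERITY-MNEMONIC: message text.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<seq>\d+): "
    r"(?P<unsync>[*.])?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3} \S+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# Mnemonics emitted by the archive/log config and login logging settings.
CONFIG_CHANGE = {("SYS", "CONFIG_I"), ("PARSER", "CFGLOG_LOGGEDCMD")}
LOGIN_FAILURE = {("SEC_LOGIN", "LOGIN_FAILED")}


@dataclass
class IosEvent:
    seq: int
    timestamp: str
    clock_synced: bool
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_line(line: str) -> Optional[IosEvent]:
    """Return an IosEvent for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return IosEvent(
        seq=int(m["seq"]),
        timestamp=m["ts"],
        clock_synced=m["unsync"] is None,
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
    )


def classify(ev: IosEvent) -> str:
    key = (ev.facility, ev.mnemonic)
    if key in CONFIG_CHANGE:
        return "config_change"
    if key in LOGIN_FAILURE:
        return "login_failure"
    return "other"


def find_sequence_gaps(events):
    """(expected, received) pairs wherever the sequence number jumped,
    i.e. where at least one message never reached the collector."""
    gaps, prev = [], None
    for ev in events:
        if prev is not None and ev.seq != prev + 1:
            gaps.append((prev + 1, ev.seq))
        prev = ev.seq
    return gaps


def summarize(lines):
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    return {
        "parsed": len(events),
        "config_changes": [ev.text for ev in events if classify(ev) == "config_change"],
        "login_failures": [ev.text for ev in events if classify(ev) == "login_failure"],
        "sequence_gaps": find_sequence_gaps(events),
        "unsynced_clock": [ev.seq for ev in events if not ev.clock_synced],
    }


# Constructed sample input: standard IOS mnemonics, made-up addresses,
# usernames and timestamps. Sequence 000103 is deliberately missing.
SAMPLE_LINES = [
    "<189>000101: Jan 14 2020 10:22:33.101 EST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.100.50)",
    "<189>000102: Jan 14 2020 10:22:35.412 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:logging host 10.1.100.20 transport udp port 514",
    "<188>000104: Jan 14 2020 10:23:01.007 EST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.1.100.77] [localport: 22] [Reason: Login Authentication Failed] at 10:23:01 EST Tue Jan 14 2020",
    "<187>000105: *Jan 14 2020 10:23:05.330 EST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down",
    "not a cisco line at all",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Running the block prints one line per summary key; on the constructed input it reports two config changes, one login failure, a gap between 103 and 104, and sequence 105 as coming from an unsynced clock.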

On the wireless controller, I configured Splunk as the syslog server under Management > Logs > Config as shown below, and ended up changing the syslog level to informational.

If you would like to configure the access points to send their syslog data to Splunk as well, I would recommend first making sure there is a DHCP reservation for the access points. After that's done, log into the wireless controller and issue the following command:

config ap syslog host global 10.1.100.20

This will push the configuration to the APs to send syslog data to Splunk. 

In Splunk, we are now going to configure the data sources. Go to Add Data and choose TCP/UDP. On the first page, configure the following:

  • UDP
  • Port: 514
  • Only accept connection from: hostname or IP of the device sending the syslog traffic

Click Next

On the next page, configure the following:

  • Source type: cisco:ios
  • Host: IP
  • Index: Default or whichever one you would like

Click Review and finish the configuration.

For the devices you configured for Call Home, you will go back to Add Data and under TCP/UDP, choose the following:

  • TCP
  • Port: 847 (Note: I chose this port at random and configured it above on the IOS devices. You could pick one of your own)
  • Only accept connection from: IP or hostname of the device sending the call home data

Click Next.

On the next page, configure the following:

  • Source type: Cisco:SmartCallHome
  • Host: IP
  • Index: Default or whichever index you created

Click Review and finish.
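As an added example (not from the original post or the Splunk add-on's own packaging), the same two inputs expressed as inputs.conf stanzas, which is what the Add Data wizard writes behind the scenes. The file location, the index name "main" and the 10.1.100.0/24 source network are assumptions for this example; "Only accept connection from" maps to acceptFrom and "Host: IP" maps to connection_host = ip.

```ini
# Example only: $SPLUNK_HOME/etc/system/local/inputs.conf (path assumed)

# Syslog from the IOS devices, WLC and APs
[udp://514]
sourcetype = cisco:ios
connection_host = ip
index = main
acceptFrom = 10.1.100.0/24

# Smart Call Home from the IOS devices (port chosen arbitrarily above)
[tcp://847]
sourcetype = Cisco:SmartCallHome
connection_host = ip
index = main
acceptFrom = 10.1.100.0/24
```

Keeping acceptFrom restricted to the management network does the same job as the "Only accept connection from" field: anything else that sends to these ports is dropped rather than indexed as if it came from one of your devices.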

After you finish configuring your data sources, go to the Cisco Networks app. You should now see data starting to populate on the dashboard.

As you can see, the data can easily be filtered by device type (IOS device, WLC, or AP) to quickly show a different view of each, as shown below.

Below is an example of the configuration change transactions as logged on Splunk: