Cisco Security apps not doing anything with my Cisco log data

mfrost8
Builder

Our networking team has sent us some of their syslog data from Cisco Nexus 7000 switches and Catalyst 6500 switches. I was expecting that I could point this into Splunk for Cisco Security and/or some of the other Splunk for Cisco apps. I'm finding that these apps don't do anything with these events.

The heart of the matter seems to be that the Splunk for Cisco apps all rely on setting sourcetypes either to do field extractions (like src_ip and dest_ip) or to use in searches/eventtypes. The sourcetype-setting things I see in the apps (most in the Cisco Firewalls app) set those sourcetypes based on the existence of a string in the event. My problem is that none of those strings exist in the events I have. Therefore no sourcetypes get set beyond what I set myself and the Cisco apps do nothing.

'%' strings that occur in the events I'm looking at are:

%AFLSEC-6-OALDP
%SEC-6-IPACCESSLOGP
%ACLLOG-6-ACLLOG_FLOW_INTERVAL
%SIBYTE-SW1_DFC9-4-SB_EXCESS_COLL

for instance. I don't believe any of these uniquely identify the device, but from what I can see, they're definitely security-related messages so I would think they'd be appropriate for the apps.

I'm trying to figure out how/if I can make the Splunk for Cisco apps useful for these events if possible.

Am I doing something wrong?

Thanks

1 Solution

mfrost8
Builder

The answer here ended up being that the info being loaded was what I believe were called "extended ACL data". That information is not recognized by any of the Cisco apps, either for field extractions or for any dashboards. We wrote our own field extractions for the data and will eventually create some dashboards.

FYI.
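As an added example (not code from the original post, and not from any of the Splunk for Cisco apps), here is the two-step approach the thread describes: assign a sourcetype from the %FACILITY-SEVERITY-MNEMONIC tag the way the apps do with their string matching, then run a per-sourcetype field extraction for the ACL log messages the apps do not recognize. The sourcetype names, the message body formats for %SEC-6-IPACCESSLOGP (IOS) and %ACLLOG-6-ACLLOG_FLOW_INTERVAL (NX-OS), and the sample events are assumptions made for the example; in Splunk the same regexes would go into props.conf/transforms.conf, and CIM names (src_ip, dest_ip, src_port, dest_port) are used so the extracted fields line up with what the apps' searches expect.

```python
"""Route Cisco syslog events to a sourcetype by their %FACILITY-SEVERITY-MNEMONIC
tag and extract src/dest fields from ACL-log messages.

Added example, not code from the original post or any Splunk Cisco app.
Sourcetype names, message formats and sample events are assumptions.
"""
import re
from typing import Optional

# Constructed sample events (not from the original post). Bodies follow the IOS
# %SEC-6-IPACCESSLOGP and NX-OS %ACLLOG-6-ACLLOG_FLOW_INTERVAL formats as assumed here.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 cat6500-core 1234: Jan 10 12:00:00.999: %SEC-6-IPACCESSLOGP: "
    "list 101 denied tcp 10.1.1.5(51234) -> 192.0.2.10(22), 1 packet",
    "Jan 10 12:00:02 n7k-agg %ACLLOG-6-ACLLOG_FLOW_INTERVAL: Src IP: 10.1.1.5, "
    "Dst IP: 192.0.2.10, Src Port: 51234, Dst Port: 22, Src Intf: Ethernet1/1, "
    'Protocol: "TCP"(6), Hit-count = 5',
    "Jan 10 12:00:03 cat6500-core %SIBYTE-SW1_DFC9-4-SB_EXCESS_COLL: "
    "Excessive collisions on port 9/1",
]

# %FACILITY-SEVERITY-MNEMONIC: the facility itself may contain hyphens
# (e.g. SIBYTE-SW1_DFC9), so match it non-greedily up to the "-<digit>-" part.
TAG_RE = re.compile(r"%(?P<facility>[A-Z0-9_\-]+?)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")

# Mnemonic -> sourcetype. These names are invented for the example; a real
# deployment would use whatever its props.conf/transforms.conf already assign.
SOURCETYPE_BY_MNEMONIC = {
    "IPACCESSLOGP": "cisco:ios:acl",
    "OALDP": "cisco:ios:acl",
    "ACLLOG_FLOW_INTERVAL": "cisco:nxos:acl",
}
DEFAULT_SOURCETYPE = "cisco:syslog"

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Per-sourcetype field extractions using CIM-style names (src_ip, dest_ip, ...).
EXTRACTIONS = {
    "cisco:ios:acl": re.compile(
        rf"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<transport>\w+) "
        rf"(?P<src_ip>{IPV4})\((?P<src_port>\d+)\) -> (?P<dest_ip>{IPV4})\((?P<dest_port>\d+)\), "
        rf"(?P<packets>\d+) packets?"
    ),
    "cisco:nxos:acl": re.compile(
        rf"Src IP: (?P<src_ip>{IPV4}), Dst IP: (?P<dest_ip>{IPV4}), "
        rf"Src Port: (?P<src_port>\d+), Dst Port: (?P<dest_port>\d+), "
        rf'Src Intf: (?P<src_interface>\S+), Protocol: "(?P<transport>\w+)"\(\d+\), '
        rf"Hit-count = (?P<packets>\d+)"
    ),
}


def parse_event(line: str) -> Optional[dict]:
    """Return a dict of fields for one raw syslog line, or None if it has no Cisco tag."""
    tag = TAG_RE.search(line)
    if tag is None:
        return None
    fields = {
        "facility": tag.group("facility"),
        "severity": int(tag.group("severity")),
        "mnemonic": tag.group("mnemonic"),
    }
    fields["sourcetype"] = SOURCETYPE_BY_MNEMONIC.get(fields["mnemonic"], DEFAULT_SOURCETYPE)
    # The message body is everything after the tag; apply the sourcetype's extraction to it.
    body = line[tag.end():]
    extractor = EXTRACTIONS.get(fields["sourcetype"])
    if extractor is not None:
        m = extractor.search(body)
        if m is not None:
            fields.update(m.groupdict())
        else:
            # Known sourcetype but an unexpected body: flag it instead of dropping it silently.
            fields["extraction_failed"] = True
    return fields


def parse_events(lines):
    """Parse many lines, skipping any without a %FACILITY-SEVERITY-MNEMONIC tag."""
    out = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is not None:
            out.append(parsed)
    return out


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_EVENTS):
        print(ev["sourcetype"], ev.get("src_ip", "-"), "->", ev.get("dest_ip", "-"),
              ev.get("action", ev["mnemonic"]))
```

Note that, as the question points out, the mnemonic says what kind of message it is, not which device sent it; if the dashboards need a per-platform split, the sourcetype has to come from the forwarder's input configuration or the host field, not from the message text. The `extraction_failed` flag is there so that a firmware change that alters the message body shows up as a visible gap in the data rather than as silently empty src_ip/dest_ip fields.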
