Getting Data In

Monitor cisco router interfaces- Is syslog enough or do I have to use snmp?

bizza
Path Finder

I'm looking for a way to monitor several routers and several interfaces (physical, tunnel...).
I need to extract status (up/down), latency, throughput, OSPF status, traffic (applications and/or ports used), etc.

Is syslog enough, or must I use SNMP?
Has anyone already used Splunk in this scenario?

Regards

1 Solution

dwaddle
SplunkTrust

At a bare minimum, you should have your Cisco routers sending syslog data to either Splunk directly or a Syslog server that has Splunk monitoring its logfiles. This will give you immediate access to various events such as interface up/down. And, IIRC, Cisco does include some syslog events around things like OSPF adjacency.

As joshd suggested, SNMP via a scripted input is a viable path to some of these measurements. Cisco exposes lots of data via the hundreds of SNMP MIBs supported by IOS. However, some data is a little more difficult to get at. Two good examples are latency and "traffic".

Concerning latency, typically a router does not know end-to-end latency of a specific path. This is just not in its area-of-knowledge, and could be difficult for a single router to know given asymmetric routing and other complications. To accurately measure latency requires something at each site that is actively measuring latency to its peer sites. Open source projects like SmokePing provide agents to accurately measure latency over a distributed network. It would take some effort to integrate SmokePing's measuring agents into Splunk, but it is possible.

For "traffic" -- I assume you mean you'd like to be able to get a reasonable accounting of the various sources and destinations of packets and the protocols/ports they are communicating on. Cisco's best tool for this job is usually Netflow. When configured properly, Cisco routers will send "flow event" records to a Netflow receiver, which can then be plugged in to Splunk. There is already a Splunk for Netflow app that has been developed to provide the necessary Splunk configs and dashboards for visualizing Netflow data.

bizza
Path Finder

Thank you dwaddle, I supposed the same things.
At work now 🙂


joshd
Builder

Quick and dirty... I would use specific snmpget commands or a generic snmpwalk as a scripted input inside of Splunk to index the stats every X minutes and then build your reports on that data. The snmpwalk will provide you a more generic way to pull data regardless of configuration changes on the device. I don't do this with my Cisco devices specifically, but with other devices I will do an snmpwalk like so:

snmpwalk -v 2c -c public 1.1.1.1 -O sQ system

This will return results like so:

sysDescr = "some string"

which easily allows for automatic mapping of fields to values, thus your reports are easily generated without any need for field extractions, etc.
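The scripted-input approach above, as an added example that is not from the thread: a Python script that walks IF-MIB's ifDescr and ifOperStatus with `snmpwalk -O sQ`, groups the rows by interface index and prints one key=value event per interface for Splunk to index. SAMPLE_WALK is constructed output; `router1` and the community string are placeholders, and the script assumes net-snmp's snmpwalk with the IF-MIB loaded so names, not numeric OIDs, are printed.

```python
"""Splunk scripted input: interface status via snmpwalk -O sQ (added example)."""
import re
import subprocess
import time

# Constructed sample of what `snmpwalk -O sQ <host> ifDescr` followed by
# `... ifOperStatus` prints with IF-MIB loaded: "object.index = value".
SAMPLE_WALK = """\
ifDescr.1 = GigabitEthernet0/0
ifDescr.2 = GigabitEthernet0/1
ifDescr.5 = Tunnel0
ifOperStatus.1 = up
ifOperStatus.2 = down
ifOperStatus.5 = up
"""

LINE_RE = re.compile(r'^(?P<obj>\w+)\.(?P<idx>\d+) = (?P<val>.*)$')


def parse_walk(text):
    """Group 'obj.idx = val' lines by interface index -> {idx: {obj: val}}."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip "No Such Object", blank or malformed lines
        rows.setdefault(int(m['idx']), {})[m['obj']] = m['val'].strip('"')
    return rows


def to_events(host, rows, ts=None):
    """One key=value line per interface, which Splunk auto-extracts as fields."""
    ts = ts or time.strftime('%Y-%m-%dT%H:%M:%S%z')
    return [f'{ts} host={host} ifIndex={idx} ifDescr="{r.get("ifDescr", "")}" '
            f'ifOperStatus={r.get("ifOperStatus", "unknown")}'
            for idx, r in sorted(rows.items())]


def walk(host, community, *objs):
    """Run one snmpwalk per object (snmpwalk takes a single OID) and join the output.
    SNMPv2c as in the thread; prefer -v 3 with authPriv users over a shared community."""
    out = []
    for obj in objs:
        cmd = ['snmpwalk', '-v', '2c', '-c', community, '-O', 'sQ', host, obj]
        out.append(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)
    return ''.join(out)


if __name__ == '__main__':
    # Real polling would be: parse_walk(walk('router1', 'COMMUNITY', 'ifDescr', 'ifOperStatus'))
    for ev in to_events('router1', parse_walk(SAMPLE_WALK), ts='2024-01-01T00:00:00+0000'):
        print(ev)
```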
