Getting Data In

How to add Cisco IOS network switches as an input?

dngadmin
New Member

Hi All,

I'm a Splunk newbie. Last night, while troubleshooting a network loop, I was advised by Cisco support to set up a logging server and to have all our switches dump their logs to this server on a regular basis. Without doing much looking, Splunk came to mind, as it is often brought up on a tech podcast I listen to. Fast forward to now: I've installed Splunk on a Windows Server 2008 R2 instance and added the Cisco apps, but now I'm not really sure how to get the switches sending their logs to the server. Are there any good walk-throughs out there I could follow?

Thanks

0 Karma

mikaelbje
Motivator

Hi,

Add a Data Input in Splunk through Settings - Data Inputs. Click UDP and type in port 514.

See the Help page of the Cisco Networks app for the specific settings for your switches.

You need both the Cisco Networks App as well as the Cisco Networks Add-on.

0 Karma

splunk_zen
Builder

Splunk recommends using a syslog server rather than using Splunk to listen on UDP.

0 Karma

mnatkin_splunk
Splunk Employee

Hello.

Cisco's IOS products support syslog as the network protocol over which logs are sent. There are two parts to the answer:

1) Configuring the IOS devices to send their logs. Refer to the Cisco documentation relevant to your devices for details. Generally, it's a matter of defining the syslog destination and the log level. An example may look something like this:

service timestamps log datetime
service timestamps debug datetime
service sequence-numbers
logging 169.254.123.234
logging trap 5

where 169.254.123.234 is your syslog server, and you're capturing NOTICE or higher log messages.

2) Configure a syslog server. Here, you have two choices:

    (1) Install and configure a stand-alone syslog server (such as rsyslog, syslog-ng, or Kiwi). Your Cisco devices will send their logs to this syslog server, which writes the files down to disk. A Splunk Universal Forwarder can grab the files from there. http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Monitorfilesanddirectories provides some decent insight on general file and directory monitoring. There are a few other Answers posts you may reference on this topic.

    (2) Configure Splunk to listen for syslog. You can configure a standard UDP input on port 514 for this (Splunk natively can listen for syslog). There's some great documentation on configuring this at http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Monitornetworkports and
    http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/HowSplunkEnterprisehandlessyslogdata

We generally recommend that customers use a syslog server, as it provides a framework for handling heterogeneous sourcetypes without a lot of effort. For relatively simple environments (limited sourcetypes), the syslog input is OK, too.

Best of luck in your endeavours!
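
Once the switches are sending, it is worth checking what actually arrives on UDP 514 against what the configuration above is supposed to produce. The following is an added example for this thread, not code from Splunk, Cisco or any poster. It parses Cisco IOS syslog lines in the shape produced by `service sequence-numbers` and `service timestamps log datetime` (an optional `<PRI>` prefix, a sequence number, a timestamp, then the `%FACILITY-SEVERITY-MNEMONIC: text` body) and flags two things a collector owner wants to notice: messages less severe than the `logging trap 5` threshold (meaning a device is not using the intended trap level) and messages whose `<PRI>` severity disagrees with the severity in the mnemonic tag. The sample lines are constructed; 169.254.123.234 is the placeholder host from the answer, and the facility default (local7) and message mnemonics are standard IOS values. The `logging origin-id` hostname prefix is assumed absent.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Syslog severity numbers; "logging trap 5" on IOS sends severities 0..5 only.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# The IOS message body: %FACILITY-SEVERITY-MNEMONIC: free text
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
PRI_RE = re.compile(r"^<(\d{1,3})>")   # RFC 3164 <PRI> prefix, PRI = facility*8 + severity
SEQ_RE = re.compile(r"^(\d+): ")       # added by "service sequence-numbers"


@dataclass
class IosEvent:
    pri_severity: Optional[int]  # severity taken from <PRI>, None if no PRI was present
    sequence: Optional[int]      # sequence number, None if the device does not send one
    timestamp: Optional[str]     # raw timestamp text added by "service timestamps log datetime"
    facility: str
    severity: int                # severity from the %FAC-SEV-MNEMONIC tag
    mnemonic: str
    text: str


def parse_ios_syslog(line: str) -> Optional[IosEvent]:
    """Parse one raw line as received on UDP 514. Returns None for non-IOS lines.
    Assumption: no "logging origin-id" hostname prefix is present."""
    m = MSG_RE.search(line)
    if not m:
        return None
    header = line[:m.start()]
    pri_severity = None
    pm = PRI_RE.match(header)
    if pm:
        pri = int(pm.group(1))
        if pri > 191:            # max facility 23, max severity 7
            return None
        pri_severity = pri % 8
        header = header[pm.end():]
    sequence = None
    sm = SEQ_RE.match(header)
    if sm:
        sequence = int(sm.group(1))
        header = header[sm.end():]
    # whatever remains between sequence number and body is the timestamp
    timestamp = header.strip().rstrip(":").strip() or None
    return IosEvent(pri_severity, sequence, timestamp, m.group("facility"),
                    int(m.group("severity")), m.group("mnemonic"), m.group("text"))


def parse_lines(lines: List[str]) -> List[IosEvent]:
    return [ev for ev in (parse_ios_syslog(l) for l in lines) if ev is not None]


def above_trap_level(events: List[IosEvent], trap_level: int = 5) -> List[IosEvent]:
    """Events less severe than the trap threshold: with "logging trap 5" the switch
    should never send them, so their presence means a device uses a different setting."""
    return [ev for ev in events if ev.severity > trap_level]


def pri_mismatches(events: List[IosEvent]) -> List[IosEvent]:
    """Events whose <PRI> severity disagrees with the %FAC-SEV-MNEMONIC tag. IOS derives
    both from the same severity, so a mismatch points at a relay rewriting PRI or at a
    sender that is not the device it appears to be."""
    return [ev for ev in events
            if ev.pri_severity is not None and ev.pri_severity != ev.severity]


def severity_counts(events: List[IosEvent]) -> Dict[int, int]:
    return dict(Counter(ev.severity for ev in events))


# Constructed sample lines in the format produced by the configuration above
# (PRI uses the IOS default facility local7 = 23, so PRI = 184 + severity).
SAMPLE_LINES = [
    "<189>000042: *Mar  1 18:46:11.321: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "<187>000043: *Mar  1 18:46:20.104: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down",
    "<189>000044: *Mar  1 18:46:22.550: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 10",
    # severity 6 should not arrive at all with "logging trap 5"
    "<190>000045: *Mar  1 18:46:23.001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 169.254.123.234 port 514 started - CLI initiated",
    # constructed inconsistency: PRI says severity 5, the tag says severity 4
    "<189>000046: *Mar  1 18:47:01.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "this line is not an IOS syslog message",
]

if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LINES)
    for sev, n in sorted(severity_counts(evs).items()):
        print(f"severity {sev} ({SEVERITY_NAMES[sev]}): {n}")
    for ev in above_trap_level(evs):
        print("above trap level:", ev.mnemonic)
    for ev in pri_mismatches(evs):
        print("PRI/severity mismatch:", ev.mnemonic)
```

Run against a file written by rsyslog or against the raw events Splunk indexes from the UDP input; on the constructed sample it reports one event above the trap level (the severity 6 `LOGGINGHOST_STARTSTOP`) and one PRI mismatch (the `LOGIN_FAILED` line).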

adonio
Ultra Champion

Hello there,
I don't remember off the top of my head the exact setting, but a quick search in your favorite search engine will probably get you results on how to enable logging on your switch. You will also want to open a port and point the data to your Windows Splunk IP or FQDN at that port.
From the Splunk perspective, open a port (enable listening) for the port your switch will send data through. Many times it will default to UDP 514.
Docs here:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports
Hope it helps.

0 Karma