Getting Data In

Cisco switch not showing logs on Splunk Server

pgadhari
Builder

Hi Experts,

I have configured my Splunk server as a receiver on port 9997 and my Unix/Linux UFs are forwarding data properly to the Splunk server. My Cisco 6500 switch is configured to send logs to this Splunk server on TCP port 9997, but I cannot see any logs on the Splunk server from the switch.
Please help me resolve the following issues:

  1. How can I check whether the logs are received by the Splunk server?
  2. Do I need to configure any port other than 9997 to receive logs from the Cisco switch?

Thanks
Pankaj


Ayn
Legend

The data you're sending on port 9997 from your UF's is in a format that's very specific to Splunk and is only used for forwarding logs from a Splunk instance (like a forwarder) to another Splunk instance. Your Cisco switches, on the other hand, are probably sending syslog which is a completely different format. In order to receive this, you need to set up a port in Splunk for receiving raw TCP or UDP data (depending on if you're sending TCP or UDP from your switches) and then redirect your switches to send to that port instead. Syslog data is commonly sent to port 514.
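To make the distinction concrete, here is an added inputs.conf example (not from the original thread) showing the Splunk-to-Splunk receiver on 9997 beside a raw syslog listener; the index name is a placeholder and the sourcetype choice is an assumption:

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf (added example, not from the thread)

# Splunk-to-Splunk receiver: only Splunk forwarders (UF/HF) speak this
# "cooked" protocol. Raw syslog arriving here is not indexed as events.
[splunktcp://9997]
disabled = 0

# Raw syslog input for the switch. Syslog is commonly UDP/514; use whichever
# transport the switch is configured to send.
[udp://514]
sourcetype = syslog             # built-in sourcetype; assumption: fine for IOS messages
index = network                 # placeholder index name; create it first or omit to use main
connection_host = ip            # record the sending device's IP as the host field
no_appending_timestamp = true   # the switch already stamps each line (UDP-only setting)

# Equivalent listener if the switch is configured for syslog over TCP instead
[tcp://514]
sourcetype = syslog
index = network
connection_host = ip
```

After restarting Splunk, confirm receipt with a search such as `index=network sourcetype=syslog | stats count by host`; note that binding to a port below 1024 requires Splunk to run with sufficient privileges on Linux.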

Ayn
Legend

No, that is beyond the scope of a simple splunkbase answer I think. It's OK to ask specific questions about specific problems but for very generic "step-by-step" requests like this I think the better option is to dive into the problem yourself first of all and come back if you've encountered specific problems.

pgadhari
Builder

Thanks Ayn for your reply. I figured out that and now I am able to see the logs from my cisco devices. I enabled udp 9997 on my splunk server and configured cisco switch/firewall to send logs to Splunk.

Now, I want to know what reports and dashboards I can create using the syslogs from Cisco switches/firewalls. Actually, I want to generate an event correlation use case to show to my management. For that, I have added one application environment which includes one web, app and DB server's OS logs, as well as network and firewall logs. Can you guide me to generate a use case from the application level to the server level, including the network, wherein I can show some event correlation? Any ideas?

Thanks Pankaj
