Cisco ios apps

ashabc
Contributor

I have installed the Cisco Security Suite app. This app does not seem to have good IOS analysis capability. There is a cisco_ios app on Splunkbase, which is more specific to IOS analysis. However, the problem is that the two do not work together, as they seem to have defined the same sourcetype.

Is anyone using Cisco Security and cisco_IOS at the same time? If yes, how? If not, is there any alternative?

0 Karma
1 Solution

ashabc
Contributor

OK, I got it working.
What I had to do was change the sourcetype in the props.conf file: change the section [CISCO:IOS] to something like [CISCO_IOS_].

And change the relevant section header in transforms.conf from [CISCO:IOS] to [CISCO_IOS_].

That's all I needed to change, and it now happily works with the Cisco security apps.

0 Karma
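
An added example, not part of the original post and not code from either app: a check for the conflict described above, reporting props.conf stanzas that more than one app defines. The app names and file contents in `SAMPLE` are constructed, and the `<app>/default|local/props.conf` layout read by `load_apps` is an assumption about the install.

```python
import re
from collections import defaultdict
from pathlib import Path

# A stanza header is a whole line of the form [name]; comment lines never match.
STANZA = re.compile(r"^\[([^\]]+)\]\s*$")

def stanzas(conf_text):
    """Return the set of stanza names found in the body of a .conf file."""
    names = set()
    for line in conf_text.splitlines():
        m = STANZA.match(line.strip())
        if m:
            names.add(m.group(1))
    return names

def find_collisions(conf_by_app):
    """Map stanza name -> sorted app names, for stanzas defined by 2+ apps."""
    owners = defaultdict(set)
    for app, text in conf_by_app.items():
        for name in stanzas(text):
            owners[name].add(app)
    return {n: sorted(a) for n, a in owners.items() if len(a) > 1}

def load_apps(apps_dir, conf_name="props.conf"):
    """Read <app>/default|local/<conf_name> for every app under apps_dir."""
    found = defaultdict(str)
    for path in Path(apps_dir).glob(f"*/*/{conf_name}"):
        if path.parent.name in ("default", "local"):
            found[path.parent.parent.name] += path.read_text(errors="replace") + "\n"
    return dict(found)

# Constructed sample: two hypothetical apps that both claim [CISCO:IOS].
SAMPLE = {
    "app_a": "[CISCO:IOS]\nREPORT-a = a_fields\n\n[app_a:other]\nSHOULD_LINEMERGE = false\n",
    "app_b": "# [commented:out]\n[CISCO:IOS]\nREPORT-b = b_fields\n",
}

if __name__ == "__main__":
    for name, apps in find_collisions(SAMPLE).items():
        print(f"[{name}] is defined by: {', '.join(apps)}")
```

Pointing `load_apps` at the apps directory of an instance and passing the result to `find_collisions` lists the shared stanzas before either app is edited.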

karampudi1116
Engager

We have a Splunk Enterprise server on our platform and I am sending all Cisco switch logs to the server.
The problem we are facing at the moment is that there are no hits in the Cisco app. Can you please advise?

For the sourcetype, I tried all three: syslog, cisco:ios, cisco_ios. None of them worked.

Attached are the screenshots.

0 Karma

mikaelbje
Motivator

FYI: You should create a new question, not post an answer to an existing question.

I believe the problem you are facing is the fact that you do not have the Cisco Networks Add-On for Splunk installed on your search head and indexers. This would explain why we are not seeing any fields extracted. Either that or you changed the permissions of the app's objects to not be exported globally.

You need both the App and Add-on on the search head. The indexer needs the Add-on.
You will need to restart the server after you install the apps/add-ons before they come into effect.

0 Karma

karampudi1116
Engager

We have a Splunk Enterprise server on our platform and I am sending logs from our Cisco switches to the server.
The problem we are facing at the moment is that there are no hits in the Cisco app. Can you please advise?

For the sourcetype, I tried all three: syslog, cisco:ios, cisco_ios. None of them worked.

0 Karma

mikaelbje
Motivator

If you run version 3.0 or later of the Cisco Security Suite this should no longer be an issue. I have both apps running on multiple customer installs without issues.

0 Karma

dclick
New Member

Can you offer up a bit more info on where these files are and exactly what they should contain? I find that most of the "addons" provided, especially where Cisco is concerned, LACK a lot of documentation that will help a first-timer/Splunk newbie.

0 Karma

ashabc
Contributor

Anyone any clue?

0 Karma