I have installed the Cisco Security Suite app. This app does not seem to have good IOS analysis capability. There is a cisco_ios app on Splunkbase which is more specific to IOS analysis. However, the problem is that both do not work together, as they seem to have defined the same sourcetype.
Anyone using Cisco Security and cisco_IOS at the same time? If yes, how? If not, is there any alternative?
OK, I got it working.
What I had to do is change the sourcetype in the props.conf file: change the section [CISCO:IOS] to something like [CISCO_IOS_].
And change the relevant section header in transforms.conf from [CISCO:IOS] to [CISCO_IOS_].
That's all I needed to change, and it now happily works with the Cisco Security apps.
We have a Splunk Enterprise server on our platform and I am sending all Cisco switch logs to the server.
The problem we are facing at the moment is there are no hits on the Cisco app; can you please advise.
The sourcetypes I tried: all three of syslog, cisco:ios, cisco_ios. None of them worked.
Attached are the screenshots.
FYI: You should create a new question, not post an answer to an existing question.
I believe the problem you are facing is the fact that you do not have the Cisco Networks Add-On for Splunk installed on your search head and indexers. This would explain why we are not seeing any fields extracted. Either that or you changed the permissions of the app's objects to not be exported globally.
You need both the App and Add-on on the search head. The indexer needs the Add-on.
You will need to restart the server after you install the apps/add-ons before they come into effect.
If you run version 3.0 or later of the Cisco Security Suite this should no longer be an issue. I have both apps running on multiple customer installs without issues.
Can you offer up a bit more info on where these files are and exactly what they should contain? I find that most of the "addons" provided, especially where Cisco is concerned, LACK a lot of documentation that would help a first-timer/Splunk newbie.
Anyone any clue?