All Apps and Add-ons

Cisco ios apps

ashabc
Contributor

I have installed the Cisco Security Suite app. This app does not seem to have good IOS analysis capability. There is a cisco_ios app on Splunkbase, which is more specific to IOS analysis. However, the problem is that both do not work together, as they seem to have defined the same sourcetype.

Anyone using Cisco Security and cisco_ios at the same time? If yes, how? If not, is there any alternative?

1 Solution

ashabc
Contributor

OK, I got it working.
What I had to do is change the sourcetype in the props.conf file: change the section [CISCO:IOS] to something like [CISCO_IOS_].

And change the relevant section header in transforms.conf from [CISCO:IOS] to [CISCO_IOS_].

That's all I needed to change, and it now happily works with the Cisco Security apps.

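The conflict behind this thread is two apps shipping the same stanza name in props.conf or transforms.conf. The following script is an added example, not code from the thread or from either app: it walks $SPLUNK_HOME/etc/apps and reports every stanza that two or more apps define in the same conf file, so the clash can be found before (and verified gone after) a rename like [CISCO:IOS] to [CISCO_IOS_]. The SAMPLE_APPS conf text is constructed for the demonstration, and the case-insensitive comparison of stanza names is an assumption chosen to over-report rather than miss a hit.

```python
import os
import re
from collections import defaultdict

STANZA_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

def parse_stanzas(conf_text):
    """Return the stanza names in one .conf file (comment lines never match)."""
    return [m.group(1).strip() for m in map(STANZA_RE.match, conf_text.splitlines()) if m]

def find_conflicts(app_confs):
    """app_confs maps app name -> {conf file name: text}. Returns
    {(conf file, stanza): [apps]} for every stanza two or more apps define in
    the same conf file. Names are compared case-insensitively (assumption)."""
    owners = defaultdict(set)
    for app, confs in app_confs.items():
        for conf_name, text in confs.items():
            for stanza in parse_stanzas(text):
                owners[(conf_name, stanza.lower())].add(app)
    return {key: sorted(apps) for key, apps in owners.items() if len(apps) > 1}

def load_apps(splunk_home):
    """Collect default/ and local/ props.conf and transforms.conf for each app."""
    app_confs = {}
    apps_dir = os.path.join(splunk_home, "etc", "apps")
    for app in sorted(os.listdir(apps_dir)):
        confs = defaultdict(str)
        for sub in ("default", "local"):
            for conf_name in ("props.conf", "transforms.conf"):
                path = os.path.join(apps_dir, app, sub, conf_name)
                if os.path.isfile(path):
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        confs[conf_name] += fh.read() + "\n"
        if confs:
            app_confs[app] = dict(confs)
    return app_confs

# Constructed sample: two add-ons that both claim the cisco:ios sourcetype.
SAMPLE_APPS = {
    "cisco_security_suite": {"props.conf": "[cisco:ios]\nREPORT-fields = css_ios\n"},
    "cisco_ios_addon": {"props.conf": "# vendor add-on\n[CISCO:IOS]\nTRANSFORMS-x = ios_x\n",
                        "transforms.conf": "[ios_x]\nREGEX = .\n"},
}

if __name__ == "__main__":
    home = os.environ.get("SPLUNK_HOME")  # real install if set, else the sample
    hits = find_conflicts(load_apps(home)) if home else find_conflicts(SAMPLE_APPS)
    for (conf_name, stanza), apps in sorted(hits.items()):
        print(f"{conf_name}: [{stanza}] defined by {', '.join(apps)}")
```

Run it on a search head or indexer with SPLUNK_HOME set; an empty result after the rename confirms the two apps no longer overlap.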

karampudi1116
Engager

We have a Splunk Enterprise server on our platform, and I am sending all Cisco switch logs to the server.
The problem we are facing at the moment is that there are no hits on the Cisco app; can you please advise?

For the sourcetype I tried using all three: syslog, cisco:ios, cisco_ios. None of them worked.

Attached are the screenshots.

mikaelbje
Motivator

FYI: You should create a new question, not post an answer to an existing question.

I believe the problem you are facing is the fact that you do not have the Cisco Networks Add-on for Splunk installed on your search head and indexers. This would explain why we are not seeing any fields extracted. Either that, or you changed the permissions of the app's objects so they are not exported globally.

You need both the App and the Add-on on the search head. The indexer needs the Add-on.
You will need to restart the server after you install the apps/add-ons before they come into effect.

karampudi1116
Engager

We have a Splunk Enterprise server on our platform, and I am sending logs from our Cisco switches to the server.
The problem we are facing at the moment is that there are no hits on the Cisco app; can you please advise?

For the sourcetype I tried using all three: syslog, cisco:ios, cisco_ios. None of them worked.

mikaelbje
Motivator

If you run version 3.0 or later of the Cisco Security Suite this should no longer be an issue. I have both apps running on multiple customer installs without issues.


dclick
New Member

Can you offer up a bit more info on where these files are and exactly what they should contain? I find that most of the "add-ons" provided, especially where Cisco is concerned, LACK a lot of documentation that would help a first-timer/Splunk newbie.

ashabc
Contributor

Anyone any clue?
