All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cisco ios apps

ashabc
Contributor
‎11-01-2013 03:59 PM

I have installed cisco security suite apps. This apps does not seem to have good ios analysis capability. There is a cisco_ios apps in splunk base, which is more secific to IOS analysis. However, the problem is both does not work together as they seem to have defined same sourcetype.

Anyone using cisco security and cisco_IOS at the same time? If yes, how? If not, if there any alternative?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ashabc
Contributor
‎11-09-2013 02:04 AM

OK i got it working.
what I had to do is change the sourcetype in the props.con file change the section [CISCO:IOS] to something like [CISCO_IOS_]

And change the relevant section section header in transform.conf from [CISCO:IOS] to [CISCO_IOS_].

Thats all I needed to change and it now happily works with Cisco security apps.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

karampudi1116
Engager
‎07-28-2015 09:50 AM

We have splunk Enterprise server on our platform and i am sending all cisco switches log to the server.
The problem we are facing at the moment is there are no hits on the cisco APP , can you please advise.

the sourcetype i tried using all three syslog , cisco:ios , cisco_ios . none of them worked.

attached are the screen shots
alt text

alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

mikaelbje
Motivator
‎07-29-2015 01:32 AM

FYI: You should create a new question, not post an answer to an existing question.

I believe the problem you are facing is the fact that you do not have the Cisco Networks Add-On for Splunk installed on your search head and indexers. This would explain why we are not seeing any fields extracted. Either that or you changed the permissions of the app's objects to not be exported globally.

You need both the App and Add-on on the search head. The indexer needs to Add-on.
You will need to restart the server after you install the apps/add-ons before they come into effect

0 Karma
Reply
Solved! Jump to solution

karampudi1116
Engager
‎07-28-2015 09:46 AM

We have splunk Enterprise server on our platform and i am sending from our cisco switches log to the server.
The problem we are facing at the moment is there are no hits on the cisco APP , can you please advise.

the sourcetype i tried using all three syslog , cisco:ios , cisco_ios . none of them worked.

0 Karma
Reply
Solved! Jump to solution

mikaelbje
Motivator
‎04-17-2014 01:58 AM

If you run version 3.0 or later of the Cisco Security Suite this should no longer be an issue. I have both apps running on multiple customer installs without issues.

0 Karma
Reply
Solved! Jump to solution

dclick
New Member
‎02-28-2014 06:06 AM

can you offer up a bit more info on where these files are and exactly what they should contain? I find that most of the "addons" provided, especially where Cisco is concerned, LACK alot of documentation that will help a first timer/splunk newbie.

0 Karma
Reply
Solved! Jump to solution
Solution

ashabc
Contributor
‎11-09-2013 02:04 AM

OK i got it working.
what I had to do is change the sourcetype in the props.con file change the section [CISCO:IOS] to something like [CISCO_IOS_]

And change the relevant section section header in transform.conf from [CISCO:IOS] to [CISCO_IOS_].

Thats all I needed to change and it now happily works with Cisco security apps.

0 Karma
Reply
Solved! Jump to solution

ashabc
Contributor
‎11-05-2013 04:23 AM

Anyone any clue?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...