All Apps and Add-ons

Does Splunk Stream support Cisco's High Speed Logging (HSL) data input via a NetFlow v9 stream?

edlarsen
New Member

Does Splunk Stream support Cisco's High Speed Logging (HSL) data input via a NetFlow v9 stream? How will Splunk Stream handle Cisco's High Speed Logging (HSL) "extension" to NetFlow v9?

Cisco ISR 4331 routers can not forward standard firewall logging data as syslog output and instead export this type of data as NetFlow template and data records. IS Splunk Stream capable of receiving and interpreting these types of NetFlow records? Is version 7.0.1 of Splunk Stream capable of receiving and correctly interpreting Netflow v.9 High Speed Logging (HSL) flow data generated by Cisco ISR 4331 routers? This use case for NetFlow can also be referred to as template-based or "flexible Netflow".

Thanks.

0 Karma
1 Solution

tpeveler_splunk
Splunk Employee
Splunk Employee

Splunk Stream v7.0 (https://splunkbase.splunk.com/app/1809/) supports vendor extensions to NetFlow and its a documented feature. However, the configuration details are currently not in the Stream documentation. You should be able to work with your Splunk account team to configure the Cisco extensions within Stream.

View solution in original post

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@edlarsen - Did one of the answers below help answer your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

tpeveler_splunk
Splunk Employee
Splunk Employee

Splunk Stream v7.0 (https://splunkbase.splunk.com/app/1809/) supports vendor extensions to NetFlow and its a documented feature. However, the configuration details are currently not in the Stream documentation. You should be able to work with your Splunk account team to configure the Cisco extensions within Stream.

0 Karma

edlarsen
New Member

When I reviewed the latest documentation for Stream, I did take notice that IPFix extensions could be accommodated, but did not see the same statement made about extensions to NetFlow. If this is on fact a supported product capability of Stream v.7.x, it will certainly be one of the options we will want to consider.

0 Karma

edlarsen
New Member

Just a quick update: We are currently working to prototype this solution in our lab. More to come.

0 Karma

neutronscott
New Member

I want more. Where's the more? 🙂

0 Karma

edlarsen
New Member

For those who were waiting for more.... 😉

We did move beyond the lab prototyping phase with this solution and now have routers within approximately 90 offices forwarding HSL events into Splunk without issue.

0 Karma

dcavuto_splunk
Splunk Employee
Splunk Employee

Hi @edlarsen! I'm the PM for Stream, and while we've done some work with HSL in-house, we don't have a standard configuration that we recommend for the HSL vendor extensions.

Is that something you'd be willing to share with the community or directly with the Splunk team?

0 Karma

vshcherbakov_sp
Splunk Employee
Splunk Employee

Stream supports both Netflow v9 and IPFIX vendor extensions custom config. As @tpeveler mentioned, it's currently an advanced/manually implemented config work that requires Professional Services

0 Karma

NetFlow_Logic
Contributor

I am with NetFlow Logic. We are a Splunk partner and do support HSL, if that's needed. You can find out more information about us by searching for 'HSL' in Splunkbase or reach out to me directly.

0 Karma

vshcherbakov_sp
Splunk Employee
Splunk Employee

I don't have much experience with HSL, but it appears to be an extension to the standard Netflow v9 protocol. Stream currently has limited capabilities to implement custom field mapping that requires Professional Services engagement, so I'd suggest talking to your account team about that.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...