Solved: Re: Does Splunk Stream support Cisco's High Speed ...

edlarsen · ‎01-23-2017

Does Splunk Stream support Cisco's High Speed Logging (HSL) data input via a NetFlow v9 stream? How will Splunk Stream handle Cisco's High Speed Logging (HSL) "extension" to NetFlow v9?

Cisco ISR 4331 routers can not forward standard firewall logging data as syslog output and instead export this type of data as NetFlow template and data records. IS Splunk Stream capable of receiving and interpreting these types of NetFlow records? Is version 7.0.1 of Splunk Stream capable of receiving and correctly interpreting Netflow v.9 High Speed Logging (HSL) flow data generated by Cisco ISR 4331 routers? This use case for NetFlow can also be referred to as template-based or "flexible Netflow".

Thanks.

tpeveler_splunk · ‎01-30-2017

Splunk Stream v7.0 (https://splunkbase.splunk.com/app/1809/) supports vendor extensions to NetFlow and its a documented feature. However, the configuration details are currently not in the Stream documentation. You should be able to work with your Splunk account team to configure the Cisco extensions within Stream.

View solution in original post

aaraneta_splunk · ‎02-11-2017

@edlarsen - Did one of the answers below help answer your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

tpeveler_splunk · ‎01-30-2017

Splunk Stream v7.0 (https://splunkbase.splunk.com/app/1809/) supports vendor extensions to NetFlow and its a documented feature. However, the configuration details are currently not in the Stream documentation. You should be able to work with your Splunk account team to configure the Cisco extensions within Stream.

edlarsen · ‎01-30-2017

When I reviewed the latest documentation for Stream, I did take notice that IPFix extensions could be accommodated, but did not see the same statement made about extensions to NetFlow. If this is on fact a supported product capability of Stream v.7.x, it will certainly be one of the options we will want to consider.

edlarsen · ‎03-21-2017

Just a quick update: We are currently working to prototype this solution in our lab. More to come.

neutronscott · ‎09-15-2017

I want more. Where's the more? 🙂

edlarsen · ‎09-19-2017

For those who were waiting for more.... 😉

We did move beyond the lab prototyping phase with this solution and now have routers within approximately 90 offices forwarding HSL events into Splunk without issue.

dcavuto_splunk · ‎09-20-2017

Hi @edlarsen! I'm the PM for Stream, and while we've done some work with HSL in-house, we don't have a standard configuration that we recommend for the HSL vendor extensions.

Is that something you'd be willing to share with the community or directly with the Splunk team?

vshcherbakov_sp · ‎01-30-2017

Stream supports both Netflow v9 and IPFIX vendor extensions custom config. As @tpeveler mentioned, it's currently an advanced/manually implemented config work that requires Professional Services

NetFlow_Logic · ‎01-28-2017

I am with NetFlow Logic. We are a Splunk partner and do support HSL, if that's needed. You can find out more information about us by searching for 'HSL' in Splunkbase or reach out to me directly.

vshcherbakov_sp · ‎01-27-2017

I don't have much experience with HSL, but it appears to be an extension to the standard Netflow v9 protocol. Stream currently has limited capabilities to implement custom field mapping that requires Professional Services engagement, so I'd suggest talking to your account team about that.

Does Splunk Stream support Cisco's High Speed Logging (HSL) data input via a NetFlow v9 stream?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk