Does Splunk Stream support Cisco's High Speed Logging (HSL) data input via a NetFlow v9 stream? How will Splunk Stream handle Cisco's High Speed Logging (HSL) "extension" to NetFlow v9?
Cisco ISR 4331 routers cannot forward standard firewall logging data as syslog output and instead export this type of data as NetFlow template and data records. Is Splunk Stream capable of receiving and interpreting these types of NetFlow records? Is version 7.0.1 of Splunk Stream capable of receiving and correctly interpreting NetFlow v9 High Speed Logging (HSL) flow data generated by Cisco ISR 4331 routers? This use case for NetFlow can also be referred to as template-based or "flexible NetFlow".
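The template-based export the question describes, as an added illustration that is not from this thread, from Splunk or from Cisco: a minimal NetFlow v9 parser in Python that caches a template FlowSet and then decodes a data FlowSet with it. The packet is constructed, and field type 40000 is a placeholder standing in for a vendor-extension field (not a real HSL field id); the parser can slice such a field by the length the template gives but cannot name it, which is exactly the gap a custom field mapping has to fill.

```python
import socket
import struct

# Standard NetFlow v9 field types (RFC 3954) this parser can name.
KNOWN = {4: "protocol", 7: "l4_src_port", 8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}

def decode(ftype, raw):
    # IPv4 fields dotted, other known fields as ints, unmapped (vendor) fields kept as raw hex.
    if ftype in (8, 12):
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big") if ftype in KNOWN else raw.hex()

def parse_v9(packet, templates):
    # templates: {(source_id, template_id): [(type, len), ...]}, carried across packets
    # because a data FlowSet may arrive before the template that describes it.
    version, _count, _up, _secs, _seq, src = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9: {version}")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("bad FlowSet length")
        body, pos = packet[off + 4:off + fs_len], 0
        if fs_id == 0:  # template FlowSet, may carry several templates
            while pos + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[pos:pos + 4])
                templates[(src, tid)] = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(n)]
                pos += 4 + 4 * n
        elif fs_id >= 256:  # data FlowSet, decoded with the cached template
            fields = templates.get((src, fs_id))
            if fields is None:
                records.append({"template_id": fs_id, "error": "template not yet seen"})
            rec_len = sum(l for _, l in fields or [])
            while fields and rec_len and pos + rec_len <= len(body):  # leftover bytes are padding
                rec = {}
                for ftype, flen in fields:
                    rec[KNOWN.get(ftype, f"unmapped_type_{ftype}")] = decode(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        off += fs_len
    return records

def build_sample():
    # Constructed export packet (not a real ISR capture): template 256 with four
    # standard fields plus type 40000, a placeholder standing in for a vendor extension.
    spec = [(8, 4), (12, 4), (7, 2), (11, 2), (40000, 4)]
    tmpl = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", t, l) for t, l in spec)
    rec = socket.inet_aton("10.1.1.5") + socket.inet_aton("192.0.2.8") + struct.pack("!HH", 51234, 443) + bytes.fromhex("00000007")
    hdr = struct.pack("!HHIIII", 9, 2, 1000, 1700000000, 1, 42)
    return hdr + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(rec)) + rec
```

Feeding the same packet with its template FlowSet stripped returns a record flagged "template not yet seen", which is how a collector behaves until the router re-exports its templates.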
I don't have much experience with HSL, but it appears to be an extension to the standard Netflow v9 protocol. Stream currently has limited capabilities to implement custom field mapping that requires Professional Services engagement, so I'd suggest talking to your account team about that.
I am with NetFlow Logic. We are a Splunk partner and do support HSL, if that's needed. You can find out more information about us by searching for 'HSL' in Splunkbase or reach out to me directly.
Splunk Stream v7.0 (https://splunkbase.splunk.com/app/1809/) supports vendor extensions to NetFlow and it's a documented feature. However, the configuration details are currently not in the Stream documentation. You should be able to work with your Splunk account team to configure the Cisco extensions within Stream.
When I reviewed the latest documentation for Stream, I did take notice that IPFIX extensions could be accommodated, but did not see the same statement made about extensions to NetFlow. If this is in fact a supported product capability of Stream v.7.x, it will certainly be one of the options we will want to consider.
Stream supports both NetFlow v9 and IPFIX vendor extensions custom config. As @tpeveler mentioned, it's currently an advanced/manually implemented config work that requires Professional Services.
Just a quick update: We are currently working to prototype this solution in our lab. More to come.
For those who were waiting for more.... 😉
We did move beyond the lab prototyping phase with this solution and now have routers within approximately 90 offices forwarding HSL events into Splunk without issue.
Hi @edlarsen! I'm the PM for Stream, and while we've done some work with HSL in-house, we don't have a standard configuration that we recommend for the HSL vendor extensions.
Is that something you'd be willing to share with the community or directly with the Splunk team?