Hello, firstly let me say thanks for making such a great app available.
I've set up "Technology Add-On for Cisco IOS" and "Cisco IOS" on a test server. I get data on UDP 514, and it is collecting events from devices. However, I'm not able to get information such as device models, serials, CDP, etc. How do I configure this app in order to get those parameters populated?
TIA
Hi!
Thanks for your feedback. The best way to thank me is to give the apps a rating on apps.splunk.com 🙂
Currently the app supports receiving data from two sources:
It does not support getting CDP info as this is info you normally need to get through SNMP, however if you have Nexus devices, discovered CDP neighbors are in fact logged as syslog events, but this only happens when they are connected, so you won't get any data from already connected devices. The traditional Catalyst series don't log discovered CDP neighbors.
I am currently working on a Splunk App for Cisco Prime Infrastructure as well, and this will support getting extended device information from devices as well as details about their interfaces, CDP/LLDP neighbors etc. This app will fit together with the Cisco IOS app. It will also support getting the same kind of information from other device types in Cisco Prime Infrastructure such as ASAs.
I do not have an ETA on the Cisco Prime Infrastructure app yet, but you can get some device info from your devices by doing the following:
1.1. Add a new TCP data input on a port of your choice, set sourcetype to Cisco:SmartCallHome
Make sure this input resolves hostnames if your UDP 514 input also resolves hostnames as the hostname/IP is what we use to join the data sources.
service call-home
call-home
 contact-email-addr YOUR.EMAIL@ADDR.ESS
 site-id "YOUR_SITE_NAME"
 profile "Splunk"
  destination transport-method http
  destination address http http://SPLUNK.SERVER.IP:TCP_PORT_FROM_1.2
  subscribe-to-alert-group diagnostic severity debug
  subscribe-to-alert-group environment severity debug
  subscribe-to-alert-group inventory
You need a fairly recent IOS version for Smart Call Home support. Also note that Catalyst 2960 series and below are not able to schedule Call Home events, so you will not get daily updates for these switches.
If you need to send Smart Call Home events from a specific source interface on your switch you will also need:
ip http client source-interface InterfaceName1
If you want to send a Smart Call Home event immediately, issue the following on your switch:
call-home send alert-group inventory
To check if the events were received, issue a search for sourcetype=Cisco:SmartCallHome
Let me know how it goes 🙂 I will make some refinements to the app in the near future to make this work even better.
Unable to display information from the SFP module such as Tx power and temperature on Cisco 4948.
Call-home got activated.
Please help.
Thank you.
Hi Skodovec,
The transceiver power and temperature panels in the dashboard do not require call-home.
You need a DOM compatible SFP and the SFP temp/power has to go above or below its threshold value before you see anything in this dashboard.
You will see a graph in those panels if you receive an event with
sourcetype=cisco:ios facility=SFF8472 mnemonic=THRESHOLD_VIOLATION
There are a few examples here: https://supportforums.cisco.com/discussion/11558006/cat-4500-showing-error-sff8472-5-thresholdviolat...
The app does not poll the device for any data which means it doesn't display any values if your device hasn't logged them.
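As an added example (not part of the thread and not the add-on's own extraction code): a small parser that splits the standard IOS message header `%FACILITY-SEVERITY-MNEMONIC:` out of raw syslog lines and reports which lines would satisfy the `facility=SFF8472 mnemonic=THRESHOLD_VIOLATION` search above. The sample lines are constructed, and the layout of the threshold message text is assumed from those samples.

```python
import re
from collections import Counter

# IOS message body: %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: text
IOS_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9_]+)*?)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# Assumed layout of the threshold text, taken from the constructed samples below.
DETAIL = re.compile(
    r"(?P<port>\S+):\s*(?P<sensor>.+?)\s+(?P<level>high|low)\s+"
    r"(?P<kind>alarm|warning);\s*Operating value:\s*"
    r"(?P<value>-?[\d.]+)\s*(?P<unit>\S+),"
)

# Constructed sample syslog lines (not captured from a real device).
SAMPLE = [
    "<189>45: sw1: Mar  1 00:12:01: %SFF8472-5-THRESHOLD_VIOLATION: Gi1/1: "
    "Rx power low alarm; Operating value: -40.0 dBm, Threshold value: -30.0 dBm.",
    "<189>46: sw1: Mar  1 00:14:09: %SFF8472-5-THRESHOLD_VIOLATION: Te1/49: "
    "Temperature high warning; Operating value: 71.5 C, Threshold value: 70.0 C.",
    "<187>47: sw1: Mar  1 00:15:30: %LINK-3-UPDOWN: Interface Gi1/1, changed state to up",
    "<188>48: sw2: Mar  1 00:16:02: %C6KPWR-SP-4-DISABLED: power to module in slot 3 set off",
    "<190>49: sw2: Mar  1 00:16:40: last message repeated 2 times",
]

def parse(line):
    """Return facility/severity/mnemonic/text for an IOS message, else None."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])
    return ev

def threshold_events(lines):
    """Events that would match facility=SFF8472 mnemonic=THRESHOLD_VIOLATION."""
    out = []
    for line in lines:
        ev = parse(line)
        if not ev or (ev["facility"], ev["mnemonic"]) != ("SFF8472", "THRESHOLD_VIOLATION"):
            continue
        d = DETAIL.match(ev["text"])
        if d:  # unknown text layouts keep only the header fields and raw text
            ev.update(d.groupdict(), value=float(d["value"]))
        out.append(ev)
    return out

def inventory(lines):
    """Count (facility, mnemonic) pairs to see what the devices actually log."""
    return Counter((e["facility"], e["mnemonic"]) for e in map(parse, lines) if e)
```

If `inventory()` over a capture of your UDP 514 traffic shows no `("SFF8472", "THRESHOLD_VIOLATION")` entry, the device has not logged a threshold crossing and the panels have nothing to draw.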
Something else you could do is use event neighbor discovery, as part of the Embedded Event Manager (EEM).
http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/command/reference/nm_book/nm_06.html#wp1181238
Sorry I can't elaborate, I haven't used it personally, but apparently you can do quite a bit with it.
Yep, EEM is an option, but not supported on all models. For 3750 at least you need the IP base license. 2960 is a no go.
Hi @mikaelbje - What if we run "show cdp neighbor" on Cisco network appliance & capture it using scripted inputs? This is what we are doing in Cisco Nexus 9K.
Sure, that works. However a standardized way to capture the format of the scripted inputs needs to be defined if I'd add support for this in the app. Not all users want their Splunk servers to poll their devices.
Any further progress on Cisco Prime? I have a client that has a very large Prime install base. The current TA when set to sourcetype=cisco:ios doesn't resolve much; while I do get more fields than when set to syslog, I'm grasping at straws on what I should be extracting.
Great to hear that you are working on a Cisco Prime Infrastructure app.