- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Why would the source type cisco:ios not be getting...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
complete Splunk noob
Just installed a fresh splunk-6.2.1-245427-x64-release on a Win2012 GUI box and installed:
Cisco Networks (cisco_ios) 2.1.1
Cisco Networks Add-on (TA-cisco_ios) 2.1.0
When I try to configure as per the instructions:
Syslog input: Enable a UDP input with a custom port number on your Splunk forwarder or Splunk indexer. Set the sourcetype to cisco:ios or syslog
I dont get the cisco:ios option as a source type; the only cisco item is cisco:asa
Any ideas why this would happen and how to resolve it?
Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you do this through the web interface of your Splunk Enterprise instance then choose custom sourcetype and then add the string cisco:ios in the input field. Leave source as it is, only modify the sourcetype.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you do this through the web interface of your Splunk Enterprise instance then choose custom sourcetype and then add the string cisco:ios in the input field. Leave source as it is, only modify the sourcetype.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I did do that but wasn't sure if it would work. Haven't been able to get any data from the switches yet and thought that might be a cause.
Thanks for the info guys 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're still not getting any data, check if Splunk is actually listening on the port that you chose with "netstat -an | findstr PORTNUMBER" in the Windows command line.
The next step would be to check your Windows firewall, then any other firewalls in the network.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think he means in the inputs on your forwarder set the sourcetype to cisco:ios.
ie. in your inputs.conf on your uf.
[udp://somelisteningport]
disabled = 0
index = cisco
sourcetype = cisco:ios
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But I'm not using a forwarder, single server instance.
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
Detecting Remote Code Executions With the Splunk Threat Research Team
