I have installed the Cisco IOS app/TA and forwarded data from Cisco to the Splunk server, created a UDP input for port 514, but still don't see any data coming in?
Looks like I need to configure these apps a bit more to get it working. Does anyone have any idea how to go about it?
https://splunkbase.splunk.com/app/1467/#/details
Installation
Step 1: App installation
Install the Cisco Networks (cisco_ios) App on your search head
Install the Cisco Networks Add-on (TA-cisco_ios) on your search head AND indexers/heavy forwarders
Syslog input: Enable a UDP input with a custom port number on your Splunk forwarder or Splunk indexer. Set the sourcetype to cisco:ios or syslog
Smart Call Home input: Enable a TCP input with a custom port number on your Splunk forwarder or Splunk indexer. Set the sourcetype to Cisco:SmartCallHome
Step 2: Configure your Cisco devices
Cisco IOS
This includes all IOS variants. Not all commands are supported on all models.
Basic logging and timestamping
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service sequence-numbers
logging trap informational
logging host [YOUR SYSLOG/SPLUNK SERVER IP] transport udp port [YOUR UDP PORT]
Enable change auditing
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
!
login on-failure log
login on-success log
logging userinfo
!
Monitor interface changes
General
logging event trunk-status global
logging event link-status global
Interface level
logging event trunk-status
logging event spanning-tree
logging event status
MAC move notifications, STP logging, IP SLA logging etc.
mac address-table notification mac-move
spanning-tree logging
ip sla logging traps
ip dhcp limit lease log
ip dhcp conflict logging
ip nat log translations syslog
xconnect logging pseudowire status
ntp logging
epm logging
For DHCP utilization logging on your devices, do this for each pool
utilization mark high 80 log
For ARP threshold logging, do this on your SVIs and IP interfaces
arp log threshold entries 2048
TrustSec
If you are using Cisco TrustSec, add the following
cts sxp log binding-changes
cts logging verbose
ACL logging
General
Remember to add the log or log-input keyword to your access list entries if you want to enable access list logging
Access list correlation tags
ip access-list logging hash-generation
CPU and Memory Utilization logging
This generates CPU and memory notifications: CPU notifications if the CPU has been over 80% for more than 5 seconds, and memory notifications if free memory drops below 20000 KB.
process cpu threshold type total rising 80 interval 5
memory free low-watermark processor 20000
memory free low-watermark io 20000
Smart Call Home logging
Enabling Smart Call Home allows you to get extended device information from your devices at specific intervals.
ip http client source-interface [SOURCE INTERFACE]
!
service call-home
call-home
contact-email-addr [YOUR.EMAIL@ADDR.ESS]
site-id ["YOUR_SITE_NAME"]
profile "Splunk"
destination transport-method http
destination address http http://[YOUR SYSLOG/SPLUNK SERVER IP]:[YOUR SMART CALL HOME TCP PORT]
subscribe-to-alert-group diagnostic severity debug
subscribe-to-alert-group environment severity debug
subscribe-to-alert-group inventory
subscribe-to-alert-group inventory periodic daily 22:30
!
NX-OS
This includes all NX-OS variants. Not all commands are supported on all models.
Basic logging and timestamping
logging logfile messages 6
logging server [YOUR SYSLOG/SPLUNK SERVER IP] 6 use-vrf [YOUR MGMT VRF]
logging timestamp milliseconds
logging monitor 6
Enable change auditing
This feature is not supported on the NX-OS platform
Monitor interface changes
General
logging message interface type ethernet description
logging event link-status default
logging event trunk-status default
Interface level
logging event port link-status
logging event port trunk-status
MAC move notifications, STP logging, IP SLA logging etc.
mac address-table notification mac-move
ntp logging
ACL logging
General
Remember to add the log or log-input keyword to your access list entries if you want to enable access list logging
NX-OS ACL logging
logging level acllog 6
acllog match-log-level 6
logging logfile messages 6
Smart Call Home logging
Enabling Smart Call Home allows you to get extended device information from your devices at specific intervals.
callhome
site-id ["YOUR_SITE_NAME"]
email-contact [YOUR.EMAIL@ADDR.ESS]
phone-contact [YOUR PHONE NUMBER]
streetaddress S01
destination-profile Splunk
destination-profile Splunk format XML
destination-profile Splunk transport-method http
destination-profile Splunk http http://[YOUR SYSLOG/SPLUNK SERVER IP]:[YOUR SMART CALL HOME TCP PORT]
destination-profile Splunk alert-group Diagnostic
destination-profile Splunk alert-group EEM
destination-profile Splunk alert-group environmental
destination-profile Splunk alert-group inventory
destination-profile Splunk alert-group license
destination-profile Splunk alert-group linecard-hardware
destination-profile Splunk alert-group supervisor-hardware
destination-profile Splunk alert-group system
destination-profile Splunk alert-group test
transport http use-vrf [YOUR MGMT VRF]
enable
periodic-inventory notification interval 1
periodic-inventory notification timeofday 22:30
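As an added example (not code from this thread, nor from the Cisco Networks app or add-on), the Python script below parses the syslog lines an IOS device emits once the "service timestamps ... msec localtime show-timezone year" and "service sequence-numbers" commands above are in place, and it can bind the UDP port to confirm that datagrams are arriving at all, which is the first thing to establish before suspecting the app. The sample messages are constructed, not captured from a real device; the message tags and facility/severity values follow the documented %FACILITY-SEVERITY-MNEMONIC format and the IOS default of syslog facility local7. The listener assumes the Splunk UDP input is stopped while it runs, since two processes cannot share the port.

```python
"""Parse Cisco IOS syslog datagrams and sanity-check what a device sends.

Added example for the thread above. Sample lines are constructed, not
real device output. Handles:
  <PRI>           RFC 3164 priority (facility*8 + severity), IOS default local7
  000123:         sequence number from 'service sequence-numbers'
  *Jan  5 2024 10:22:33.123 UTC:  timestamp from 'service timestamps ...';
                  a leading '*' or '.' means the device clock is not
                  authoritative (no NTP sync), which makes event times unreliable
  %SYS-5-CONFIG_I: the FACILITY-SEVERITY-MNEMONIC tag the TA keys on
Not handled: hostname prefixes from 'logging origin-id' (not used on this page).
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

IOS_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                       # syslog priority, e.g. <189>
    r"(?:(?P<seq>\d+): )?"                             # sequence number, e.g. 000123:
    r"(?:(?P<clock>[*.])?"                             # clock-not-synced marker
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? "       # month, day, optional year
    r"\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?: [A-Z]{3,4})?): )?"  # time, msec, timezone
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)


@dataclass
class IosEvent:
    facility: str
    severity: int               # severity from the %FAC-SEV-MNEM tag
    mnemonic: str
    message: str
    sequence: Optional[int]
    timestamp: Optional[str]
    clock_synced: bool          # False when the timestamp carried '*' or '.'
    pri_severity: Optional[int]  # severity carried in the <PRI> header, if any


def parse_ios_syslog(line: str) -> Optional[IosEvent]:
    """Return the parsed event, or None if the line is not an IOS message."""
    m = IOS_RE.match(line.strip())
    if not m:
        return None
    pri = m.group("pri")
    return IosEvent(
        facility=m.group("fac"),
        severity=int(m.group("sev")),
        mnemonic=m.group("mnem"),
        message=m.group("msg"),
        sequence=int(m.group("seq")) if m.group("seq") else None,
        timestamp=m.group("ts"),
        clock_synced=m.group("clock") is None,
        pri_severity=int(pri) % 8 if pri else None,
    )


def check_events(lines: List[str], trap_level: int = 6) -> Dict[str, object]:
    """Summarise a batch of received lines against the expected device config.

    trap_level=6 matches 'logging trap informational': anything with a higher
    severity number (7 = debug) arriving means the device is not configured as
    the guide above describes.
    """
    summary: Dict[str, object] = {
        "parsed": 0, "unparsed": [], "clock_not_synced": 0,
        "above_trap_level": 0, "pri_mismatch": 0, "by_facility": {},
    }
    for line in lines:
        ev = parse_ios_syslog(line)
        if ev is None:
            summary["unparsed"].append(line)
            continue
        summary["parsed"] += 1
        if not ev.clock_synced:
            summary["clock_not_synced"] += 1
        if ev.severity > trap_level:
            summary["above_trap_level"] += 1
        if ev.pri_severity is not None and ev.pri_severity != ev.severity:
            summary["pri_mismatch"] += 1
        by_fac = summary["by_facility"]
        by_fac[ev.facility] = by_fac.get(ev.facility, 0) + 1
    return summary


def receive_udp(port: int, max_datagrams: int = 5, timeout: float = 30.0,
                bind_addr: str = "0.0.0.0") -> List[str]:
    """Bind the syslog UDP port and return the first datagrams as text.

    Stop the Splunk UDP input first (the port cannot be shared), and note that
    ports below 1024 need root. Zero datagrams within the timeout points at the
    device's 'logging host' line or a firewall, not at the Splunk app.
    """
    lines: List[str] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        s.settimeout(timeout)
        try:
            while len(lines) < max_datagrams:
                data, (src, _) = s.recvfrom(65535)
                lines.append(data.decode("utf-8", errors="replace"))
                print(f"datagram from {src}: {lines[-1]!r}")
        except socket.timeout:
            print(f"timed out after {timeout}s with {len(lines)} datagram(s)")
    return lines


# Constructed sample datagrams (facility local7 => PRI 184 + severity).
SAMPLE_LINES = [
    "<189>000123: Jan  5 2024 10:22:33.123 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "<187>000124: Jan  5 2024 10:22:40.501 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<190>000125: *Mar  1 00:00:05.000 UTC: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.50 port 514 started - CLI initiated",
    "<191>000126: Jan  5 2024 10:23:01.000 UTC: %SYS-7-USERLOG_DEBUG: Message from tty0(user: admin): test",
    "not a cisco line",
]

if __name__ == "__main__":
    print(check_events(SAMPLE_LINES))
    # Live check, run on the Splunk host with the UDP input stopped:
    # print(check_events(receive_udp(514)))
```

If receive_udp returns nothing, the problem is between the device and the server (the "logging host" line, the source interface, or a firewall), and no app or sourcetype setting will change that; if lines arrive but check_events reports them unparsed, the device is not sending the timestamp and tag format the TA expects, and if clock_not_synced is non-zero the device has no NTP source and its event times should not be trusted. Only once lines arrive and parse is it worth looking at the sourcetype on the Splunk UDP input (cisco:ios or syslog, as the steps above say).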
What sourcetype did you give your new UDP input?
It needs to be set to one of the following:
Please also provide a sample of one of your log lines. Search for it in Splunk.
If you don't see the event at all regardless of sourcetype you have an issue with your input, not the app.
Hi,
The error you are reporting does not look like an indication of a problem with the app, but an issue with your Splunk install. I suggest you create the necessary diag files and open a case with Splunk support.
This is what I have done:
- created a UDP input of sourcetype "syslog" for the Cisco device.
- installed the Cisco IOS app and TA.
I am getting the following error in the Splunk log:
Unable to fetch datamodelreport REST endpoint '/servicesNS/admin/cisco_ios/datamodel/pivot/Cisco_IOS_Event' from 'https://127.0.0.1:8089'
Socket error while accessing servicesNS/admins/cisco_ios/datamodel/pivot/Cisco_IOS_Event: Winsock error 10053
I do agree with you that it has to do with the input, but I don't know what/where. Even if I take the apps out of scope and try to just ingest the data from the switch, I can't.