
Cisco Security apps not doing anything with my Cisco log data

mfrost8
Builder

Our networking team has sent us some of their syslog data from Cisco Nexus 7000 switches and Catalyst 6500 switches. I was expecting that I could point this into Splunk for Cisco Security and/or some of the other Splunk for Cisco apps. I'm finding that these apps don't do anything with these events.

The heart of the matter seems to be that the Splunk for Cisco apps all rely on setting sourcetypes either to do field extractions (like src_ip and dest_ip) or to use in searches/eventtypes. The sourcetype-setting things I see in the apps (most in the Cisco Firewalls app) set those sourcetypes based on the existence of a string in the event. My problem is that none of those strings exist in the events I have. Therefore no sourcetypes get set beyond what I set myself and the Cisco apps do nothing.

'%' strings that occur in the events I'm looking at are:

%AFLSEC-6-OALDP
%SEC-6-IPACCESSLOGP
%ACLLOG-6-ACLLOG_FLOW_INTERVAL
%SIBYTE-SW1_DFC9-4-SB_EXCESS_COLL

for instance. I don't believe any of these uniquely identify the device, but from what I can see, they're definitely security-related messages so I would think they'd be appropriate for the apps.

I'm trying to figure out how/if I can make the Splunk for Cisco apps useful for these events if possible.

Am I doing something wrong?

Thanks

1 Solution

mfrost8
Builder

The answer here ended up being that the info being loaded was what I believe is called "extended ACL data". That information is not recognized by any of the Cisco apps, either for field extractions or for any dashboards. We wrote our own field extractions for the data and will eventually create some dashboards.

FYI.
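The thread describes two mechanisms: the apps assign a sourcetype only when a known literal string (a Cisco message ID such as %SEC-6-IPACCESSLOGP) appears in the event, and field extractions such as src_ip and dest_ip then hang off that sourcetype. The module below is an added example, not code from this thread or from the Splunk for Cisco apps, that reproduces both steps offline so the regexes can be tested against sample lines before they are copied into props.conf and transforms.conf. The sourcetype names, the three sample syslog lines and the SIBYTE message body are constructed for the example; the %SEC-6-IPACCESSLOGP and %ACLLOG-6-ACLLOG_FLOW_INTERVAL body layouts follow the IOS and NX-OS formats as the author of this example understands them and should be verified against real events before the regexes are deployed.

```python
"""Sourcetype routing and field extraction for Cisco IOS / NX-OS syslog.

Added example: stands in for a transforms.conf sourcetype rule (literal string
match) and props.conf EXTRACT- regexes. Sourcetype names and samples are constructed.
"""
import re
from typing import Dict, List

# Every Cisco syslog message carries %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC:,
# e.g. %SEC-6-IPACCESSLOGP or %SIBYTE-SW1_DFC9-4-SB_EXCESS_COLL.
CISCO_HEADER_RE = re.compile(
    r"%(?P<facility>[A-Z0-9]+)(?:-(?P<subfacility>[A-Z0-9_]+))?"
    r"-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<body>.*)$"
)

# IOS ACL log body (assumed format):
#   list 101 denied tcp 192.0.2.10(44321) -> 198.51.100.5(22), 1 packet
# "(<interface> <mac>)" may follow the source when the ACE uses log-input.
IPACCESSLOGP_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\)(?: \([^)]*\))? -> "
    r"(?P<dest_ip>[\d.]+)\((?P<dest_port>\d+)\), (?P<packets>\d+) packets?"
)

# NX-OS ACL log body (assumed format) is "Key: value, Key: value, ...";
# map the keys we care about onto the same field names the IOS parser emits.
NXOS_KEYS = {
    "Src IP": "src_ip", "Dst IP": "dest_ip", "Src Port": "src_port",
    "Dst Port": "dest_port", "Src Intf": "src_interface", "Protocol": "proto",
    "ACL Name": "acl", "ACE Action": "action", "Hit-count": "packets",
}
NXOS_KV_RE = re.compile(r"([\w -]+?):\s*([^,]+)")

# Normalise vendor wording to CIM-style action values.
ACTION_MAP = {"denied": "blocked", "deny": "blocked",
              "permitted": "allowed", "permit": "allowed"}

# Literal-string routing, first match wins. Sourcetype names are hypothetical.
SOURCETYPE_RULES = [
    ("%SEC-6-IPACCESSLOGP", "cisco:ios:acl"),
    ("%ACLLOG-6-ACLLOG_FLOW_INTERVAL", "cisco:nxos:acl"),
]
DEFAULT_SOURCETYPE = "cisco:syslog"


def assign_sourcetype(line: str) -> str:
    """Same idea as a transforms.conf sourcetype rule: substring present or not."""
    for needle, sourcetype in SOURCETYPE_RULES:
        if needle in line:
            return sourcetype
    return DEFAULT_SOURCETYPE


def parse_ios_acl(body: str) -> Dict[str, str]:
    m = IPACCESSLOGP_RE.match(body)
    if not m:
        return {}
    fields = m.groupdict()
    fields["action"] = ACTION_MAP[fields["action"]]
    fields["proto"] = fields["proto"].lower()
    return fields


def parse_nxos_acl(body: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for key, value in NXOS_KV_RE.findall(body):
        name = NXOS_KEYS.get(key.strip())
        if name is None:
            continue
        value = value.strip()
        if name == "proto":  # '"TCP"(6)' -> 'tcp'
            proto = re.match(r'"?([A-Za-z]+)', value)
            value = proto.group(1).lower() if proto else value
        elif name == "action":
            value = ACTION_MAP.get(value.lower(), value.lower())
        fields[name] = value
    return fields


EXTRACTORS = {"IPACCESSLOGP": parse_ios_acl, "ACLLOG_FLOW_INTERVAL": parse_nxos_acl}


def parse_event(line: str) -> Dict[str, str]:
    """Return sourcetype, header fields and any message-specific fields."""
    event = {"sourcetype": assign_sourcetype(line)}
    m = CISCO_HEADER_RE.search(line)
    if not m:
        return event  # not a Cisco-formatted message; routed only
    header = m.groupdict()
    body = header.pop("body")
    event.update({k: v for k, v in header.items() if v is not None})
    extractor = EXTRACTORS.get(header["mnemonic"])
    if extractor:
        event.update(extractor(body))
    return event


def parse_events(lines: List[str]) -> List[Dict[str, str]]:
    return [parse_event(line) for line in lines]


# Constructed sample lines covering the message IDs mentioned in the thread.
SAMPLE_EVENTS = [
    "Jun  5 10:12:33 core-sw1 1234: *Jun  5 10:12:32.991: %SEC-6-IPACCESSLOGP: "
    "list 101 denied tcp 192.0.2.10(44321) -> 198.51.100.5(22), 1 packet",
    "2014 Mar 10 09:15:01 n7k-a %ACLLOG-6-ACLLOG_FLOW_INTERVAL: Src IP: 192.0.2.20, "
    "Dst IP: 198.51.100.9, Src Port: 51000, Dst Port: 443, Src Intf: Ethernet1/1, "
    'Protocol: "TCP"(6), ACL Name: edge-in, ACE Action: Deny, Appl Intf: Ethernet1/1, Hit-count: 7',
    "Jun  5 10:12:40 core-sw1 1235: *Jun  5 10:12:39.100: %SIBYTE-SW1_DFC9-4-SB_EXCESS_COLL: "
    "Excessive collisions on port 3",
]

if __name__ == "__main__":
    for event in parse_events(SAMPLE_EVENTS):
        print(event)
```

Running the module prints one dict per sample line; the SIBYTE event gets only the header fields and the fallback sourcetype, which is exactly the "apps do nothing" situation from the question, because no routing rule knows its message ID. Once a regex behaves on real events, the same pattern can go into a props.conf EXTRACT- stanza unchanged, since Splunk's PCRE accepts the (?P<name>...) named-group syntax used here.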


