
Cisco Security apps not doing anything with my Cisco log data


Our networking team has sent us some of their syslog data from Cisco Nexus 7000 switches and Catalyst 6500 switches. I was expecting that I could point this into Splunk for Cisco Security and/or some of the other Splunk for Cisco apps. I'm finding that these apps don't do anything with these events.

The heart of the matter seems to be that the Splunk for Cisco apps all rely on setting sourcetypes either to do field extractions (like srcip and destip) or to use in searches/eventtypes. The sourcetype-setting things I see in the apps (most in the Cisco Firewalls app) set those sourcetypes based on the existence of a string in the event. My problem is that none of those strings exist in the events I have. Therefore no sourcetypes get set beyond what I set myself and the Cisco apps do nothing.

'%' strings that occur in the events I'm looking at are:

%AFLSEC-6-OALDP
%SEC-6-IPACCESSLOGP
%ACLLOG-6-ACLLOGFLOWINTERVAL
%SIBYTE-SW1DFC9-4-SBEXCESS_COLL

for instance. I don't believe any of these uniquely identify the device, but from what I can see, they're definitely security-related messages so I would think they'd be appropriate for the apps.

I'm trying to figure out how/if I can make the Splunk for Cisco apps useful for these events if possible.

Am I doing something wrong?

Thanks


Re: Cisco Security apps not doing anything with my Cisco log data


The answer here ended up being that the information being loaded was what I believe is called "extended ACL data". That information is not recognized by any of the Cisco apps, either for field extractions or for any dashboards. We wrote our own field extractions for the data and will eventually create some dashboards.

FYI.

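As an added example (not code from the original question or answer, and not part of any Splunk for Cisco app), the following Python shows the two pieces the thread talks about: classifying an event by its %FACILITY-SEVERITY-MNEMONIC tag, and a regex field extraction for two of the ACL-log mnemonics listed in the question (%SEC-6-IPACCESSLOGP from IOS and %ACLLOG-6-ACLLOGFLOWINTERVAL from NX-OS). The sample log lines are constructed for this example to follow Cisco's documented layouts for those messages; field order can vary between releases, so check the regexes against your own data. The field names (src_ip, dest_ip, src_port, dest_port, action, protocol) and the sourcetype names are assumptions chosen here, not names the Cisco apps define; the third mnemonic (%SIBYTE-SW1DFC9-4-SBEXCESS_COLL) is included only to show that an unknown message is recognised but yields no extraction.

```python
import re

# Constructed sample lines (not from the original post). The first two follow
# Cisco's documented IOS IPACCESSLOGP and NX-OS ACLLOGFLOWINTERVAL layouts; the
# body of the third is a placeholder, since the post shows only its mnemonic.
SAMPLE_LINES = [
    "Mar 10 12:00:01 cat6500 123: %SEC-6-IPACCESSLOGP: list 102 denied tcp "
    "10.1.1.1(1234) -> 10.2.2.2(80), 1 packet",
    "2014 Mar 10 12:00:02 nexus7k %ACLLOG-6-ACLLOGFLOWINTERVAL: Src IP: 10.1.1.1, "
    "Dst IP: 10.2.2.2, Src Port: 1234, Dst Port: 80, Src Intf: Ethernet1/1, "
    'Protocol: "TCP"(6), Hit-count = 5',
    "Mar 10 12:00:03 cat6500 124: %SIBYTE-SW1DFC9-4-SBEXCESS_COLL: sample body (constructed)",
]

# Generic Cisco syslog tag: %FACILITY-SEVERITY-MNEMONIC. The facility is
# matched non-greedily because some tags carry a sub-facility (SIBYTE-SW1DFC9).
MNEMONIC_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_-]+?)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):"
)

# Named groups become field names, so the same pattern could be used in a
# props.conf EXTRACT-<name> stanza. Field names here are our own assumption.
IPACCESSLOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<protocol>\S+) (?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dest_ip>[\d.]+)\((?P<dest_port>\d+)\), (?P<packets>\d+) packets?"
)

ACLLOG_RE = re.compile(
    r"%ACLLOG-6-ACLLOGFLOWINTERVAL: Src IP: (?P<src_ip>[\d.]+), "
    r"Dst IP: (?P<dest_ip>[\d.]+), Src Port: (?P<src_port>\d+), "
    r"Dst Port: (?P<dest_port>\d+), Src Intf: (?P<src_intf>\S+), "
    r'Protocol: "(?P<protocol>[^"]+)"\((?P<proto_num>\d+)\), '
    r"Hit-count = (?P<packets>\d+)"
)

# Mnemonic -> (assumed custom sourcetype name, extraction regex). Both
# sourcetype names are hypothetical; pick whatever your own props.conf uses.
EXTRACTORS = {
    "IPACCESSLOGP": ("cisco:ios:acl", IPACCESSLOGP_RE),
    "ACLLOGFLOWINTERVAL": ("cisco:nxos:acl", ACLLOG_RE),
}


def classify(line):
    """Return (facility, severity, mnemonic) from the %...: tag, or None."""
    m = MNEMONIC_RE.search(line)
    if m is None:
        return None
    return m.group("facility"), int(m.group("severity")), m.group("mnemonic")


def extract_fields(line):
    """Return a dict of fields for a known ACL-log mnemonic, else None.

    Mirrors the Cisco apps' approach from the question: first decide the
    sourcetype from a string in the event, then apply that sourcetype's
    extraction. An event whose mnemonic has no extractor yields None.
    """
    tag = classify(line)
    if tag is None:
        return None
    facility, severity, mnemonic = tag
    entry = EXTRACTORS.get(mnemonic)
    if entry is None:
        return None
    sourcetype, regex = entry
    m = regex.search(line)
    if m is None:
        return None  # known mnemonic but an unexpected body layout
    fields = m.groupdict()
    fields.update(
        facility=facility, severity=severity, mnemonic=mnemonic, sourcetype=sourcetype
    )
    return fields


def run_all(lines=SAMPLE_LINES):
    """Classify and extract every line; returns a list of (tag, fields) pairs."""
    return [(classify(line), extract_fields(line)) for line in lines]


if __name__ == "__main__":
    for tag, fields in run_all():
        print(tag, fields)
```

Nothing here depends on Splunk; it is meant to be run against a file of your own events to confirm which mnemonics you actually receive and whether the regexes match their bodies before committing the patterns to a props.conf EXTRACT stanza. If a message type in your data never matches, that is the same situation the answer describes: the apps have no extraction for it, and one has to be written from the observed format.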