Our networking team has sent us some of their syslog data from Cisco Nexus 7000 switches and Catalyst 6500 switches. I was expecting that I could point this into Splunk for Cisco Security and/or some of the other Splunk for Cisco apps. I'm finding that these apps don't do anything with these events.
The heart of the matter seems to be that the Splunk for Cisco apps all rely on setting sourcetypes, either to do field extractions (like srcip and destip) or to use in searches/eventtypes. The sourcetype-setting things I see in the apps (most of them in the Cisco Firewalls app) set those sourcetypes based on the existence of a string in the event. My problem is that none of those strings exist in the events I have. Therefore no sourcetypes get set beyond what I set myself, and the Cisco apps do nothing.
The '%' strings that occur in the events I'm looking at are:
The answer here ended up being that the info being loaded was what I believe is called "extended ACL data". That information is not recognized by any of the Cisco apps, either for field extractions or for any dashboards. We wrote our own field extractions for the data and will eventually create some dashboards.
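To make the mechanism concrete, here is an added example (my code, not from the original question, the answer, or the Splunk for Cisco apps) that emulates the two stages the question describes: an ordered list of content-match rules that assigns a sourcetype the way a props.conf/transforms.conf TRANSFORMS chain does, and per-sourcetype regex field extractions for the ACL log messages. The `%ASA-` rule is an illustrative stand-in for the firewall app's own rules; the sourcetype names `cisco:ios:acl` and `cisco:nxos:acl` are mine; the sample events are constructed, and their layout follows the IOS `%SEC-6-IPACCESSLOG*` and NX-OS `%ACLLOG-5-ACLLOG_FLOW_INTERVAL` messages as I know them, so check the spacing against your own data. Running it shows the ACL events falling through to the default sourcetype under the app-style rule alone, and being classified and parsed once our rules are added.

```python
import re

# Constructed sample events (not from the original post). Formats follow
# Cisco IOS ACL logging and NX-OS ACL logging messages as I know them;
# treat exact spacing/wording as an assumption to verify against real data.
SAMPLE_EVENTS = [
    'Mar  3 10:15:02 cat6500-core 12345: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 198.51.100.23(44512) -> 10.0.5.10(22), 3 packets',
    'Mar  3 10:15:04 cat6500-core 12346: %SEC-6-IPACCESSLOGDP: list EDGE-IN denied icmp 198.51.100.23 -> 10.0.5.10 (8/0), 1 packet',
    'Mar  3 10:15:07 n7k-dist %ACLLOG-5-ACLLOG_FLOW_INTERVAL: Src IP: 10.0.7.44, Dst IP: 10.0.5.10, Src Port: 51022, Dst Port: 443, Src Intf: Ethernet1/3, Protocol: "TCP"(6), Hit-count = 12',
    'Mar  3 10:15:09 fw-edge %ASA-4-106023: Deny tcp src outside:203.0.113.9/4433 dst inside:10.0.5.10/3389 by access-group "OUTSIDE_IN"',
]

# Stage 1: sourcetype assignment by string/regex match on the raw event.
# In Splunk this is a transforms.conf stanza applied via TRANSFORMS- in
# props.conf, e.g. (assumed layout, not copied from the apps):
#   [set_st_cisco_ios_acl]
#   REGEX    = %SEC-6-IPACCESSLOG[A-Z]*:
#   FORMAT   = sourcetype::cisco:ios:acl
#   DEST_KEY = MetaData:Sourcetype
# First matching rule wins; no match leaves the default sourcetype.
APP_ONLY_RULES = [
    # Illustrative stand-in for the Cisco Firewalls app's rules: they key on
    # firewall message prefixes, which never appear in switch ACL logs.
    (re.compile(r"%(?:ASA|PIX|FWSM)-\d-\d+:"), "cisco:asa"),
]
OUR_RULES = [
    (re.compile(r"%SEC-6-IPACCESSLOG[A-Z]*:"), "cisco:ios:acl"),           # Catalyst/IOS ACL log (assumed name)
    (re.compile(r"%ACLLOG-\d-ACLLOG_FLOW_INTERVAL:"), "cisco:nxos:acl"),   # Nexus/NX-OS ACL log (assumed name)
]
SOURCETYPE_RULES = APP_ONLY_RULES + OUR_RULES


def assign_sourcetype(event, rules=SOURCETYPE_RULES, default="syslog"):
    """Return the sourcetype of the first rule whose regex matches, else the default."""
    for pattern, sourcetype in rules:
        if pattern.search(event):
            return sourcetype
    return default


# Stage 2: per-sourcetype field extraction (EXTRACT-/REPORT- in props.conf).
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
EXTRACTORS = {
    # One regex covers IPACCESSLOGP (TCP/UDP with ports) and IPACCESSLOGDP
    # (ICMP: no ports, trailing "(type/code)"), so ports are optional.
    "cisco:ios:acl": re.compile(
        rf"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<protocol>\S+) "
        rf"(?P<src_ip>{IP})(?:\((?P<src_port>\d+)\))? -> "
        rf"(?P<dest_ip>{IP})(?:\((?P<dest_port>\d+)\))?"
        rf"(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?, (?P<packets>\d+) packets?"
    ),
    # NX-OS flow-interval message; as I know it, it carries no permit/deny
    # verdict, so no "action" field is extracted here.
    "cisco:nxos:acl": re.compile(
        rf'Src IP: (?P<src_ip>{IP}), Dst IP: (?P<dest_ip>{IP}), '
        rf'Src Port: (?P<src_port>\d+), Dst Port: (?P<dest_port>\d+), '
        rf'Src Intf: (?P<src_intf>\S+), Protocol: "(?P<protocol>[^"]+)"\((?P<protocol_num>\d+)\), '
        rf'Hit-count = (?P<packets>\d+)'
    ),
}


def extract_fields(event, sourcetype):
    """Return the named groups for this sourcetype's regex; {} if none applies or it misses."""
    pattern = EXTRACTORS.get(sourcetype)
    if pattern is None:
        return {}
    match = pattern.search(event)
    if match is None:
        return {}
    return {k: v for k, v in match.groupdict().items() if v is not None}


def process(events, rules=SOURCETYPE_RULES):
    """Classify and extract each event, returning one dict per event."""
    results = []
    for event in events:
        sourcetype = assign_sourcetype(event, rules)
        results.append({"sourcetype": sourcetype, **extract_fields(event, sourcetype)})
    return results


if __name__ == "__main__":
    # The original problem: with only the app-style rule, the ACL events stay "syslog".
    for event in SAMPLE_EVENTS:
        print(f"{assign_sourcetype(event, APP_ONLY_RULES):10} -> {assign_sourcetype(event)}")
    for result in process(SAMPLE_EVENTS):
        print(result)
```

The same regexes can be pasted into transforms.conf as `REGEX` (the `(?P<name>...)` groups become extracted fields) once the sourcetype stanza routes the switch events to them.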