Re: Cisco Config files

skibum · ‎06-12-2010

Looking to use splunk to compare my cisco router configuration files? Since it does not seem I can use the forwarder for changes, what are my options?

mikaelbje · ‎05-09-2014

This is a planned feature for the Cisco IOS app. In the meantime you can do the following:

On your Cisco device:

archive
 path ftp://USER:PASSWORD@YOUR.FTP.SERVER/cisco_backups/$h
 write-memory
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
!

An example Splunk input on your forwarder + FTP server:

[monitor:///ftproot/cisco_backups/*]
sourcetype = Cisco:IOS:Configuration
disabled = false

Make sure you have the Technology Add-on for Cisco IOS installed on your indexer/forwarder as it defines the Cisco:IOS:Configuration sourcetype stanza.

You can then use the built-in Splunk "diff" command to compare two versions

dwaddle · ‎06-15-2010

Comparing configuration files for network devices really isn't Splunk's strong suit. Splunk is designed to store, index, and search on mostly unstructured or semi-structured data.

You might consider something like RANCID http://www.shrubbery.net/rancid/ and integrating it into Splunk. RANCID does the job of logging into routers on a schedule and downloading configurations and other information, and comparing it to the last time RANCID was run. The results of RANCID's comparisons could easily be pushed into Splunk as log events and searched upon that way.

Cisco Config files

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation