Cisco Switch Data

mcrist3
Explorer

Hello,

We have multiple Cisco Switches that are configured to send logs to Splunk. When comparing the logs on the switch and the logs in Splunk, they do not match up. Splunk does not seem to catch all of the logs, and seems to miss entries in large chunks, and it does not seem to be any single type of entry. I've searched by the IP of the switch and the information in the log thinking that it might have been mislabeled, but it is not in Splunk at all.

We have our switches set up to log at an informational level. This is happening across most switches in our environments - not all logs are entering Splunk. Is this a known issue?


Thanks!

0 Karma

richgalloway
SplunkTrust

How does the data get from the switches to Splunk? Are they sent via syslog? Do the events go directly to Splunk or to a syslog server? Are they sent using TCP or UDP? Some configurations are more likely to lead to data loss than others.

Another possibility is the data is getting to Splunk, but is onboarded poorly so events cannot be located.

---
If this reply helps you, Karma would be appreciated.

mcrist3
Explorer

We have the switches configured to send via Kiwi syslog - the syslog server is also installed on the Splunk server. We have the Data Inputs in Splunk listening on 514 TCP and UDP, with a source type of syslog. TCP is also listening on 601 with a source type of cisco_syslog.

The switch shows (show logging command):

Syslog logging: enabled
Trap Logging Informational, 245 message lines logged
Logging to <Splunk/KiwiIP> (udp port 514, audit disabled, link up)
...
Logging to <Splunk/KiwiIP> (tcp port 601, audit disabled, link up)
...

0 Karma
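The comparison described in the question, done programmatically rather than by eye. This is an added example, not code from the thread, from Splunk or from Cisco. It assumes the switches run `service sequence-numbers`, so every message carries a counter and a lost run shows up as a numeric gap; without that, only the text comparison applies. The `show logging` excerpt and the Splunk `_raw` lines are constructed, the latter in the tab-separated layout a Kiwi log file would have.

```python
"""Compare a Cisco switch's log buffer with what Splunk indexed.

Added example, not code from the thread, Splunk or Cisco. Assumes the
switches run 'service sequence-numbers', so every message carries a
counter and gaps can be located; without it only the text comparison
below applies. All sample lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# The Cisco message proper: %FACILITY-SEVERITY-MNEMONIC: text
CISCO_MSG = re.compile(r"%[A-Z][A-Z0-9_]*-[0-7]-[A-Z0-9_]+:")
# Sequence number: digits and a colon at line start, after whitespace, or
# after the syslog PRI's '>'. Timestamp fields never match because their
# 'NN:' groups are followed by a digit, not by whitespace.
SEQ_NUM = re.compile(r"(?:^|[\s>])(\d{1,10}):\s")


def parse_cisco(line: str) -> Optional[Tuple[Optional[int], str]]:
    """(sequence or None, normalised message), or None when the line has
    no Cisco message. Keyed on the %FAC-SEV-MNEMONIC token, so it takes
    'show logging' lines, raw syslog datagrams and Kiwi/Splunk _raw alike."""
    m = CISCO_MSG.search(line)
    if not m:
        return None
    s = SEQ_NUM.search(line, 0, m.start())
    return (int(s.group(1)) if s else None), " ".join(line[m.start():].split())


def sequence_gaps(seqs: Iterable[int]) -> List[Tuple[int, int]]:
    """Missing ranges between the lowest and highest sequence seen. A run
    lost at the very end is invisible here (missing_messages catches it)."""
    present = sorted(set(seqs))
    return [(a + 1, b - 1) for a, b in zip(present, present[1:]) if b - a > 1]


def missing_messages(switch_lines: Iterable[str], splunk_lines: Iterable[str]) -> List[str]:
    """Switch-buffer messages with no counterpart in Splunk, matched on the
    normalised text so collector prefixes (PRI, Kiwi columns, Splunk host)
    do not matter. Identical texts are matched by count, not collapsed."""
    held = Counter(p[1] for p in map(parse_cisco, splunk_lines) if p)
    missing = []
    for p in map(parse_cisco, switch_lines):
        if not p:
            continue
        seq, msg = p
        if held[msg] > 0:
            held[msg] -= 1
        else:
            missing.append(f"{seq}: {msg}" if seq is not None else msg)
    return missing


def check(switch_buffer: str, splunk_raw: str) -> Dict[str, object]:
    """Message counts on both sides, sequence gaps in what Splunk holds,
    and the switch messages Splunk does not have."""
    switch, splunk = switch_buffer.splitlines(), splunk_raw.splitlines()
    held = [p for p in map(parse_cisco, splunk) if p]
    return {
        "switch_count": sum(1 for line in switch if parse_cisco(line)),
        "splunk_count": len(held),
        "gaps": sequence_gaps(s for s, _ in held if s is not None),
        "missing": missing_messages(switch, splunk),
    }


# Constructed 'show logging' excerpt; the leading counter is what 'service
# sequence-numbers' prepends. Entry 108 repeats 101's text on purpose.
SWITCH_BUFFER = """\
    Trap logging: level informational, 8 message lines logged
000101: *Mar  1 00:10:01.120: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)
000102: *Mar  1 00:10:05.331: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
000103: *Mar  1 00:10:06.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
000104: *Mar  1 00:10:09.410: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
000105: *Mar  1 00:10:10.019: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
000106: *Mar  1 00:11:40.500: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.77] [localport: 22] [Reason: Login Authentication Failed]
000107: *Mar  1 00:11:52.778: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.9] [localport: 22]
000108: *Mar  1 00:13:00.900: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)
"""

# Constructed Splunk _raw lines in the tab-separated layout of a Kiwi log
# file (date, time, facility.severity, sender, message); 104-106 are absent.
SPLUNK_RAW = """\
2024-05-01 10:10:01\tLocal7.Notice\t10.0.0.5\t000101: *Mar  1 00:10:01.120: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)
2024-05-01 10:10:05\tLocal7.Error\t10.0.0.5\t000102: *Mar  1 00:10:05.331: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
2024-05-01 10:10:06\tLocal7.Notice\t10.0.0.5\t000103: *Mar  1 00:10:06.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
2024-05-01 10:11:52\tLocal7.Notice\t10.0.0.5\t000107: *Mar  1 00:11:52.778: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.9] [localport: 22]
2024-05-01 10:13:00\tLocal7.Notice\t10.0.0.5\t000108: *Mar  1 00:13:00.900: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)
"""

if __name__ == "__main__":
    result = check(SWITCH_BUFFER, SPLUNK_RAW)
    print(f"switch logged {result['switch_count']}, Splunk holds {result['splunk_count']}")
    for lo, hi in result["gaps"]:
        print(f"sequence gap on the Splunk side: {lo}-{hi}")
    for msg in result["missing"]:
        print("not in Splunk:", msg)
```

In practice, feed `SPLUNK_RAW` from a search over the switch's host or IP with `_raw` exported, and `SWITCH_BUFFER` from `show logging` captured at the same time. A gap list that starts and ends inside the buffer window points at loss in transit (UDP drops, a listener that was down); a buffer count matching the switch's "message lines logged" while Splunk holds fewer, with no gaps in what Splunk has, points at the tail being lost or at events indexed under a different host or index.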

richgalloway
SplunkTrust

Sending syslog directly to Splunk is discouraged. Best Practice is to have the syslog server write the data to disk files and have Splunk monitor those files. Another option is to use the Splunk Connect for Syslog (SC4S) app.

---
If this reply helps you, Karma would be appreciated.
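A check for the change recommended in this reply, added here as an example rather than code from the thread or from Splunk: it reads inputs.conf stanzas, flags syslog listeners that live inside splunkd, and shows the file-based layout beside the current one. The stanzas for the current setup are reconstructed from the ports and sourcetypes given earlier in the thread; the Kiwi log directory, the one-directory-per-switch layout, `index = network` and the host regex are assumptions for illustration. One practical reason the file-based layout matters in this thread's setup: Kiwi and splunkd sit on the same machine and are both configured for port 514, and two listeners on one host do not both receive every datagram sent to that port, so one of the two configurations is not doing what it appears to.

```python
"""Audit a Splunk inputs.conf for syslog received straight into splunkd.

Added example, not from the thread or from Splunk. Flags [udp://...],
[tcp://...] and [tcp-ssl:...] listeners and checks that file monitors
name a sourcetype and a host source. Both configs are constructed; the
Kiwi log path, the directory-per-switch layout and the index name are
assumptions for illustration.
"""
import configparser
from typing import List, Tuple

NETWORK_STANZAS = ("udp://", "tcp://", "tcp-ssl:")

# Constructed: the listeners the thread describes, as inputs.conf stanzas.
DIRECT_INPUTS = """
[udp://514]
sourcetype = syslog
connection_host = ip

[tcp://514]
sourcetype = syslog
connection_host = ip

[tcp://601]
sourcetype = cisco_syslog
connection_host = ip
"""

# Constructed: the file-based replacement. The syslog server keeps the
# network listeners and writes one directory per sending host (assumed
# layout); splunkd only tails the files and takes the host from the path.
FILE_INPUTS = r"""
[monitor://C:\Program Files (x86)\Syslogd\Logs\*\*.txt]
sourcetype = cisco_syslog
index = network
host_regex = ([^\\]+)\\[^\\]+$
disabled = 0
"""


def load_inputs(text: str) -> configparser.ConfigParser:
    """Parse inputs.conf text; no interpolation, since values may hold '%'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return cp


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (stanza, finding) pairs; an empty list means nothing to fix."""
    cp = load_inputs(text)
    findings: List[Tuple[str, str]] = []
    for stanza in cp.sections():
        opts = cp[stanza]
        if opts.get("disabled", "0").strip().lower() in ("1", "true"):
            continue
        if stanza.startswith(NETWORK_STANZAS):
            proto = stanza.split(":", 1)[0]
            findings.append((stanza, f"{proto} syslog listener inside splunkd: while "
                                     "splunkd is restarting the port is closed and nothing "
                                     "is spooled; let the syslog server own the port and "
                                     "monitor the files it writes"))
            if proto == "udp":
                findings.append((stanza, "UDP: no delivery guarantee and no back-pressure, "
                                         "so bursts beyond the socket buffer drop silently"))
        elif stanza.startswith("monitor://"):
            if "sourcetype" not in opts:
                findings.append((stanza, "no sourcetype set; Splunk will guess one per file"))
            if not {"host", "host_regex", "host_segment"} & set(opts):
                findings.append((stanza, "no host override; host defaults to the machine "
                                         "reading the file unless the sourcetype's props "
                                         "extract it, so searching by switch IP finds nothing"))
    return findings


if __name__ == "__main__":
    for label, text in (("current", DIRECT_INPUTS), ("file-based", FILE_INPUTS)):
        print(f"== {label}: {len(audit(text))} finding(s)")
        for stanza, finding in audit(text):
            print(f"[{stanza}] {finding}")
```

Point `audit` at the merged view from `splunk btool inputs list` (or at each app's `local/inputs.conf`) to see every listener that is actually live, including ones configured in an app other than the one being edited. The host check is the one that matters for the "searched by the IP of the switch" symptom: a monitor stanza with no host source indexes every switch's events under the Splunk server's own hostname.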

mcrist3
Explorer

Thank you, I will take a look at our set up and see if we can get this updated.

0 Karma