I'm a Splunk Newbie. Last night while troubleshooting a network loop I was advised by Cisco support to set up a logging server and to have all our switches dump their logs to this server on a regular basis. Without doing much looking, Splunk came to mind as it is often brought up on a tech podcast I listen to. Fast forward to now, I've installed Splunk on a Windows Server 2008R2 instance and added the Cisco apps, now I'm not really sure how to get the switches sending their logs to the server. Are there any good walk-throughs out there I could follow?
i dont remember from the top of my head the exact setting but quick search in your favorite search engine probably will get you results of how to enable logging on your switch. you will also want to open port and point the data to your windows splunk ip or fqdn at the port.
from splunk perspective, open port (enable listening) to the port your switch will send data through. many times it will default to udp 514
hope it helps
Cisco's IOS products support syslog as the network protocol over which logs are sent. There's 2 parts to the answer:
1) Configuring the IOS devices to send their logs. Refer to the Cisco documentation relevant to your devices for details. Generally, it's a matter of defining the syslog destination and the log level. An example may look something like this:
service timestamps log datetime
service timestamps debug datetime
logging trap 5
169.254.123.234 is your syslog server, and you're capturing
NOTICE or higher log messages.
2) Configure a syslog server. Here, you have 2 choices:
.......(1) Install and configure a stand-alone syslog server (such as rsyslog, syslog-ng, or Kiwi). Your Cisco devices will sed their logs to this syslog server, which writes the files down to disk. A Splunk Universal Forwarder can grab the files from there. http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Monitorfilesanddirectories provides some decent insight on general file and directory monitoring. There are a few other Answers posts you may reference on this topic.
.......(2) Configure Splunk to listen for syslog. You can configure a standard UDP input on port 514 for this (Splunk natively can listen for syslog). There's some great documentation on configuring this at http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/Monitornetworkports and
We generally recommend that customers use a syslog server, as it provides a framework for handling heterogenous sourcetypes without a lot of effort. For relatively simple environments (limited sourcetypes), the syslog input is Ok, too.
Best of luck in your endeavours!
Add a Data Input in Splunk through Settings - Data Inputs. Click UDP and type in port 514.
See the Help page of the Cisco Networks app for the specific settings for your switches.
You need both the Cisco Networks App as well as the Cisco Networks Add-on