Does Splunk Stream support Cisco's High Speed Logging (HSL) data input via a NetFlow v9 stream? How will Splunk Stream handle Cisco's High Speed Logging (HSL) "extension" to NetFlow v9?
Cisco ISR 4331 routers cannot forward standard firewall logging data as syslog output and instead export this type of data as NetFlow template and data records. Is Splunk Stream capable of receiving and interpreting these types of NetFlow records? Is version 7.0.1 of Splunk Stream capable of receiving and correctly interpreting NetFlow v9 High Speed Logging (HSL) flow data generated by Cisco ISR 4331 routers? This use case for NetFlow can also be referred to as template-based or "Flexible NetFlow".
Thanks.
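As an added illustration (not part of this thread and not Splunk Stream's code) of why template-based NetFlow v9 such as HSL needs collector-side support: a minimal NetFlow v9 parser in Python that caches templates per exporter and reports data records as undecodable until the matching template has arrived. Field ids 8, 12, 7 and 11 are the standard NetFlow v9 address and port types; id 33000 is a hypothetical vendor field standing in for an HSL extension field, and the packets are constructed inline.

```python
import struct

def parse_netflow_v9(packet, templates):
    # templates: {(source_id, template_id): [(field_type, length), ...]}, shared across packets.
    # Template FlowSets (id 0) fill it; data FlowSets (id > 255) need a matching entry to decode.
    version, _cnt, _up, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")  # refuse truncated or non-advancing input
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet, possibly carrying several templates
            p = 0
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                fields = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(n)]
                templates[(source_id, tid)] = fields
                p += 4 + 4 * n
        elif fs_id > 255:  # data FlowSet keyed by template id
            tmpl = templates.get((source_id, fs_id))
            if tmpl is None:  # the HSL situation: data without its template is opaque bytes
                records.append({"template": fs_id, "undecodable": True})
            else:
                rec_len, p = sum(l for _, l in tmpl), 0
                while rec_len and p + rec_len <= len(body):
                    rec = {"template": fs_id}
                    for ftype, flen in tmpl:
                        rec[ftype], p = int.from_bytes(body[p:p + flen], "big"), p + flen
                    records.append(rec)
        off += fs_len
    return records

def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def data_flowset(tid, raw):
    return struct.pack("!HH", tid, 4 + len(raw)) + raw

def packet(*flowsets, source_id=1):
    return struct.pack("!HHIIII", 9, len(flowsets), 0, 0, 0, source_id) + b"".join(flowsets)

# Constructed sample: template 256 = src/dst IPv4 (types 8, 12), src/dst port (7, 11), hypothetical vendor field 33000.
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (33000, 4)]
RECORD = struct.pack("!IIHHI", 0x0A000001, 0xC0A80105, 40000, 443, 7)

def demo():
    cache = {}
    first = parse_netflow_v9(packet(data_flowset(256, RECORD)), cache)  # data arrives before its template
    second = parse_netflow_v9(packet(template_flowset(256, FIELDS), data_flowset(256, RECORD)), cache)
    return first, second
```

A real collector must also know what each vendor field id means, which is the custom field mapping the replies below refer to.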
Splunk Stream v7.0 (https://splunkbase.splunk.com/app/1809/) supports vendor extensions to NetFlow and it's a documented feature. However, the configuration details are currently not in the Stream documentation. You should be able to work with your Splunk account team to configure the Cisco extensions within Stream.
When I reviewed the latest documentation for Stream, I did take notice that IPFIX extensions could be accommodated, but did not see the same statement made about extensions to NetFlow. If this is in fact a supported product capability of Stream v7.x, it will certainly be one of the options we will want to consider.
Just a quick update: We are currently working to prototype this solution in our lab. More to come.
I want more. Where's the more? 🙂
For those who were waiting for more.... 😉
We did move beyond the lab prototyping phase with this solution and now have routers within approximately 90 offices forwarding HSL events into Splunk without issue.
Hi @edlarsen! I'm the PM for Stream, and while we've done some work with HSL in-house, we don't have a standard configuration that we recommend for the HSL vendor extensions.
Is that something you'd be willing to share with the community or directly with the Splunk team?
Stream supports both NetFlow v9 and IPFIX vendor extensions via custom config. As @tpeveler mentioned, it's currently advanced, manually implemented config work that requires Professional Services.
I am with NetFlow Logic. We are a Splunk partner and do support HSL, if that's needed. You can find out more information about us by searching for 'HSL' in Splunkbase or reach out to me directly.
I don't have much experience with HSL, but it appears to be an extension to the standard NetFlow v9 protocol. Stream currently has limited capabilities to implement custom field mapping, which requires a Professional Services engagement, so I'd suggest talking to your account team about that.