Splunk Enterprise Security

Cisco ACI Add-on for Splunk Enterprise: Which CIM data model datasets is each sourcetype compliant with?

guarisma
Contributor

The Cisco ACI Add-on for Splunk Enterprise provides these source types:

cisco:apic:health
cisco:apic:stats
cisco:apic:class
cisco:apic:authentication

and is Common Information Model (CIM) 4.5, 4.4, 4.3, 4.2 and 4.1 compliant.

I would like to know which CIM datasets each source type is compliant with.

I'm working with Splunk Enterprise Security and wish to know what value the Cisco ACI Add-on for Splunk Enterprise can bring to it.

0 Karma
1 Solution

guarisma
Contributor

From: "Nilay Shah -X (nilaysh - MBO PARTNERS INC at Cisco)"
Date: Thursday, January 26, 2017 at 11:32 AM
To: Igor Guarisma
Cc: "aci-splunk-app(mailer list)"
Subject: Re: What CIM Data Model data sets does each source type of the Cisco ACI Add-on compliant?

Hi Igor,

What you mentioned is correct! The sourcetype cisco:apic:authentication is compliant with CIM data models you listed out. All other sourcetypes/data models are custom built but follow the CIM guidelines for field names, field extractions, aliases, etc.

Additionally,

Source type                | Description                                                    | CIM data model(s)
---------------------------|----------------------------------------------------------------|--------------------------------
cisco:apic:health          | Health scores of all entities in the fabric                    | Custom
cisco:apic:stats           | Statistical data on packet flows, network communication, etc.  | Custom
cisco:apic:class           | Class info such as Tenants, EPGs, BDs, etc.                    | Custom
cisco:apic:authentication  | Audit & access logs                                            | Authentication, Network Session

I hope this information helps you decide on using Cisco ACI add-on for Enterprise Security app.
Let me know if you have any further questions.

Best Regards,
Nilay Shah.



rpille_splunk
Splunk Employee

Hi Guarisma,

That add-on is provided by Cisco, so they're the ones providing the docs for it. The contact information for questions and support is in the Splunkbase details tab, at the bottom: https://splunkbase.splunk.com/app/1897/#/details

You can also probably infer the model mapping by examining the add-on's tags.conf and eventtypes.conf files and comparing the tags you see there to the CIM documentation.

Hope that helps!

0 Karma
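The inference rpille_splunk describes above can be scripted. The following is an added example, not code from the Cisco ACI add-on or from Splunk: it parses an eventtypes.conf and a tags.conf, unions the enabled tags of every eventtype whose search selects a given sourcetype, and reports which CIM root datasets those tags satisfy. The two .conf snippets are constructed to mirror the mapping in the accepted answer (cisco:apic:authentication carrying the Authentication and Network Sessions tags, cisco:apic:health carrying only a custom tag); they are not the add-on's real files. The CIM_ROOT_TAGS table is a small subset of the tag constraints from the CIM data model reference and is an assumption to verify against the CIM version you run.

```python
"""Infer CIM data model coverage of a Splunk add-on from its tags.conf and
eventtypes.conf (added example; .conf contents below are CONSTRUCTED to
mirror the accepted answer, not copied from the Cisco ACI add-on)."""
import configparser
import re
from typing import Dict, List, Set

# Constructed eventtypes.conf: one eventtype per sourcetype, as most add-ons do.
EVENTTYPES_CONF = """
[cisco_apic_authentication]
search = sourcetype=cisco:apic:authentication

[cisco_apic_health]
search = sourcetype="cisco:apic:health"
"""

# Constructed tags.conf: CIM tags are attached to eventtypes, not sourcetypes.
TAGS_CONF = """
[eventtype=cisco_apic_authentication]
authentication = enabled
network = enabled
session = enabled

[eventtype=cisco_apic_health]
cisco_aci = enabled
legacy_tag = disabled
"""

# Subset of CIM root-dataset tag constraints (assumption: verify against the
# CIM reference for your version). A dataset matches only if ALL tags are set.
CIM_ROOT_TAGS: Dict[str, Set[str]] = {
    "Authentication": {"authentication"},
    "Change": {"change"},
    "Intrusion Detection": {"ids", "attack"},
    "Malware": {"malware", "attack"},
    "Network Resolution (DNS)": {"network", "resolution", "dns"},
    "Network Sessions": {"network", "session"},
    "Network Traffic": {"network", "communicate"},
    "Web": {"web"},
}

SOURCETYPE_RE = re.compile(r'sourcetype\s*=\s*"?([\w:.\-]+)"?')


def _load_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-like: '=' only, case-sensitive keys, and
    values may contain '%' or ':' (so no interpolation, no ':' delimiter)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep tag names exactly as written
    cp.read_string(text)
    return cp


def eventtype_sourcetypes(eventtypes_conf: str) -> Dict[str, Set[str]]:
    """eventtype name -> sourcetypes its search string references."""
    cp = _load_conf(eventtypes_conf)
    return {name: set(SOURCETYPE_RE.findall(cp[name].get("search", "")))
            for name in cp.sections()}


def eventtype_tags(tags_conf: str) -> Dict[str, Set[str]]:
    """eventtype name -> tags set to 'enabled' in its [eventtype=...] stanza."""
    cp = _load_conf(tags_conf)
    out: Dict[str, Set[str]] = {}
    for stanza in cp.sections():
        if not stanza.startswith("eventtype="):
            continue  # [sourcetype=...] / [host=...] stanzas also exist; skipped here
        name = stanza[len("eventtype="):]
        out[name] = {tag for tag, state in cp[stanza].items()
                     if state.strip().lower() == "enabled"}
    return out


def cim_coverage(eventtypes_conf: str, tags_conf: str) -> Dict[str, Dict[str, List[str]]]:
    """sourcetype -> {'tags': [...], 'models': [...]}: the union of tags from
    every eventtype selecting the sourcetype, and the CIM root datasets whose
    full tag constraint is satisfied by that union."""
    tags_by_et = eventtype_tags(tags_conf)
    st_tags: Dict[str, Set[str]] = {}
    for et, sourcetypes in eventtype_sourcetypes(eventtypes_conf).items():
        for st in sourcetypes:
            st_tags.setdefault(st, set()).update(tags_by_et.get(et, set()))
    return {
        st: {"tags": sorted(tags),
             "models": sorted(m for m, req in CIM_ROOT_TAGS.items() if req <= tags)}
        for st, tags in st_tags.items()
    }


if __name__ == "__main__":
    for st, info in cim_coverage(EVENTTYPES_CONF, TAGS_CONF).items():
        models = info["models"] or ["Custom (no CIM root dataset)"]
        print(f"{st}: tags={info['tags']} -> {', '.join(models)}")
```

To run this against a real add-on, read `$SPLUNK_HOME/etc/apps/<addon>/default/eventtypes.conf` and `tags.conf` (and any `local/` overrides, which take precedence) into the two string arguments. Matching tags is only half of CIM compliance: the data model's required fields (user, src, dest, action, and so on for Authentication) must also be extracted, which you can confirm in Splunk with a `| datamodel Authentication search` restricted to the sourcetype and checking that those fields are populated.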