Cisco Networks App for Splunk Enterprise
Overview
Details
Install this App on your search head. Install the Cisco Networks Add-on (TA-cisco_ios) on your search head AND indexers/heavy forwarders.
Supported Cisco Devices:
* Cisco Catalyst series switches (2960, 3650, 3750, 4500, 6500, 6800, 7600 etc.)
* Cisco ASR - Aggregation Services Routers (900, 1000, 5000, 9000 etc.)
* Cisco ISR - Integrated Services Routers (800, 1900, 2900, 3900, 4451 etc.)
* Cisco Nexus Data Center switches (1000V, 2000, 3000, 4000, 5000, 6000, 7000, 9000 etc.)
* Cisco Carrier Routing System
* Other Cisco IOS based devices (Metro Ethernet, Industrial Ethernet, Blade Switches, Connected Grid etc.)
* Cisco WLC - WLAN Controller
The Cisco Networks App includes dashboards, data models and logic for analyzing data from Cisco IOS, IOS XE, IOS XR and NX-OS devices using Splunk® Enterprise.
Please post a question on Splunk Answers and tag it with "Cisco Networks" if there is anything you would like to see in this app.
Application Details
Sourcetype(s): cisco:ios
Supported Technologies: Cisco IOS, IOS-XE, NX-OS, IOS XR devices, WLC
Supported Splunk versions: 6.1+
Installation Instructions
The Cisco Networks app can be downloaded, installed, and configured to receive Cisco IOS and WLC data by either using the Splunk app setup screen or by manually installing and configuring the app.
This app reads from the sourcetype cisco:ios defined in TA-cisco_ios
Setup and configuration
1. Install in $SPLUNK_HOME/etc/apps/cisco_ios
2. Restart Splunk
3. See the Help page in the app
Getting Help
- Consult Splunk Answers
- Contact the author: mikael@bjerkeland.com
Release Notes
Version 2.5.5
##### Fixed issues
Version 2.5.5 of the Cisco Networks app fixes the following issues:
- Overview dashboard not showing due to bug with index filter
Version 2.5.4
##### New features
Cisco Networks includes the following new features:
- Multi tenancy support (COMMERCIAL USERS ONLY)
- Real-time dashboard added. You now have the option to switch between real-time and historical mode
##### Removed features
- SMART CALL HOME IS REMOVED ENTIRELY. If you require Inventory information, please get a NMS such as Cisco Prime Infrastructure.
##### Fixed issues
Version 2.5.4 of the Cicso Networks app fixes the following issues:
- Various small fixes removing deprecated features
##### Known issues
Version 2.5.4 of the Cisco Networks app has the following known issues:
- Unable to return raw events in Splunk Enterprise 6.3.0 using searches such as sourcetype=cisco:ios unless in Fast Mode. This is due to a bug in Splunk Enterprise 6.3.0 and the Vendor Message Lookup CSV file. Workarounds (choose one):
- Upgrade your servers to Splunk Enterprise 6.3.1 or higher
- Rename TA-cisco_ios/default/limits.conf.example as TA-cisco_ios/default/limits.conf your Search Head and Index
Version 2.5.3
##### New features
Cisco Networks includes the following new features:
- Multi tenancy support (COMMERCIAL USERS ONLY)
- Real-time dashboard added. You now have the option to switch between real-time and historical mode
##### Removed features
- SMART CALL HOME IS REMOVED ENTIRELY. If you require Inventory information, please get a NMS such as Cisco Prime Infrastructure.
##### Fixed issues
Version 2.5.3 of the Cicso Networks app fixes the following issues:
- Various small fixes removing deprecated features
Version 2.5.2
##### New features
Cisco Networks includes the following new features:
- Multi tenancy support (COMMERCIAL USERS ONLY)
- Real-time dashboard added. You now have the option to switch between real-time and historical mode
##### Removed features
- SMART CALL HOME IS REMOVED ENTIRELY. If you require Inventory information, please get a NMS such as Cisco Prime Infrastructure.
##### Fixed issues
Version 2.5.2 of the Cicso Networks app fixes the following issues:
- Various small fixes removing deprecated features
Version 2.5.1
##### New features
Cisco Networks includes the following new features:
- Multi tenancy support (COMMERCIAL USERS ONLY)
- Real-time dashboard added. You now have the option to switch between real-time and historical mode
##### Removed features
- SMART CALL HOME IS REMOVED ENTIRELY. If you require Inventory information, please get a NMS such as Cisco Prime Infrastructure.
##### Fixed issues
Version 2.5.1 of the Cicso Networks app fixes the following issues:
- Various small fixes removing deprecated features
Version 2.5.0
##### New features
Cisco Networks includes the following new features:
- Multi tenancy support (COMMERCIAL USERS ONLY)
- Real-time dashboard added. You now have the option to switch between real-time and historical mode
##### Removed features
- SMART CALL HOME IS REMOVED ENTIRELY. If you require Inventory information, please get a NMS such as Cisco Prime Infrastructure.
##### Fixed issues
Version 2.5.0 of the Cicso Networks app fixes the following issues:
- Various small fixes removing deprecated features
Version 2.3.4
##### New features
Cisco Networks includes the following new features:
- App certification
##### Fixed issues
Version 2.3.4 of the Cicso Networks app fixes the following issues:
- A few facility lookups were broken in cisco_ios_messages.csv
- Diagnostic messages panel in overview page now displays vendor_message_text instead of message_text. This hides the actual raw event, but prevents actual duplicate events from the same host cluttering the dashboard
- Other CSV file fixes
##### Known issues
Version 2.3.4 of the Cisco Networks app has the following known issues:
- Unable to return raw events in Splunk Enterprise 6.3.0 using searches such as sourcetype=cisco:ios unless in Fast Mode. This is due to a bug in Splunk Enterprise 6.3.0 and the Vendor Message Lookup CSV file. Workarounds (choose one):
- Upgrade your servers to Splunk Enterprise 6.3.1 or higher
- Rename TA-cisco_ios/default/limits.conf.example as TA-cisco_ios/default/limits.conf your Search Head and Indexers
Version 2.3.3
##### New features
Cisco Networks includes the following new features:
-
##### Fixed issues
Version 2.3.3 of the Cicso Networks app fixes the following issues:
- A few facility lookups were broken in cisco_ios_messages.csv
- Diagnostic messages panel in overview page now displays vendor_message_text instead of message_text. This hides the actual raw event, but prevents actual duplicate events from the same host cluttering the dashboard
- Other CSV file fixes
##### Known issues
Version 2.3.3 of the Cisco Networks app has the following known issues:
- Unable to return raw events in Splunk Enterprise 6.3.0 using searches such as sourcetype=cisco:ios unless in Fast Mode. This is due to a bug in Splunk Enterprise 6.3.0 and the Vendor Message Lookup CSV file. Workarounds (choose one):
- Upgrade your servers to Splunk Enterprise 6.3.1 or higher
- Rename TA-cisco_ios/default/limits.conf.example as TA-cisco_ios/default/limits.conf your Search Head and Indexers
Version 2.3.2
##### New features
Cisco Networks includes the following new features:
- Added some more panels to the Security -> ACL dashboard
##### Fixed issues
Version 2.3.2 of the Cicso Networks app fixes the following issues:
- Documentation for certification
##### Known issues
Version 2.3.2 of the Cisco Networks app has the following known issues:
- Unable to return raw events in Splunk Enterprise 6.3.0 using searches such as sourcetype=cisco:ios unless in Fast Mode. This is due to a bug in Splunk Enterprise 6.3.0 and the Vendor Message Lookup CSV file. Workarounds (choose one):
- Upgrade your servers to Splunk Enterprise 6.3.1 or higher
- Rename TA-cisco_ios/default/limits.conf.example as TA-cisco_ios/default/limits.conf your Search Head and Indexers
Version 2.3.0
##### New features
Cisco Networks includes the following new features:
- Route flapping table added to the Routing Dashboard
- AP logging now supported
- Security ACL now does a sum of packets instead of counting rows
##### Fixed issues
Version 2.3.0 of the Cicso Networks app fixes the following issues:
- Change management transactions now resorts to using _time if event_id is missing.
- Changed result field for authentication events to vendor_action for CIM compliance. Also changed in the TA
- All searches now use eventtypes instead of sourcetype=cisco:ios
##### Known issues
Version 2.3.0 of the Cisco Networks app has the following known issues:
- Unable to return raw events in Splunk Enterprise 6.3 using searches such as sourcetype=cisco:ios unless in Fast Mode. This is due to a bug in Splunk Enterprise 6.3 and the Vendor Message Lookup CSV file. Workaround: Rename TA-cisco_ios/default/limits.conf.spec as TA-cisco_ios/default/limits.conf your Search Head and Indexers
Version 2.2.1
##### New features
Cisco Networks includes the following new features:
- Added WLC/IOS toggle to the overview page. UPDATE YOUR Cisco Networks Add-on too!
Version 2.2.0
##### New features
Cisco Networks includes the following new features:
- Added facility category lookup file based on http://www.cisco.com/c/en/us/td/docs/ios/15_0sy/system/messages/15sysmg/sm15syovr.html
- Added variable name lookup file (not in use yet)
- Better documentation
##### Fixed issues
Version 2.2.0 of the Cicso Networks app fixes the following issues:
- Fixed static search on one single device for Smart Call Home events in the Device view
- Removed unused searches
- Wireless view corrected to get MAC addresses correctly output
- Improvements to get the app Splunk Certified
##### Known issues
Version 2.2.0 of the Cisco Networks app has the following known issues:
- None known
Version 2.1.1
+++ 2.1.1 (2014-12-05)
Bug fixes:
* Time picker for Auditing Time Drift + CDP neigbors fixed (it was explicit)
Version 2.1.0
++ What's New
+++ 2.1.0 (2014-10-30)
Features:
* NAME CHANGED TO Cisco Networks. Also download the latest TA-cisco_ios!
* More filters in the dashboards
* DOT1X now with more graphs
Version 2.0.0
++ What's New
+++ 2.0.0 (2014-09-19)
Features:
* CIM 4.0 Compliance. MANY fields have changed names. You may need to change your custom searches
* Lots of new features. Dashboards have been fixed up, drilldowns enhanced, more Smart Call Home support
MAKE SURE YOU REMOVE EARLIER VERSIONS OF THE CISCO IOS APP BEFORE INSTALLING THIS VERSION!
Version 1.6.0
++ What's New
+++ 1.6.0 (2014-07-21)
Features:
* Device/s dashboard changed. Includes data collected with Smart Call Home.
Bug fixes:
* Routing dashboard no longer auto refreshes
* Drilldown now works better in the Event Analysis!
* CSV file moved out of the TA to the main app
Version 1.5.0
++ What's New
+++ 1.5.0 (2014-05-08)
Features:
* Added more fields to the data model
* Added an Event Analysis Dashboard to Auditing using the new lookups from TA-cisco_ios.
* Auditing -> Best Practice Deviations has been removed
* Map visualizations added to Security -> ACL
Version 1.3.2
++ What's New
+++ 1.3.2 (2014-04-23)
Added a new overview page (overview_postprocess_searches_no_pivot)
as a workaround for users having problems with Data Model powered
searches not displaying (Splunk defect SPL-83310) - THIS IS SLOW!
Bug fixes:
* Removed some unneccessary files.
* Moved Performance panels into a common performance_dashboard
Features:
* Preliminary support for IP SLA events (Performance dashboard)
* Optical transceiver attenuation monitoring (Switching -> Dashboard)
Version 1.3.1
++ What's New
+++ 1.3.1 (2014-04-17)
Bug fixes:
* 802.1x euthentications now renamed to 802.1x events, no longer a child of "User"
* Various small changes
Version 1.3.0
+++ 1.3.0 (2014-04-04)
Features:
* Now relies on Splunk 6! Data models are in use
Bug fixes:
* Device dashboard now fixed
Version 1.2.1
+++ 1.2.1 (2014-02-17)
Features: Started work on a new Device dashboard
+++ 1.2.0 (2014-01-09)
Features:
* Moved props, transforms etc to the TA.
YOU NOW NEED THE TA ON YOUR SEARCH HEAD ALONGSIDE THE APP!
+++ 1.1.6 (2013-10-10)
Features:
* Started creating Data Models for Splunk 6.0
Bug fixes:
* Top ACL logs now counts num_packets
Version 1.1.5
+++ 1.1.5 (2013-09-20)
Features:
* IOS XR support
Version 1.1.3
+++ 1.1.3 (2013-08-12)
Bug fixes:
* Fixed bug that also captured events that were in the body of ACS events
* Now captures events from switches with a subfacility
+++ 1.1.2 (2013-07-22)
Features:
* Added wireless - more to come
Version 1.1.1
+++ 1.1.1 (2013-05-27)
Features:
* Add a reliable_time=true/false based on presence of *:
* More CIM compliance
* Fixed ACL logging for log-input
+++ 1.1.0 (2013-05-16)
Features:
* Smart Install view added to Auditing
* Added FHRP to Switching (no extractions yet)
+++ 1.0.9 (2013-04-26)
Features:
* Moved a few things around
* Etherchannel added to performance
Version 1.0.8
+++ 1.0.8 (2013-04-23)
Features:
* Added Switching nav
* Added Security nav
* Added extractions for DOT1X - this will be getting transaction tracking soon
Bug fixes:
* Fixed general extraction to handle integers in facility and mnmenonic
+++ 1.0.7 (2013-04-17)
Features:
* Regex support for WLC
* Added stack manager
+++ 1.0.6 (2013-04-12)
Features:
* Now extracts login successes and failures
Version 1.0.5
+++ 1.0.5 (2013-04-05)
Features:
* Added device restart/boot table to Auditing dashboard. Thanks jaoui
+++ 1.0.4 (2013-04-04)
Bug fixes:
* Fixed subfacility extraction
+++ 1.0.3 (2013-03-28)
Bug fixes:
* Minor under the hood improvements
+++ 1.0.2 (2013-03-26)
Features:
* More extractions added, not yet in any views
Bug fixes:
* device_time extraction has been re-worked a bit to avoid pulling in the wrong values
+++ 1.0.1 (2013-03-25)
Bug fixes:
* Better time matching in place for the time drift view. Now matches numerous formats and is fast, but shows all results
Version 1.0.0
The Cisco IOS app can be downloaded, installed, and configured to receive Cisco IOS data by either using the Splunk app setup screen or by manually installing and configuring the app.
This app reads from the sourcetype cisco_ios defined in TA-cisco_ios
1.0.0 (2013-03-21)
Features:
* The app has been split up into two parts, one App for the search head and a
TA for indexers (TA-cisco_ios)
* Added BGP, EIGRP and MPLS LDP extractions
* Added time drift in Auditing
Currently requires the device time to be in this format Mar 21 19:29:47.320 CET or Mar 21 19:29:47.320
The search is quite slow
* Added tags
* Added time picker for each view
* Host search added for config change transactions
0.1.7 (2013-03-05)
Features:
* OSPF adjacency change regex added: adjchg
* OSPF adjacency change panel added to Routing -> Dashboard
* CDP neighbor add/remove eventtypes and extractions for Nexus switches added
* CDP neighborhood panel for Nexus switches added to Datacenter -> Dashboard
* Added all events to index "ios"
Bug fixes:
* Interface matching fixed, didn't capture multi slot/chassis interfaces
* CIM compliance for src_ip, src_vlan and dest_vlan