For more information about this solution refer to the Cisco Endpoint Security Analytics for Splunk (CESA) home page.
Cisco AnyConnect Network Visibility Module (NVM) App for Splunk consists of 3 components:
• The Splunk App with pre-designed Dashboards to visualize and view the data.
• The Splunk Add-on which provides data indexing and formatting inside Splunk Enterprise.
• The NVM Collector Component which is responsible for collecting and translating all IPFIX (nvzFlow) data from the endpoints and forwarding it to the Splunk Add-on. This is a manually installed component that requires 64-bit Linux (see NVM COLLECTOR COMPONENT INSTALLATION section for more information).
Please restart the Spunk Server after installation is completed.
After completing this step, refer to the NVM collector installation section below. The collector must be running before data will be available to the Splunk components.
The default configuration receives three data feeds for Splunk, Per Flow Data, Endpoint Identity Data and Endpoint Interface Data, on UDP ports 20519, 20520 and 20521 respectively. This can be changed in the Application Input settings in Splunk if for some reason you needed to change the collector configuration as described below.
The Add-On maps these to Splunk sourcetypes cisco:nvm:flowdata, cisco:nvm:sysdata and cisco:nvm:ifdata.
The NVM collector runs on 64-bit Linux. CentOS, Ubuntu and Docker configuration scripts are included. The CentOS install scripts and configuration files can also be used in Fedora and Redhat distributions as well.
In a typical distrubuted Splunk Enterprise deployment, the collector should be run on either a standalone 64-bit Linux system or a Splunk Forwarder node running on 64-bit Linux.
NOTE: The solution can also be run on a single 64-bit Linux system that includes the NVM collector and Splunk Enterprise components for use in a small deployment or for demonstration purposes.
In order to install the collector you will need to copy the application in the acnvmcollector.zip file, located in the $APP_DIR$/appserver/addon/ directory to the system you plan to install it on.
Extract the files on the system where you plan to install the collector on and execute the install.sh script with super user privileges. It is recommended to read the $PLATFORM$_README file in the .zip bundle before executing the install.sh script. The $PLATFORM$_README file provides information on the relevant configuration settings that need to be verified and modified (if necessary) before the install.sh script is executed. At a minimum, you will need to configure the address of the Splunk instance you will be forwarding data to. Failing to properly configure the system can cause the collector to operate incorrectly.
NOTE: Ensure that network and host firewalls are properly configured to allow the UDP traffic for the source and destination addresses and ports
A single NVM collector instance can handle a minimum of 5000 flows per second on a properly sized system.
The collector needs to be configured and running before the Splunk App can be used.
By default, the collector receives flows from AnyConnect NVM endpoints on UDP port 2055.
Additionally, the collector produces three data feeds for Splunk, Per Flow Data, Endpoint Identity Data and Endpoint Interface Data, on UDP ports 20519, 20520 and 20521 respectively.
The receive and data feed ports can be changed by altering the acnvm.conf file and restarting the collector instance. Make sure that any host/network firewalls between endpoints and the collector or between the collector and Splunk system(s) are open for the configured UDP ports and addresses. Also ensure that your AnyConnect NVM configuration matches your collector configuration. Refer to the AnyConnect Administration Guide for more information.
Once all components are installed and running, refer to the Help files section from within the Splunk application for detailed information about the pre-configured reports, data model and information elements that are created by the solution.
You may want to restart one of your AnyConnect endpoints and validate that data is being sent to the solution.
Some additional information is available at this Cisco Community Site that you might find useful.
Splunk Developers who are interested in learning more about the AnyConnect NVM protocol and overall solution can go to the Cisco DevNet site for more information.
This app is written and maintained by Cisco (nvzFlow at cisco dot com). No official support is available. Be sure to read the above sections for initial assistance with setup and configuration. See Supplemental End User License as well as the Cisco Endpoint Security Analytics for Splunk home page for more information.
Version 2.x supports the new Cisco Endpoint Security Analytics (CESA) for Splunk licensing model.
For more details refer to the CESA homepage at https://www.cisco.com/go/cesa
Fixed a number of configuration issues to improve the application based on customer feedback.
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.