Cisco Catalyst Add-on for Splunk

OVERVIEW

Cisco Catalyst Add-on for Splunk collects data for different Cisco Products - Cisco Identity Services Engine, Cisco Catalyst SD-WAN, Cisco Catalyst Center, and Cisco CyberVision. The add-on parses the data from these sources and stores them into the Splunk indexes.

• Author - Cisco Systems
• Version - 1.1.1
• Build - 1
• Prerequisites - This application is dependent on Splunk Add-on for Stream Forwarders, Splunk App for Stream and Cisco Catalyst Enhanced Netflow Add-on for Splunk to collect Netflow Data.

COMPATIBILITY MATRIX

• Browser: Google Chrome, Mozilla Firefox & Safari
• OS: Linux, macOS, Windows
• Splunk Enterprise Version: Splunk 9.1.x, Splunk 9.2.x, Splunk 9.3.x
• Supported Splunk Deployment: Standalone, Distributed & Cluster
• Splunk Add-on for Stream Forwarders (Third Party Dependency): 8.1.0 & 8.0.2
• Splunk App for Stream (Third Party Dependency): 8.1.0 & 8.0.2
• Cisco Catalyst Enhanced Netflow Add-on for Splunk (Third Party Dependency): 1.0.0

RECOMMENDED SYSTEM CONFIGURATION

• Standard Splunk Enterprise configuration of Search Head, Indexer, and Forwarder.

TOPOLOGY AND SETTING UP SPLUNK ENVIRONMENT

• This app has been distributed in two parts.

  1. Cisco Catalyst Add-on for Splunk, which parses collected Syslog, Modular Input and NetFlow data.
  2. Cisco Enterprise Networking for Splunk Platform, which adds dashboards to visualize Syslog, Modular Input and NetFlow data.

• This app can be set up in two ways:

1) Standalone Mode

• Install the "Cisco Enterprise Networking for Splunk Platform" and "Cisco Catalyst Add-on for Splunk" on a single machine. This single machine would serve as a Search Head + Indexer + Heavy Forwarder for this setup.
• The "Cisco Enterprise Networking for Splunk Platform" uses the data parsed by the "Cisco Catalyst Add-on for Splunk" and builds dashboards on it.

2) Distributed Environment

• Install the "Cisco Enterprise Networking for Splunk Platform" and "Cisco Catalyst Add-on for Splunk" on the search head.
• Install only "Cisco Catalyst Add-on for Splunk" on the heavy forwarder.
• User needs to manually create an index on the Indexer (No need to install "Cisco Enterprise Networking for Splunk Platform" on Indexer).
• Note: Installation of "Cisco Catalyst Add-on for Splunk" on Indexer is required in case of universal forwarder.

INSTALLATION

"Cisco Catalyst Add-On For Splunk" can be installed through : unique name to describe as shown below. Alternatively, .tar or .spl file can also be extracted directly into $SPLUNK_HOME/etc/apps/ directory.

1. Log in to Splunk Web and navigate to Apps > Manage Apps.
2. Click Install the app from file.
3. Click Choose file and select the TA_cisco_catalyst installation file.
4. Click on Upload.
5. Restart Splunk

UPGRADE

General upgrade steps:

• Log in to Splunk Web and navigate to Cisco Catalyst Add-on for Splunk -> Inputs.
• Here disable all configured Inputs.
• Navigate to Apps -> Manage Apps on Splunk menu bar.
• Click Install app from file.
• Click Choose file and select the Cisco Catalyst Add-on for Splunk installation file.
• Check the Upgrade checkbox.
• Click on Upload.
• Restart Splunk.

Upgrade to v1.1.0

• Follow the General upgrade steps section.

CONFIGURATION

Configure Inputs on Splunk for Modular Inputs Data

To add Data Inputs follow the steps below:

For DNA Center

1. Configure a Cisco DNA Center User Account.
2. Configure Data Inputs:
   • Name: Unique name to describe the data input
   • Interval: Time interval to request the data from Cisco DNA Center.
   • Index: Splunk index.
   • Cisco DNA Center Host: The DNA Center's base URL (for example: https://sandboxdnac.cisco.com:443). Use https.
   • Cisco DNA Center user account.
3. Repeat step 1 or 2 for every combination of user account, base URL and data inputs as needed.

For Cyber Vision

1. Configure a Cisco Cyber Vision Account.

   • Account Name: Unique name to describe the user account.
   • IP Address/Domain: IP Address of the Cisco Cyber Vision portal (Use https).
   • API Token: API Token generated from Cyber Vision for the above account.
   • Use Custom CA Certificate: Enable or disable use of Custom CA Certification for this account.
   • Custom CA Certificate: Custom CA Certificate for this account.
   • Enable Proxy: Enable or disable use of Proxy for this account.
   • Proxy Type: Proxy protocol.
   • Proxy URL: Server Address of Proxy Host.
   • Proxy Port: Port to the proxy server.
   • Proxy Username: Username of the proxy server if it exists.
   • Proxy Password: Password of the proxy server if it exists.

2. Configure Data Inputs:

   • Name: Unique name to describe the data input
   • Interval: Time interval to request the data from Cisco Cyber Vision.
   • Index: Splunk index.
   • Cisco Cyber Vision user account.
   • Start Date: Start Time and Date from where data needs to be collected (format: YYYY-MM-DDTHH:MM:SSZ).
3. Repeat step 1 or 2 for every combination of user account, start date and data inputs as needed.

SSL Configuration

1. By default, the API calls from the Cisco Catalyst Add-on for Splunk would be verified by SSL. The configurations are present in $SPLUNK_HOME/etc/apps/TA_cisco_catalyst/default/ta_cisco_catalyst_settings.conf file:
   [additional_parameters] verify_ssl = True
2. In order to make unverified calls, change the SSL verification to False. To do that, navigate to $SPLUNK_HOME/etc/apps/TA_cisco_catalyst/local/ta_cisco_catalyst_settings.conf file and change the verify_ssl parameter value to False under additional_parameters stanza. Create a stanza if its not present already.
3. To add a custom SSL certificate to the certificate chain, use the option available in the user interface while configuring a DNA Center or Cyber Vision account.
4. Restart the Splunk in order for the changes to take effect.

Configure Inputs on Splunk for Syslog Data

The Cisco Catalyst Add-on for Splunk manages inputs through TCP/UDP inputs provided by Splunk. The Add-on collects the syslog data from Cisco SD-WAN, Cisco ISE as well as Cisco Cyber Vision through the TCP/UDP inputs. To configure inputs:

• Login to Splunk WEB UI.
• Navigate to Settings > Data inputs.
• Choose TCP or UDP and click New.
• In the left pane, click TCP / UDP to add an input.
• Click the TCP or UDP button to choose between a TCP or UDP input.
• In the Port field, enter a port number on which you are forwarding the logs from Cisco SD-WAN and Cisco ISE.
  • In order to forward the logs from Cisco Cyber Vision, create another TCP/UDP Port using the same method.
• In the Source name override field, enter a new source name to override the default source value, if necessary.
• Click Next to continue to the Input Settings page.
• Set the sourcetype as cisco:catalyst:syslog for Cisco SD-WAN and Cisco ISE. Set the sourcetype as cisco:cybervision:syslog for Cisco Cyber Vision.
• Set "App" context to Cisco Catalyst Add-on.
• Set the Index that Splunk Enterprise should send data to for this input.
• Click Review.
• Click Submit once you have ensured everything is correct.

Once the input is configured, execute the following query to see if Syslog events are being received.
For Cisco SD-WAN and Cisco ISE:
index=<configured_index> sourcetype IN ("cisco:sdwan*", "cisco:ise:syslog")
For Cisco Cyber Vision:
index=<configured_index> sourcetype="cisco:cybervision:syslog"

Notes

1. For a better user experience, make sure you disable the Cisco ISE, Cisco SD-WAN and Cisco Cyber Vision Add-Ons if you have enabled it in your Splunk environment.
   • To disable the Add-Ons, go to Manage Apps > Search for TA name > Disable.
2. If you have any existing TCP/UDP inputs created for the Cisco ISE, Cisco SD-WAN and Cisco Cyber Vision Add-Ons, ensure that you disable those inputs as well and create a new TCP/UDP input as mentioned above.

Configure Inputs on Splunk for Netflow Data

• Prerequisite to collect Netflow data into Splunk

• Install the following apps in the Splunk instance to collect and parse the NetFlow (v9) data:

  App	Search Head	Heavy Forwarder	Indexer
  Splunk App for Stream	No	Yes	No
  Splunk Add-on for Stream Forwarders	No	Yes	No
  Cisco Catalyst Enhanced Netflow Add-on for Splunk	No	Yes	No

• Make sure that the receiver UDP port (Ex. 4739) is open and bypass the firewall traffic.

Configure Cisco ISE to send logs to Splunk Enterprise for the Splunk Add-on for Cisco ISE

To enable to Splunk Enterprise to receive data from your Cisco ISE remote system logging, complete these steps:

• Create a remote logging target.
• Add the target to the appropriate logging categories.

The following sections provide detailed configuration instructions.

For more information, see the Logging section of the Cisco ISE Administrator Guide provided by Cisco.

Steps to follow

• Once the "Splunk App for Stream", "Splunk Add-on for Stream Forwarders" and "Cisco Catalyst Enhanced Netflow Add-on for Splunk" are installed in the desired Splunk Instance.
• Open "Splunk App for Stream" > Click on "Configuration" > Click on "Configure Streams"
• In the "Search" filter search for the keyword "netflow" and Update the "Mode" to "Disabled".
• In the "Search" filter search for the keyword "cisco_hsl_cisco_hsl_netflow".
• For "cisco_hsl_cisco_hsl_netflow" stream > Goto "Action" > "Edit"
• Update the "Mode" to "Enabled" & select the desired index, by default "main" will be selected.
• Click on Save.
• SSH into the Destination VM example VM: X.X.X.X (should be replaced with the VM in which data is been collected)
• Goto Location: $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local
• Create a "streamfwd.conf" in the "local" folder
• Sample format of 'streamfwd.conf' as below:
  [streamfwd] netflowReceiver.<N>.ip = <ip_address> netflowReceiver.<N>.port = <port_number> netflowReceiver.<N>.decoder = <flow_protocol>
• Below is an example file for the ip x.x.x.x and port 4739:
  [streamfwd] netflowReceiver.0.ip = x.x.x.x netflowReceiver.0.port = 4739 netflowReceiver.0.decoder = netflow
• Save the changes.
• All the NetFlow events will get ingested in the Destination VM: X.X.X.X (should be replaced with the VM in which data is been collected)
• Verify the ingestion of events by using the following query from the "Destination VM: X.X.X.X" (should be replaced with the VM in which data is been collected)
  • index="<desired index name>" sourcetype="stream*"

Note: Refer to the documentation for setting up a new Netflow stream.

Create remote logging target

1. In Cisco ISE, choose Administration > System > Logging > Remote Logging Targets.
2. Click Add.

3. Configure the following fields:

   Field	Value	Description
   Name	Splunk	Target name, also used below in the category
   IP Address	1.1.1.2 (for example)	IP address of the Splunk Enterprise system
   Port	514 (for example)	Port that you are using on the Splunk Enterprise system or port configured for TCP or UDP input on Splunk Connect for Syslog (SC4S) or syslog aggregator (for example, rsyslog, syslog-ng) as a network input.
   Target Type	UDP	Best practice. NOT the default.
   Maximum Length	8192	Events will be broken if you use a smaller value.

4. Tune all other fields at your discretion.

5. Add the new port(s) in order to enable receiving logs into Splunk
   • If the "Target Type" is TCP use Settings > Data Inputs > TCP > New Local TCP
   • If the "Target Type" is UDP use Settings > Data Inputs > UDP > New Local UDP
6. Click Save.
7. Go to the Remote Logging Targets page and verify the creation of the new target.

Add the new target to your desired logging categories

1. Choose Administration > System > Logging > Logging Categories.
2. Click the radio button next to the category that you want to edit, then click Edit.
3. Add the Splunk target that you created to the following categories. These are default log collection settings and can be tuned at your discretion:
   • AAA Audit
   • Failed Attempts
   • Passed Authentications
   • AAA Diagnostics
   • Accounting
   • RADIUS Accounting
   • Administrative and Operational Audit
   • Posture and Client Provisioning Audit
   • Posture and Client Provisioning Diagnostics
   • MDM
   • Profiler
   • System Diagnostics
   • System Statistics
4. Click Save.
5. Go to the Logging Categories page and verify the configuration changes that were made to the specific categories.

Confirm your installation and setup

To confirm that events are showing up correctly, run the following search over the last 15 minutes:

sourcetype=cisco:ise:syslog

If the search returns events from your ISE server, then you have successfully configured the add-on.

Configure Event Types on Splunk Search Head Instance

To use the CIM mapped fields, a user first needs to configure the event type to provide the index in which the data is being collected. To configure event type:

• Navigate to Settings > Event types.
• Select "Cisco Catalyst Add-on for Splunk" from the App dropdown.
• Click on "cisco_sdwan_index".
• Update "()" with "index=<your_configured_index>" in the existing definition to use your configured index.
• Click Save.

RELEASE NOTES

Version 1.1.1

• Fixed indextime extractions for Cisco DNA Center.

Version 1.1.0

• Added support for the data collection of Cisco Cyber Vision.

Version 1.0.0

• The Add-On supports the data collection for the following products:
  • Cisco Identity Services Engine
  • Cisco SD-WAN
  • Cisco DNA Center
• Added support for the additional log sources for Cisco SD-WAN:
  • ACL
  • SGACL

Lookups

• cisco_ise_message_catalog_420.csv: Maps MESSAGE_CODE to MESSAGE_CLASS, MESSAGE_TEXT
• cisco_ise_service.csv: Maps MESSAGE_CODE to SERVICE
• cisco_ise_change_message_code_420.csv: Maps MESSAGE_CODE to change_type, command, object, object_attrs, object_category, result
• cisco_ise_message_catalog_2024.csv: Maps MESSAGE_CODE to MESSAGE_CLASS, MESSAGE_TEXT, dataset_name, action, type
• cisco_cybervision_asset_site_system_mappings: Maps host with asset_system and site_id
• cisco_cybervision_severity_lookup: Maps severity_id with severity

TROUBLESHOOTING

• To check the fields extracted for Syslog data by the Cisco Catalyst Add-on for Splunk:
  • index=<your_index_name> sourcetype IN ("cisco:sdwan*", "cisco:ise:syslog") in Splunk in verbose mode.
  • "cisco:catalyst:syslog" must be selected as sourcetype while configuring the Syslog input.
• To check the fields extracted for Netflow data by the Cisco Catalyst Add-on for Splunk:
  • index=<your_index_name> sourcetype="stream*" in Splunk in verbose mode.
• To troubleshoot any issues related to the Cisco DNA Center data collection, perform the below steps:
  • Go to the Add-on's Configuration and enable logging.
  • Go to Search and enter the following query:
    index="__internal" source=*TA_cisco_catalyst_*
  • Execute the below search query to check for the data collected for Cisco DNA Center: index=<your_index_name> sourcetype=cisco:dnac:* in Verbose mode
• To troubleshoot any issues related to the Cisco Cyber Vision data collection, perform the below steps:
  • Check log files *_cybervision_*.log present at $SPLUNK_HOME/var/log/splunk.
  • Also, user can use index="_internal" source=*_cybervision_*.log ERROR query to see ERROR logs in the Splunk UI.
  • Try disabling and re-enabling the inputs.

NOTE

• Make sure that the user enables forwarding on a configured port from the Cisco SDWAN, Cisco Identity Services Engine after performing the above steps.
• $SPLUNK_HOME denotes the path where Splunk is installed. Ex: /opt/splunk

UNINSTALL & CLEANUP STEPS

• Remove $SPLUNK_HOME/etc/apps/TA_cisco_catalyst
• To reflect the cleanup changes in UI, Restart the Splunk Enterprise instance

BINARY FILE DECLARATION

• md.cpython-37m-x86_64-linux-gnu.so - This file is generated from nested lib dependency.
• md__mypyc.cpython-37m-x86_64-linux-gnu.so - This file is generated from nested lib dependency.

SUPPORT

• Support Offered: Yes
• Support Email: ciscosdwan-splunk-support@external.cisco.com

Copyright (c) 2024 Cisco Systems, Inc. All rights reserved.