Cisco Catalyst Add-on for Splunk
OVERVIEW
Cisco Catalyst Add-on for Splunk collects data from several Cisco products - Cisco Identity Services Engine, Cisco Catalyst SD-WAN, Cisco Catalyst Center, and Cisco Cyber Vision. The add-on parses the data from these sources and stores it in Splunk indexes.
- Author - Cisco Systems
- Version - 1.1.1
- Build - 1
- Prerequisites - NetFlow collection depends on the Splunk Add-on for Stream Forwarders, the Splunk App for Stream and the Cisco Catalyst Enhanced Netflow Add-on for Splunk.
COMPATIBILITY MATRIX
- Browser: Google Chrome, Mozilla Firefox & Safari
- OS: Linux, macOS, Windows
- Splunk Enterprise Version: Splunk 9.1.x, Splunk 9.2.x, Splunk 9.3.x
- Supported Splunk Deployment: Standalone, Distributed & Cluster
- Splunk Add-on for Stream Forwarders (Third Party Dependency): 8.1.0 & 8.0.2
- Splunk App for Stream (Third Party Dependency): 8.1.0 & 8.0.2
- Cisco Catalyst Enhanced Netflow Add-on for Splunk (Third Party Dependency): 1.0.0
RECOMMENDED SYSTEM CONFIGURATION
TOPOLOGY AND SETTING UP SPLUNK ENVIRONMENT
1) Standalone Mode
- Install the "Cisco Enterprise Networking for Splunk Platform" and "Cisco Catalyst Add-on for Splunk" on a single machine. This single machine would serve as a Search Head + Indexer + Heavy Forwarder for this setup.
- The "Cisco Enterprise Networking for Splunk Platform" uses the data parsed by the "Cisco Catalyst Add-on for Splunk" and builds dashboards on it.
2) Distributed Environment
- Install the "Cisco Enterprise Networking for Splunk Platform" and "Cisco Catalyst Add-on for Splunk" on the search head.
- Install only "Cisco Catalyst Add-on for Splunk" on the heavy forwarder.
- Create the index manually on the Indexer (there is no need to install "Cisco Enterprise Networking for Splunk Platform" on the Indexer).
- Note: When data arrives through a universal forwarder, "Cisco Catalyst Add-on for Splunk" must also be installed on the Indexer, because a universal forwarder does not parse events and the index-time extractions then have to run on the Indexer.
INSTALLATION
"Cisco Catalyst Add-On For Splunk" can be installed through Splunk Web as shown below. Alternatively, the .tar or .spl file can be extracted directly into the $SPLUNK_HOME/etc/apps/ directory.
- Log in to Splunk Web and navigate to Apps > Manage Apps.
- Click "Install app from file".
- Click "Choose file" and select the TA_cisco_catalyst installation file.
- Click "Upload".
- Restart Splunk.
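When the package is extracted directly into $SPLUNK_HOME/etc/apps/ it is worth listing the archive first: a Splunk app package is a gzipped tar whose members should all sit under one top-level directory (TA_cisco_catalyst for this add-on), and an entry with an absolute path or a ".." component would land outside the apps directory. The script below is an added example, not part of the add-on or of Cisco's instructions; it rejects such archives and only then hands the file to the standard "splunk install app" command. The $SPLUNK_HOME default of /opt/splunk is an assumption.

```shell
#!/bin/sh
# Added example (not from the add-on): vet a .spl/.tgz before it is extracted into
# $SPLUNK_HOME/etc/apps/. Every member must live under the expected top-level
# directory; absolute paths and ".." components are rejected.

# check_app_archive ARCHIVE [TOPDIR] -> 0 if every member is safe, 1 otherwise
check_app_archive() {
  archive="$1"
  expected_top="${2:-TA_cisco_catalyst}"   # directory name used by this add-on
  members=$(tar -tzf "$archive") || return 1
  status=0
  while IFS= read -r member; do
    [ -n "$member" ] || continue
    case "$member" in
      /*|..|../*|*/../*|*/..)
        echo "REJECT unsafe path: $member" >&2; status=1 ;;
      "$expected_top"|"$expected_top"/*)
        ;;   # normal member inside the add-on directory
      *)
        echo "REJECT unexpected top-level entry: $member" >&2; status=1 ;;
    esac
  done <<EOF
$members
EOF
  return "$status"
}

# install_app_archive ARCHIVE -> install only after the check passes (needs a Splunk instance)
install_app_archive() {
  check_app_archive "$1" || return 1
  splunk_bin="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"   # path is an assumption
  "$splunk_bin" install app "$1" && "$splunk_bin" restart
}
```

The same check applies to any third-party app dropped into $SPLUNK_HOME/etc/apps/, not only this add-on.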
UPGRADE
General upgrade steps:
- Log in to Splunk Web and navigate to Cisco Catalyst Add-on for Splunk -> Inputs.
- Disable all configured inputs.
- Navigate to Apps -> Manage Apps on Splunk menu bar.
- Click Install app from file.
- Click Choose file and select the Cisco Catalyst Add-on for Splunk installation file.
- Check the Upgrade checkbox.
- Click on Upload.
- Restart Splunk.
Upgrade to v1.1.0
- Follow the General upgrade steps section.
CONFIGURATION
Configure Inputs on Splunk for Modular Inputs Data
To add Data Inputs follow the steps below:
For DNA Center
- Configure a Cisco DNA Center User Account.
- Configure Data Inputs:
- Name: Unique name to describe the data input.
- Interval: Time interval at which data is requested from Cisco DNA Center.
- Index: Splunk index.
- Cisco DNA Center Host: The DNA Center's base URL (for example: https://sandboxdnac.cisco.com:443). Use https.
- Cisco DNA Center Account: The user account configured in the previous step.
- Repeat steps 1 and 2 for every combination of user account, base URL and data input as needed.
For Cyber Vision
- Configure a Cisco Cyber Vision Account:
- Account Name: Unique name to describe the user account.
- IP Address/Domain: IP address or domain name of the Cisco Cyber Vision portal (use https).
- API Token: API token generated in Cyber Vision for the above account.
- Use Custom CA Certificate: Enable or disable use of a custom CA certificate for this account.
- Custom CA Certificate: Custom CA certificate for this account.
- Enable Proxy: Enable or disable use of a proxy for this account.
- Proxy Type: Proxy protocol.
- Proxy URL: Server address of the proxy host.
- Proxy Port: Port of the proxy server.
- Proxy Username: Username for the proxy server, if required.
- Proxy Password: Password for the proxy server, if required.
- Configure Data Inputs:
- Name: Unique name to describe the data input.
- Interval: Time interval at which data is requested from Cisco Cyber Vision.
- Index: Splunk index.
- Cisco Cyber Vision Account: The account configured in the previous step.
- Start Date: Start time and date from which data needs to be collected (format: YYYY-MM-DDTHH:MM:SSZ).
- Repeat steps 1 and 2 for every combination of user account, start date and data input as needed.
SSL Configuration
- By default, the API calls made by the Cisco Catalyst Add-on for Splunk verify the server's TLS certificate. The setting lives in the $SPLUNK_HOME/etc/apps/TA_cisco_catalyst/default/ta_cisco_catalyst_settings.conf file:
[additional_parameters]
verify_ssl = True
- To make unverified calls, set verify_ssl to False under the additional_parameters stanza of $SPLUNK_HOME/etc/apps/TA_cisco_catalyst/local/ta_cisco_catalyst_settings.conf (create the file and the stanza if they are not present already; do not edit the default file, as upgrades overwrite it). With verification disabled the add-on accepts any certificate, so the DNA Center or Cyber Vision credentials and the collected data can be read or altered by anyone able to redirect the connection. For appliances that use a private CA, prefer the next option.
- To trust a custom CA certificate, use the Custom CA Certificate option available in the user interface while configuring a DNA Center or Cyber Vision account.
- Restart Splunk in order for the changes to take effect.
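Because Splunk layers <app>/local/*.conf over <app>/default/*.conf, a "verify_ssl = False" left in local silently overrides the shipped default and is easy to miss in the UI. The script below is an added example (not part of the add-on): it reads the value the add-on will actually use, applying the default-then-local precedence, and fails when verification is off, so it can run in a deployment pipeline or a periodic check. File and stanza names are the ones documented above; the app path default is an assumption. On a live instance, "splunk btool ta_cisco_catalyst_settings list --debug" shows the same merged view with the file each value came from.

```shell
#!/bin/sh
# Added example (not from the add-on): resolve the effective verify_ssl setting across the
# default and local layers of ta_cisco_catalyst_settings.conf and alert when it is False.

# conf_get FILE STANZA KEY -> prints the last value of KEY inside [STANZA] (nothing if absent)
conf_get() {
  [ -f "$1" ] || return 0
  awk -v stanza="[$2]" -v key="$3" -F= '
    /^[ \t]*\[/ { inside = ($0 == stanza); next }
    inside && $1 ~ ("^[ \t]*" key "[ \t]*$") {
      v = substr($0, index($0, "=") + 1)      # keep everything after the first "="
      gsub(/^[ \t]+|[ \t]+$/, "", v); print v
    }' "$1" | tail -n 1
}

# effective_verify_ssl [APP_DIR] -> prints True or False after default -> local precedence
effective_verify_ssl() {
  app="${1:-${SPLUNK_HOME:-/opt/splunk}/etc/apps/TA_cisco_catalyst}"   # path is an assumption
  value=True                                   # the add-on ships verify_ssl = True
  for layer in default local; do
    v=$(conf_get "$app/$layer/ta_cisco_catalyst_settings.conf" additional_parameters verify_ssl)
    [ -n "$v" ] && value="$v"                  # a later layer overrides an earlier one
  done
  printf '%s\n' "$value"
}

# assert_ssl_verified [APP_DIR] -> exit 1 (with a warning) when certificate checks are off
assert_ssl_verified() {
  [ "$(effective_verify_ssl "$1")" = "True" ] || {
    echo "WARNING: verify_ssl is False; API calls to DNA Center / Cyber Vision accept any certificate" >&2
    return 1
  }
}
```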
Configure Inputs on Splunk for Syslog Data
The Cisco Catalyst Add-on for Splunk receives syslog through the TCP/UDP inputs provided by Splunk. The add-on collects syslog data from Cisco SD-WAN, Cisco ISE and Cisco Cyber Vision through these inputs. To configure inputs:
- Log in to Splunk Web.
- Navigate to Settings > Data inputs.
- Click TCP or UDP, then click New to add an input of that type.
- In the Port field, enter the port number to which Cisco SD-WAN and Cisco ISE forward their logs.
- To receive the logs from Cisco Cyber Vision, create a second TCP/UDP input on a different port using the same steps (an input carries a single sourcetype, so the two products cannot share a port).
- In the Source name override field, enter a new source name to override the default source value, if necessary.
- Click Next to continue to the Input Settings page.
- Set the sourcetype to cisco:catalyst:syslog for Cisco SD-WAN and Cisco ISE, and to cisco:cybervision:syslog for Cisco Cyber Vision.
- Set "App" context to Cisco Catalyst Add-on.
- Set the Index that Splunk Enterprise should send data to for this input.
- Click Review.
- Click Submit once you have ensured everything is correct.
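In a distributed deployment the same inputs are usually pushed as an inputs.conf file (deployment server or configuration management) rather than clicked through. The script below is an added example, not part of the add-on: it renders the inputs.conf equivalent of the steps above for both listeners, validates the protocol and port, and refuses to put the two products on one port, since each input carries exactly one sourcetype. Port numbers and the index name are assumptions; the sourcetypes are the ones required above.

```shell
#!/bin/sh
# Added example (not from the add-on): inputs.conf stanzas for the two syslog listeners.

# syslog_input_stanza PROTO PORT SOURCETYPE INDEX -> prints one inputs.conf stanza
syslog_input_stanza() {
  proto="$1" port="$2" sourcetype="$3" idx="$4"
  case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp: $proto" >&2; return 1 ;; esac
  case "$port" in ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
  # connection_host = ip keeps the sender's address as host instead of a reverse lookup
  printf '[%s://%s]\nsourcetype = %s\nindex = %s\nconnection_host = ip\n\n' \
    "$proto" "$port" "$sourcetype" "$idx"
}

# catalyst_syslog_inputs PROTO SDWAN_ISE_PORT CYBERVISION_PORT INDEX -> both listeners
catalyst_syslog_inputs() {
  proto="$1" p1="$2" p2="$3" idx="$4"
  # one sourcetype per input: sharing a port would tag every event with the same sourcetype
  [ "$p1" != "$p2" ] || { echo "SD-WAN/ISE and Cyber Vision need different ports" >&2; return 1; }
  syslog_input_stanza "$proto" "$p1" cisco:catalyst:syslog "$idx" &&
  syslog_input_stanza "$proto" "$p2" cisco:cybervision:syslog "$idx"
}

# Typical use on the heavy forwarder (ports, index and path are assumptions); the file goes
# under the add-on's local/ directory so the input runs in the add-on's app context:
#   catalyst_syslog_inputs udp 5514 5515 cisco_catalyst \
#     > "${SPLUNK_HOME:-/opt/splunk}/etc/apps/TA_cisco_catalyst/local/inputs.conf"
```

After writing the file, restart Splunk (or reload the deployment) and confirm with the searches below.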
Once the input is configured, execute the following query to see whether syslog events are being received. Note that the search uses the product-specific sourcetypes, not the cisco:catalyst:syslog value set on the input.
For Cisco SD-WAN and Cisco ISE:
index=<configured_index> sourcetype IN ("cisco:sdwan*", "cisco:ise:syslog")
For Cisco Cyber Vision:
index=<configured_index> sourcetype="cisco:cybervision:syslog"
Notes
- For a better user experience, make sure you disable the Cisco ISE, Cisco SD-WAN and Cisco Cyber Vision add-ons if you have enabled them in your Splunk environment.
- To disable the Add-Ons, go to Manage Apps > Search for TA name > Disable.
- If you have any existing TCP/UDP inputs created for the Cisco ISE, Cisco SD-WAN and Cisco Cyber Vision Add-Ons, ensure that you disable those inputs as well and create a new TCP/UDP input as mentioned above.
Configure Inputs on Splunk for Netflow Data
Steps to follow
- Install "Splunk App for Stream", "Splunk Add-on for Stream Forwarders" and "Cisco Catalyst Enhanced Netflow Add-on for Splunk" on the Splunk instance that will collect NetFlow.
- Open "Splunk App for Stream" > Click on "Configuration" > Click on "Configure Streams".
- In the "Search" filter, search for the keyword "netflow" and update the "Mode" of the matching streams to "Disabled".
- In the "Search" filter, search for the keyword "cisco_hsl_cisco_hsl_netflow".
- For the "cisco_hsl_cisco_hsl_netflow" stream > Go to "Action" > "Edit".
- Update the "Mode" to "Enabled" and select the desired index; by default "main" is selected.
- Click on Save.
- SSH into the destination VM (X.X.X.X below stands for the machine on which the NetFlow data is collected).
- Go to $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local.
- Create a "streamfwd.conf" file in the "local" folder. Sample format:
[streamfwd]
netflowReceiver.<N>.ip = <ip_address>
netflowReceiver.<N>.port = <port_number>
netflowReceiver.<N>.decoder = <flow_protocol>
- Below is an example file for the IP x.x.x.x and port 4739:
[streamfwd]
netflowReceiver.0.ip = x.x.x.x
netflowReceiver.0.port = 4739
netflowReceiver.0.decoder = netflow
- Save the changes. The ip value is the local interface address the Stream forwarder listens on, so the exporters must be able to reach it on that UDP port; open the port on the host firewall and restrict the permitted source addresses to your exporters, since NetFlow carries no authentication.
- All NetFlow events are ingested on the destination VM X.X.X.X.
- Verify the ingestion of events with the following query on the destination VM:
- index="<desired index name>" sourcetype="stream*"
Note: Refer to the documentation for setting up a new Netflow stream.
Configure Cisco ISE to send logs to Splunk Enterprise for the Cisco Catalyst Add-on for Splunk
To enable Splunk Enterprise to receive data from your Cisco ISE remote system logging, complete these steps:
- Create a remote logging target.
- Add the target to the appropriate logging categories.
The following sections provide detailed configuration instructions.
For more information, see the Logging section of the Cisco ISE Administrator Guide provided by Cisco.
Create remote logging target
- In Cisco ISE, choose Administration > System > Logging > Remote Logging Targets.
- Click Add.
- Configure the following fields:
Field | Value | Description
Name | Splunk | Target name, also used below when assigning logging categories
IP Address | 1.1.1.2 (for example) | IP address of the Splunk Enterprise system
Port | 514 (for example) | Port that you are using on the Splunk Enterprise system, or the port configured for the TCP or UDP input on Splunk Connect for Syslog (SC4S) or on a syslog aggregator (for example, rsyslog, syslog-ng) as a network input
Target Type | UDP | Best practice. NOT the default.
Maximum Length | 8192 | Events will be broken if you use a smaller value.
- Tune all other fields at your discretion. Keep in mind that UDP syslog is unauthenticated, unencrypted and offers no delivery guarantee: if the path from ISE to the collector crosses an untrusted network, use ISE's secure (TLS) syslog target type instead, and in either case restrict the Splunk input, or a host firewall in front of it, to the ISE node addresses.
- Add the new port(s) in order to enable receiving logs into Splunk
- If the "Target Type" is TCP use Settings > Data Inputs > TCP > New Local TCP
- If the "Target Type" is UDP use Settings > Data Inputs > UDP > New Local UDP
- Click Save.
- Go to the Remote Logging Targets page and verify the creation of the new target.
Add the new target to your desired logging categories
- Choose Administration > System > Logging > Logging Categories.
- Click the radio button next to the category that you want to edit, then click Edit.
- Add the Splunk target that you created to the following categories. These are default log collection settings and can be tuned at your discretion:
- AAA Audit
- Failed Attempts
- Passed Authentications
- AAA Diagnostics
- Accounting
- RADIUS Accounting
- Administrative and Operational Audit
- Posture and Client Provisioning Audit
- Posture and Client Provisioning Diagnostics
- MDM
- Profiler
- System Diagnostics
- System Statistics
- Click Save.
- Go to the Logging Categories page and verify the configuration changes that were made to the specific categories.
Confirm your installation and setup
To confirm that events are showing up correctly, run the following search over the last 15 minutes:
sourcetype=cisco:ise:syslog
If the search returns events from your ISE server, then you have successfully configured the add-on.
Configure Event Types on Splunk Search Head Instance
To use the CIM-mapped fields, first point the cisco_sdwan_index event type at the index in which the SD-WAN data is collected; the shipped definition contains an empty "()" placeholder in place of the index filter. To configure the event type:
- Navigate to Settings > Event types.
- Select "Cisco Catalyst Add-on for Splunk" from the App dropdown.
- Click on "cisco_sdwan_index".
- Replace "()" with "index=<your_configured_index>" in the existing definition.
- Click Save.
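The same change can be applied without the UI, which is useful when search heads are built from configuration management. The script below is an added example, not part of the add-on: it copies the cisco_sdwan_index definition from the add-on's default/eventtypes.conf into local/eventtypes.conf with "()" replaced by "index=<name>", leaving the shipped file untouched so the change survives upgrades. The index name is validated first because it is spliced into an SPL search: quotes, pipes or spaces would change the query that the CIM fields depend on. The app path and the exact layout of the default stanza are assumptions; the test data stands in for the shipped definition.

```shell
#!/bin/sh
# Added example (not from the add-on): set the index in the cisco_sdwan_index event type.

# valid_index_name NAME -> 0 when NAME contains only letters, digits, "_" and "-"
valid_index_name() {
  case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; *) return 0 ;; esac
}

# set_sdwan_eventtype INDEX [APP_DIR] -> writes [cisco_sdwan_index] to local/eventtypes.conf
set_sdwan_eventtype() {
  idx="$1"
  app="${2:-${SPLUNK_HOME:-/opt/splunk}/etc/apps/TA_cisco_catalyst}"   # path is an assumption
  valid_index_name "$idx" || { echo "refusing unsafe index name: $idx" >&2; return 1; }
  # take the shipped search string and substitute the "()" placeholder
  search=$(awk -v idx="$idx" '
    /^[ \t]*\[/ { inside = ($0 == "[cisco_sdwan_index]"); next }
    inside && /^[ \t]*search[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")            # keep only the SPL after "search ="
      sub(/\(\)/, "index=" idx)           # the placeholder the page tells you to replace
      print; found = 1
    }
    END { exit found ? 0 : 1 }' "$app/default/eventtypes.conf") || {
      echo "cisco_sdwan_index not found in $app/default/eventtypes.conf" >&2; return 1; }
  local_conf="$app/local/eventtypes.conf"
  mkdir -p "$app/local"
  [ -f "$local_conf" ] || : > "$local_conf"
  # drop an earlier [cisco_sdwan_index] stanza from local (up to the next header), keep the rest
  awk '/^[ \t]*\[/ { skip = ($0 == "[cisco_sdwan_index]") } !skip' "$local_conf" > "$local_conf.tmp"
  printf '[cisco_sdwan_index]\nsearch = %s\n' "$search" >> "$local_conf.tmp"
  mv "$local_conf.tmp" "$local_conf"
}

# sdwan_eventtype_search [APP_DIR] -> prints the search currently defined in local/
sdwan_eventtype_search() {
  app="${1:-${SPLUNK_HOME:-/opt/splunk}/etc/apps/TA_cisco_catalyst}"
  awk '/^[ \t]*\[/ { inside = ($0 == "[cisco_sdwan_index]"); next }
       inside && /^[ \t]*search[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print }' \
       "$app/local/eventtypes.conf" 2>/dev/null | tail -n 1
}
```

Run it on the search head, then restart Splunk or reload the configuration so the new definition takes effect.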
RELEASE NOTES
Version 1.1.1
- Fixed indextime extractions for Cisco DNA Center.
Version 1.1.0
- Added support for the data collection of Cisco Cyber Vision.
Version 1.0.0
- The Add-On supports the data collection for the following products:
- Cisco Identity Services Engine
- Cisco SD-WAN
- Cisco DNA Center
- Added support for the additional log sources for Cisco SD-WAN:
Lookups
- cisco_ise_message_catalog_420.csv: Maps MESSAGE_CODE to MESSAGE_CLASS, MESSAGE_TEXT
- cisco_ise_service.csv: Maps MESSAGE_CODE to SERVICE
- cisco_ise_change_message_code_420.csv: Maps MESSAGE_CODE to change_type, command, object, object_attrs, object_category, result
- cisco_ise_message_catalog_2024.csv: Maps MESSAGE_CODE to MESSAGE_CLASS, MESSAGE_TEXT, dataset_name, action, type
- cisco_cybervision_asset_site_system_mappings: Maps host to asset_system and site_id
- cisco_cybervision_severity_lookup: Maps severity_id to severity
TROUBLESHOOTING
- To check the fields extracted for Syslog data by the Cisco Catalyst Add-on for Splunk, run the following search in Splunk in verbose mode:
index=<your_index_name> sourcetype IN ("cisco:sdwan*", "cisco:ise:syslog")
- "cisco:catalyst:syslog" must be selected as the sourcetype while configuring the Syslog input.
- To check the fields extracted for Netflow data by the Cisco Catalyst Add-on for Splunk, run the following search in verbose mode:
index=<your_index_name> sourcetype="stream*"
- To troubleshoot any issues related to the Cisco DNA Center data collection, perform the below steps:
- Go to the Add-on's Configuration and enable logging.
- Go to Search and enter the following query:
index="_internal" source=*TA_cisco_catalyst_*
- Execute the below search in verbose mode to check the data collected for Cisco DNA Center:
index=<your_index_name> sourcetype=cisco:dnac:*
- To troubleshoot any issues related to the Cisco Cyber Vision data collection, perform the below steps:
- Check the log files *_cybervision_*.log present at $SPLUNK_HOME/var/log/splunk.
- Alternatively, use the following query to see ERROR logs in the Splunk UI:
index="_internal" source=*_cybervision_*.log ERROR
- Try disabling and re-enabling the inputs.
NOTE
- After performing the above steps, make sure that Cisco SD-WAN and Cisco Identity Services Engine are configured to forward their logs to the port of the input you created.
- $SPLUNK_HOME denotes the path where Splunk is installed. Ex: /opt/splunk
UNINSTALL & CLEANUP STEPS
- Remove $SPLUNK_HOME/etc/apps/TA_cisco_catalyst
- To reflect the cleanup changes in UI, Restart the Splunk Enterprise instance
BINARY FILE DECLARATION
- md.cpython-37m-x86_64-linux-gnu.so - This file is generated from nested lib dependency.
- md__mypyc.cpython-37m-x86_64-linux-gnu.so - This file is generated from nested lib dependency.
SUPPORT
Copyright (c) 2024 Cisco Systems, Inc. All rights reserved.