
SHA256 checksums of the downloadable packages:

  • cisco-catalyst-add-on-for-splunk_112.tgz: aefbca58fc0449322bdb0a7b596a44ac28d55be1ceafc1b86b81d8597de4a4fd
  • cisco-catalyst-add-on-for-splunk_111.tgz: c03a5d50b4cbc43e60be9b2755281d92776bb684b093a8790ed1eab9f748e3a8
  • cisco-catalyst-add-on-for-splunk_110.tgz: 1779b160026f52211e9524d561b189a5e59908564b16ada56c3815b238da9ee5
  • cisco-catalyst-add-on-for-splunk_100.tgz: 1bb16a2d73253b354f8743b7ad403e00c27169cb8a3e5b300f68a07e2408ee26
Cisco Catalyst Add-on for Splunk

Cisco Catalyst Add-on for Splunk collects data for different Cisco Products - **Cisco Identity Services Engine**, **Cisco Catalyst SD-WAN**, **Cisco Catalyst Center**, and **Cisco CyberVision**. The add-on parses the data from these sources and stores them into the Splunk indexes.

* Author - Cisco Systems
* Version - 1.1.1
* Build - 1
* Prerequisites - This application is dependent on **Splunk Add-on for Stream Forwarders**, **Splunk App for Stream** and **Cisco Catalyst Enhanced Netflow Add-on for Splunk** to collect Netflow Data.


COMPATIBILITY MATRIX

  • Browser: Google Chrome, Mozilla Firefox & Safari
  • OS: Linux, macOS, Windows
  • Splunk Enterprise Version: Splunk 9.1.x, Splunk 9.2.x, Splunk 9.3.x
  • Supported Splunk Deployment: Standalone, Distributed & Cluster
  • Splunk Add-on for Stream Forwarders (Third Party Dependency): 8.1.0 & 8.0.2
  • Splunk App for Stream (Third Party Dependency): 8.1.0 & 8.0.2
  • Cisco Catalyst Enhanced Netflow Add-on for Splunk (Third Party Dependency): 1.0.0

RECOMMENDED SYSTEM CONFIGURATION

TOPOLOGY AND SETTING UP SPLUNK ENVIRONMENT

  • This app has been distributed in two parts.

    1. Cisco Catalyst Add-on for Splunk, which parses collected Syslog, Modular Input and NetFlow data.
    2. Cisco Enterprise Networking for Splunk Platform, which adds dashboards to visualize Syslog, Modular Input and NetFlow data.
  • This app can be set up in two ways:

1) Standalone Mode

  • Install the "Cisco Enterprise Networking for Splunk Platform" and "Cisco Catalyst Add-on for Splunk" on a single machine. This single machine would serve as a Search Head + Indexer + Heavy Forwarder for this setup.
  • The "Cisco Enterprise Networking for Splunk Platform" uses the data parsed by the "Cisco Catalyst Add-on for Splunk" and builds dashboards on it.

2) Distributed Environment

  • Install the "Cisco Enterprise Networking for Splunk Platform" and "Cisco Catalyst Add-on for Splunk" on the search head.
  • Install only "Cisco Catalyst Add-on for Splunk" on the heavy forwarder.
  • The user needs to manually create an index on the Indexer (there is no need to install "Cisco Enterprise Networking for Splunk Platform" on the Indexer).
  • Note: Installation of "Cisco Catalyst Add-on for Splunk" on the Indexer is required when a universal forwarder is used.

INSTALLATION

"Cisco Catalyst Add-On For Splunk" can be installed through Splunk Web as shown below. Alternatively, the .tar or .spl file can also be extracted directly into the $SPLUNK_HOME/etc/apps/ directory.

  1. Log in to Splunk Web and navigate to Apps > Manage Apps.
  2. Click Install the app from file.
  3. Click Choose file and select the TA_cisco_catalyst installation file.
  4. Click on Upload.
  5. Restart Splunk.
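The checksums listed at the top of this page only protect the installation if they are checked before the package is extracted. The script below is an added example (not part of the add-on or of Splunkbase) that verifies a downloaded .tgz against those published SHA256 values and then extracts it into $SPLUNK_HOME/etc/apps, refusing archive members that would land outside that directory. It assumes the archive unpacks to a single top-level directory named TA_cisco_catalyst, as the uninstall section indicates.

```python
"""Verify a Splunkbase download against the published SHA256 checksums,
then extract it into $SPLUNK_HOME/etc/apps.  Added example, not shipped
with the add-on."""
import hashlib
import hmac
import os
import sys
import tarfile

# SHA256 values exactly as listed on the Splunkbase download page.
EXPECTED_SHA256 = {
    "cisco-catalyst-add-on-for-splunk_112.tgz":
        "aefbca58fc0449322bdb0a7b596a44ac28d55be1ceafc1b86b81d8597de4a4fd",
    "cisco-catalyst-add-on-for-splunk_111.tgz":
        "c03a5d50b4cbc43e60be9b2755281d92776bb684b093a8790ed1eab9f748e3a8",
    "cisco-catalyst-add-on-for-splunk_110.tgz":
        "1779b160026f52211e9524d561b189a5e59908564b16ada56c3815b238da9ee5",
    "cisco-catalyst-add-on-for-splunk_100.tgz":
        "1bb16a2d73253b354f8743b7ad403e00c27169cb8a3e5b300f68a07e2408ee26",
}

# Assumption: the archive unpacks to this single top-level directory
# (the uninstall steps remove $SPLUNK_HOME/etc/apps/TA_cisco_catalyst).
APP_DIR = "TA_cisco_catalyst"


def sha256_hex(data: bytes) -> str:
    """SHA256 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """SHA256 of a file, read in 1 MiB chunks so large packages fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_matches(filename: str, data: bytes) -> bool:
    """True only if the file name is a known release and its bytes hash to
    the published value.  compare_digest avoids a timing side channel."""
    expected = EXPECTED_SHA256.get(os.path.basename(filename))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def member_is_safe(name: str) -> bool:
    """Reject tar members that would escape the extraction directory
    (absolute paths, or '..' components that survive normalisation)."""
    norm = os.path.normpath(name)
    if not norm or os.path.isabs(norm):
        return False
    return not (norm == ".." or norm.startswith(".." + os.sep))


def install(tgz_path: str, splunk_home: str) -> str:
    """Verify the package, then extract it; returns the installed app path."""
    expected = EXPECTED_SHA256.get(os.path.basename(tgz_path))
    actual = sha256_file(tgz_path)
    if expected is None or not hmac.compare_digest(actual, expected):
        raise SystemExit(f"checksum mismatch for {tgz_path}: {actual}")
    apps_dir = os.path.join(splunk_home, "etc", "apps")
    with tarfile.open(tgz_path, "r:gz") as tar:
        members = tar.getmembers()
        for member in members:
            top = os.path.normpath(member.name).split(os.sep)[0]
            # Links are refused as well: a symlink member could redirect a
            # later member's write outside the apps directory.
            if (not member_is_safe(member.name) or member.issym()
                    or member.islnk() or top != APP_DIR):
                raise SystemExit(f"refusing archive member: {member.name}")
        tar.extractall(apps_dir, members=members)
    return os.path.join(apps_dir, APP_DIR)


if __name__ == "__main__":
    # Usage: python install_ta.py cisco-catalyst-add-on-for-splunk_112.tgz
    home = os.environ.get("SPLUNK_HOME", "/opt/splunk")
    print("installed to", install(sys.argv[1], home))
```

Run it as the Splunk service user with SPLUNK_HOME set; a restart of Splunk is still needed afterwards, exactly as in step 5.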

UPGRADE

General upgrade steps:

  • Log in to Splunk Web and navigate to Cisco Catalyst Add-on for Splunk -> Inputs.
  • Disable all configured inputs there.
  • Navigate to Apps -> Manage Apps on Splunk menu bar.
  • Click Install app from file.
  • Click Choose file and select the Cisco Catalyst Add-on for Splunk installation file.
  • Check the Upgrade checkbox.
  • Click on Upload.
  • Restart Splunk.

Upgrade to v1.1.0

  • Follow the General upgrade steps section.

CONFIGURATION

Configure Inputs on Splunk for Modular Inputs Data

To add Data Inputs follow the steps below:

For DNA Center

  1. Configure a Cisco DNA Center User Account.
  2. Configure Data Inputs:
    • Name: Unique name to describe the data input
    • Interval: Time interval to request the data from Cisco DNA Center.
    • Index: Splunk index.
    • Cisco DNA Center Host: The DNA Center's base URL (for example: https://sandboxdnac.cisco.com:443). Use https.
    • Cisco DNA Center user account.
  3. Repeat step 1 or 2 for every combination of user account, base URL and data inputs as needed.

For Cyber Vision

  1. Configure a Cisco Cyber Vision Account.

    • Account Name: Unique name to describe the user account.
    • IP Address/Domain: IP Address of the Cisco Cyber Vision portal (Use https).
    • API Token: API Token generated from Cyber Vision for the above account.
    • Use Custom CA Certificate: Enable or disable use of Custom CA Certification for this account.
    • Custom CA Certificate: Custom CA Certificate for this account.
    • Enable Proxy: Enable or disable use of Proxy for this account.
    • Proxy Type: Proxy protocol.
    • Proxy URL: Server Address of Proxy Host.
    • Proxy Port: Port to the proxy server.
    • Proxy Username: Username of the proxy server if it exists.
    • Proxy Password: Password of the proxy server if it exists.
  2. Configure Data Inputs:

    • Name: Unique name to describe the data input
    • Interval: Time interval to request the data from Cisco Cyber Vision.
    • Index: Splunk index.
    • Cisco Cyber Vision user account.
    • Start Date: Start Time and Date from where data needs to be collected (format: YYYY-MM-DDTHH:MM:SSZ).
  3. Repeat step 1 or 2 for every combination of user account, start date and data inputs as needed.

SSL Configuration

  1. By default, the API calls made by the Cisco Catalyst Add-on for Splunk are SSL-verified. The configuration is present in the $SPLUNK_HOME/etc/apps/TA_cisco_catalyst/default/ta_cisco_catalyst_settings.conf file:
    [additional_parameters]
    verify_ssl = True
  2. To make unverified calls, change the SSL verification to False. To do that, navigate to the $SPLUNK_HOME/etc/apps/TA_cisco_catalyst/local/ta_cisco_catalyst_settings.conf file and change the verify_ssl parameter value to False under the additional_parameters stanza. Create the stanza if it is not present already. Note that unverified calls no longer check the identity of the DNA Center or Cyber Vision server; where the server uses a private CA, prefer step 3.
  3. To add a custom SSL certificate to the certificate chain, use the option available in the user interface while configuring a DNA Center or Cyber Vision account.
  4. Restart Splunk for the changes to take effect.
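Because Splunk layers local/ over default/, the effective value of verify_ssl is whichever copy of the stanza is read last, and a setting left at False in local/ is easy to miss during review. The script below is an added example (not part of the add-on) that reads both copies of ta_cisco_catalyst_settings.conf, applies that precedence and reports the effective setting; the set of strings treated as true is an assumption modelled on Splunk's usual boolean spellings.

```python
"""Report the effective verify_ssl setting of the Cisco Catalyst Add-on by
applying Splunk's default/ then local/ precedence.  Added example, not
part of the add-on."""
import configparser
import os
import sys

APP = "TA_cisco_catalyst"
CONF = "ta_cisco_catalyst_settings.conf"
STANZA = "additional_parameters"
KEY = "verify_ssl"
# Assumption: the add-on accepts the usual Splunk boolean spellings.
TRUE_VALUES = {"true", "t", "1", "yes", "y"}

# Constructed copy of the shipped default, as quoted in the SSL section.
DEFAULT_TEXT = "[additional_parameters]\nverify_ssl = True\n"


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse a Splunk .conf file: keys stay case-sensitive, no interpolation."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def effective_verify_ssl(default_text: str, local_text: str = "") -> bool:
    """Return the verify_ssl value after local/ overrides default/.
    A key missing from both layers falls back to True (verification on)."""
    value = "True"
    for text in (default_text, local_text):
        parser = parse_conf(text)
        if parser.has_option(STANZA, KEY):
            value = parser.get(STANZA, KEY)
    return value.strip().lower() in TRUE_VALUES


def audit(splunk_home: str) -> str:
    """Read the real default/ and local/ files and return a one-line finding."""
    layers = []
    for layer in ("default", "local"):
        path = os.path.join(splunk_home, "etc", "apps", APP, layer, CONF)
        if os.path.exists(path):
            with open(path, encoding="utf-8") as handle:
                layers.append(handle.read())
        else:
            layers.append("")
    if effective_verify_ssl(*layers):
        return "verify_ssl is on: API server certificates are validated"
    return ("verify_ssl is OFF: DNA Center and Cyber Vision calls do not "
            "authenticate the server; prefer the custom CA certificate option")


if __name__ == "__main__":
    # Usage: python audit_verify_ssl.py /opt/splunk
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "/opt/splunk"))
```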

Configure Inputs on Splunk for Syslog Data

The Cisco Catalyst Add-on for Splunk manages inputs through TCP/UDP inputs provided by Splunk. The Add-on collects the syslog data from Cisco SD-WAN, Cisco ISE as well as Cisco Cyber Vision through the TCP/UDP inputs. To configure inputs:

  • Log in to the Splunk Web UI.
  • Navigate to Settings > Data inputs.
  • Choose TCP or UDP and click New.
  • In the left pane, click TCP / UDP to add an input.
  • Click the TCP or UDP button to choose between a TCP or UDP input.
  • In the Port field, enter a port number on which you are forwarding the logs from Cisco SD-WAN and Cisco ISE.
    • In order to forward the logs from Cisco Cyber Vision, create another TCP/UDP Port using the same method.
  • In the Source name override field, enter a new source name to override the default source value, if necessary.
  • Click Next to continue to the Input Settings page.
  • Set the sourcetype as cisco:catalyst:syslog for Cisco SD-WAN and Cisco ISE. Set the sourcetype as cisco:cybervision:syslog for Cisco Cyber Vision.
  • Set "App" context to Cisco Catalyst Add-on.
  • Set the Index that Splunk Enterprise should send data to for this input.
  • Click Review.
  • Click Submit once you have ensured everything is correct.

Once the input is configured, execute the following query to see if Syslog events are being received.

For Cisco SD-WAN and Cisco ISE:
  index=<configured_index> sourcetype IN ("cisco:sdwan*", "cisco:ise:syslog")

For Cisco Cyber Vision:
  index=<configured_index> sourcetype="cisco:cybervision:syslog"

Notes

  1. For a better user experience, make sure you disable the Cisco ISE, Cisco SD-WAN and Cisco Cyber Vision Add-Ons if you have enabled them in your Splunk environment.
    • To disable the Add-Ons, go to Manage Apps > Search for TA name > Disable.
  2. If you have any existing TCP/UDP inputs created for the Cisco ISE, Cisco SD-WAN and Cisco Cyber Vision Add-Ons, ensure that you disable those inputs as well and create a new TCP/UDP input as mentioned above.

Configure Inputs on Splunk for Netflow Data

Configure Cisco ISE to send logs to Splunk Enterprise for the Splunk Add-on for Cisco ISE

To enable Splunk Enterprise to receive data from your Cisco ISE remote system logging, complete these steps:

  • Create a remote logging target.
  • Add the target to the appropriate logging categories.

The following sections provide detailed configuration instructions.

For more information, see the Logging section of the Cisco ISE Administrator Guide provided by Cisco.

Steps to follow

  • Ensure that the "Splunk App for Stream", "Splunk Add-on for Stream Forwarders" and "Cisco Catalyst Enhanced Netflow Add-on for Splunk" are installed on the desired Splunk instance.
  • Open "Splunk App for Stream" > Click on "Configuration" > Click on "Configure Streams".
  • In the "Search" filter, search for the keyword "netflow" and update the "Mode" to "Disabled".
  • In the "Search" filter, search for the keyword "cisco_hsl_cisco_hsl_netflow".
  • For the "cisco_hsl_cisco_hsl_netflow" stream, go to "Action" > "Edit".
  • Update the "Mode" to "Enabled" and select the desired index; by default "main" will be selected.
  • Click on Save.
  • SSH into the destination VM, for example VM X.X.X.X (replace with the VM on which the data is being collected).
  • Go to the location $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local.
  • Create a "streamfwd.conf" file in the "local" folder.
  • Sample format of 'streamfwd.conf':
    [streamfwd]
    netflowReceiver.<N>.ip = <ip_address>
    netflowReceiver.<N>.port = <port_number>
    netflowReceiver.<N>.decoder = <flow_protocol>
  • Below is an example file for the ip x.x.x.x and port 4739:
    [streamfwd]
    netflowReceiver.0.ip = x.x.x.x
    netflowReceiver.0.port = 4739
    netflowReceiver.0.decoder = netflow
  • Save the changes.
  • All NetFlow events will be ingested on the destination VM X.X.X.X (replace with the VM on which the data is being collected).
  • Verify the ingestion of events by running the following query on the destination VM X.X.X.X (replace with the VM on which the data is being collected):
    • index="<desired index name>" sourcetype="stream*"

Note: Refer to the documentation for setting up a new Netflow stream.
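A malformed receiver block in streamfwd.conf means no NetFlow is ingested, and the verification search above only tells you that after the fact. The script below is an added example (not part of Splunk Stream or the add-on) that parses the [streamfwd] stanza in the format shown above, groups the netflowReceiver.<N>.* keys per receiver and reports missing or malformed fields before the file is deployed. The embedded sample content is constructed (the page uses x.x.x.x), and the set of accepted decoder names is an assumption; the page itself only shows netflow.

```python
"""Validate netflowReceiver.<N>.* entries in a Splunk Stream streamfwd.conf
before deploying it.  Added example, not part of Splunk Stream or the add-on."""
import configparser
import ipaddress
import re
import sys

KEY_RE = re.compile(r"^netflowReceiver\.(\d+)\.(ip|port|decoder)$")
REQUIRED = ("ip", "port", "decoder")
# Assumption: decoder names accepted by streamfwd; the page shows "netflow".
KNOWN_DECODERS = {"netflow", "sflow"}

# Constructed sample in the format given above (page uses x.x.x.x).
SAMPLE_CONF = """[streamfwd]
netflowReceiver.0.ip = 10.0.0.5
netflowReceiver.0.port = 4739
netflowReceiver.0.decoder = netflow
"""


def parse_netflow_receivers(text: str) -> dict:
    """Group netflowReceiver.<N>.<field> keys into {N: {field: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the camelCase key names intact
    parser.read_string(text)
    receivers: dict = {}
    if not parser.has_section("streamfwd"):
        return receivers
    for key, value in parser.items("streamfwd"):
        match = KEY_RE.match(key)
        if match:
            index, field = int(match.group(1)), match.group(2)
            receivers.setdefault(index, {})[field] = value.strip()
    return receivers


def validate_receivers(receivers: dict) -> list:
    """Return human-readable problems; an empty list means the config is sane."""
    problems = []
    if not receivers:
        problems.append("no netflowReceiver.<N>.* entries found")
    seen_endpoints = set()
    for index, fields in sorted(receivers.items()):
        for name in REQUIRED:
            if name not in fields:
                problems.append(f"receiver {index}: missing {name}")
        if "ip" in fields:
            try:
                ipaddress.ip_address(fields["ip"])
            except ValueError:
                problems.append(f"receiver {index}: invalid ip {fields['ip']!r}")
        if "port" in fields:
            port = fields["port"]
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                problems.append(f"receiver {index}: port {port!r} out of range")
        if "decoder" in fields and fields["decoder"] not in KNOWN_DECODERS:
            problems.append(f"receiver {index}: unknown decoder {fields['decoder']!r}")
        # Two receivers on the same ip/port cannot both bind the socket.
        endpoint = (fields.get("ip"), fields.get("port"))
        if endpoint in seen_endpoints:
            problems.append(f"receiver {index}: duplicate ip/port {endpoint}")
        seen_endpoints.add(endpoint)
    return problems


def check_streamfwd_conf(text: str) -> list:
    """Parse and validate in one step."""
    return validate_receivers(parse_netflow_receivers(text))


if __name__ == "__main__":
    # Usage: python check_streamfwd.py $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/streamfwd.conf
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for line in check_streamfwd_conf(source) or ["OK: receiver config looks valid"]:
        print(line)
```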

Create remote logging target

  1. In Cisco ISE, choose Administration > System > Logging > Remote Logging Targets.
  2. Click Add.
  3. Configure the following fields:

    Field           Value                  Description
    Name            Splunk                 Target name, also used below in the category.
    IP Address      1.1.1.2 (for example)  IP address of the Splunk Enterprise system.
    Port            514 (for example)      Port that you are using on the Splunk Enterprise system, or the port configured for a TCP or UDP input on Splunk Connect for Syslog (SC4S) or a syslog aggregator (for example, rsyslog, syslog-ng) as a network input.
    Target Type     UDP                    Best practice. NOT the default.
    Maximum Length  8192                   Events will be broken if you use a smaller value.
  4. Tune all other fields at your discretion.

  5. Add the new port(s) in order to enable receiving logs into Splunk.
    • If the "Target Type" is TCP use Settings > Data Inputs > TCP > New Local TCP
    • If the "Target Type" is UDP use Settings > Data Inputs > UDP > New Local UDP
  6. Click Save.
  7. Go to the Remote Logging Targets page and verify the creation of the new target.

Add the new target to your desired logging categories

  1. Choose Administration > System > Logging > Logging Categories.
  2. Click the radio button next to the category that you want to edit, then click Edit.
  3. Add the Splunk target that you created to the following categories. These are default log collection settings and can be tuned at your discretion:
    • AAA Audit
    • Failed Attempts
    • Passed Authentications
    • AAA Diagnostics
    • Accounting
    • RADIUS Accounting
    • Administrative and Operational Audit
    • Posture and Client Provisioning Audit
    • Posture and Client Provisioning Diagnostics
    • MDM
    • Profiler
    • System Diagnostics
    • System Statistics
  4. Click Save.
  5. Go to the Logging Categories page and verify the configuration changes that were made to the specific categories.

Confirm your installation and setup

To confirm that events are showing up correctly, run the following search over the last 15 minutes:

sourcetype=cisco:ise:syslog

If the search returns events from your ISE server, then you have successfully configured the add-on.

Configure Event Types on Splunk Search Head Instance

To use the CIM mapped fields, a user first needs to configure the event type to provide the index in which the data is being collected. To configure event type:

  • Navigate to Settings > Event types.
  • Select "Cisco Catalyst Add-on for Splunk" from the App dropdown.
  • Click on "cisco_sdwan_index".
  • Update "()" with "index=<your_configured_index>" in the existing definition to use your configured index.
  • Click Save.

RELEASE NOTES

Version 1.1.1

  • Fixed indextime extractions for Cisco DNA Center.

Version 1.1.0

  • Added support for the data collection of Cisco Cyber Vision.

Version 1.0.0

  • The Add-On supports the data collection for the following products:
    • Cisco Identity Services Engine
    • Cisco SD-WAN
    • Cisco DNA Center
  • Added support for the additional log sources for Cisco SD-WAN:
    • ACL
    • SGACL

Lookups

  • cisco_ise_message_catalog_420.csv: Maps MESSAGE_CODE to MESSAGE_CLASS, MESSAGE_TEXT
  • cisco_ise_service.csv: Maps MESSAGE_CODE to SERVICE
  • cisco_ise_change_message_code_420.csv: Maps MESSAGE_CODE to change_type, command, object, object_attrs, object_category, result
  • cisco_ise_message_catalog_2024.csv: Maps MESSAGE_CODE to MESSAGE_CLASS, MESSAGE_TEXT, dataset_name, action, type
  • cisco_cybervision_asset_site_system_mappings: Maps host with asset_system and site_id
  • cisco_cybervision_severity_lookup: Maps severity_id with severity

TROUBLESHOOTING

  • To check the fields extracted for Syslog data by the Cisco Catalyst Add-on for Splunk:
    • Run index=<your_index_name> sourcetype IN ("cisco:sdwan*", "cisco:ise:syslog") in Splunk in verbose mode.
    • "cisco:catalyst:syslog" must be selected as the sourcetype while configuring the Syslog input.
  • To check the fields extracted for Netflow data by the Cisco Catalyst Add-on for Splunk:
    • Run index=<your_index_name> sourcetype="stream*" in Splunk in verbose mode.
  • To troubleshoot any issues related to the Cisco DNA Center data collection, perform the steps below:
    • Go to the Add-on's Configuration and enable logging.
    • Go to Search and enter the following query:
      index="_internal" source=*TA_cisco_catalyst_*
    • Execute the following search query to check the data collected for Cisco DNA Center: index=<your_index_name> sourcetype=cisco:dnac:* in verbose mode.
  • To troubleshoot any issues related to the Cisco Cyber Vision data collection, perform the steps below:
    • Check the *_cybervision_*.log log files present at $SPLUNK_HOME/var/log/splunk.
    • Alternatively, run index="_internal" source=*_cybervision_*.log ERROR in the Splunk UI to see ERROR logs.
    • Try disabling and re-enabling the inputs.

NOTE

  • Make sure that forwarding to the configured port is enabled on Cisco SD-WAN and Cisco Identity Services Engine after performing the above steps.
  • $SPLUNK_HOME denotes the path where Splunk is installed, e.g. /opt/splunk.

UNINSTALL & CLEANUP STEPS

  • Remove $SPLUNK_HOME/etc/apps/TA_cisco_catalyst
  • To reflect the cleanup changes in UI, Restart the Splunk Enterprise instance

BINARY FILE DECLARATION

  • md.cpython-37m-x86_64-linux-gnu.so - This file is generated from nested lib dependency.
  • md__mypyc.cpython-37m-x86_64-linux-gnu.so - This file is generated from nested lib dependency.

SUPPORT

Copyright (c) 2024 Cisco Systems, Inc. All rights reserved.

Release Notes

Version 1.1.2 (March 27, 2025)

  • Removed timestamp parameters from client-health and network-health endpoints for DNA Center.
  • Updated device-health endpoint for DNA Center to collect the data for last 15 minutes.

Version 1.1.1 (Jan. 8, 2025)

  • Fixed indextime extractions for Cisco DNA Center.

Version 1.1.0 (Nov. 15, 2024)

  • Added support for the data collection of Cisco Cyber Vision.

Version 1.0.0 (Sept. 10, 2024)

  • The Add-On supports the data collection for the following products:
    • Cisco Identity Services Engine
    • Cisco Catalyst SD-WAN
    • Cisco Catalyst Center
  • Added support for the additional log sources for Cisco Catalyst SD-WAN:
    • ACL
    • SGACL
    • Audit