Detailed Usage Instructions for Cisco LCS Plug-In for Splunk

This add-on provides a modular input for Splunk, enabling the collection of various operational insights data from Cisco's Business Critical Services (BCS) API. It allows users to ingest detailed information about their Cisco assets, devices, configurations, security advisories, and more directly into Splunk for centralized monitoring, analysis, and reporting.

1. Prerequisites

Before installing and configuring this add-on, ensure you meet the following requirements:

• Cisco Advanced Services Contract: This add-on is designed for customers who have an active Cisco Advanced Services contract and access to the associated APIs.
• Cisco API Credentials: You must obtain a Client ID and Client Secret from Cisco's API Console portal. These credentials are required to authenticate with the Cisco BCS API. Please refer to Cisco's documentation on how to register an application and obtain these credentials.
• Splunk Environment: A running instance of Splunk Enterprise (version 8.x or higher recommended) or Splunk Cloud.
• Network Connectivity: Your Splunk instance must have outbound network access to https://api-cx.cisco.com. If you use a proxy, ensure your Splunk environment is configured to use it.

2. Installation

1. Download the Add-on: Obtain the TA-lcs-plug-in.tgz (or similar) file from Splunkbase.
2. Install in Splunk:
   • Log in to your Splunk Web interface.
   • Navigate to Apps > Manage Apps.
   • Click Install app from file.
   • Click Choose File and select the downloaded .tgz file.
   • Click Upload.
   • If prompted, restart Splunk for the changes to take effect.

3. Configuration

After installation, you need to configure a new data input to start collecting data.

1. Navigate to Data Inputs:

   • In Splunk Web, go to Settings > Data Inputs.
   • Locate LCS Plug-in (or the name TA-lcs-plug-in if displayed directly) under the list of available modular inputs.
   • Click Add New.

2. Configure Input Parameters:

   • Name: Provide a unique and descriptive name for this input (e.g., cisco_bcs_data_collection).
   • Client ID: Enter the Client ID you obtained from Cisco's API Console portal.
   • Client Secret: Enter the Client Secret you obtained from Cisco's API Console portal.
   • Interval: Specify how often the add-on should fetch data from the Cisco API, in seconds. A common value is 604800 (for weekly collection). Be mindful of API rate limits when setting this interval.

3. Save: Click Add to save your input configuration.

The add-on will now attempt to authenticate with the Cisco BCS API using your provided credentials and begin collecting data at the specified interval.

4. Data Collected

This add-on retrieves data from various Cisco BCS API endpoints and indexes it into Splunk with specific sourcetypes. The following data categories are collected:

• Inventory:
  • cisco:bcs:asset (Assets)
  • cisco:bcs:device (Devices)
  • cisco:bcs:devicegroup (Device Groups)
  • cisco:bcs:devicegroupmember (Device Group Members)
  • cisco:bcs:contractserial (Contract Serials)
  • cisco:bcs:collector (Collectors)
• Configuration Best Practices:
  • cisco:bcs:configbestpracticedetail (Details)
  • cisco:bcs:configbestpracticerule (Rules)
  • cisco:bcs:configbestpracticerulereference (Rule References)
  • cisco:bcs:configbestpracticesummary (Summary)
• Product Alerts:
  • cisco:bcs:fieldnotice (Field Notices)
  • cisco:bcs:fieldnoticebulletin (Field Notice Bulletins)
  • cisco:bcs:hardwareendoflife (Hardware End-of-Life)
  • cisco:bcs:hardwareendoflifebulletin (Hardware End-of-Life Bulletins)
  • cisco:bcs:securityadvisory (Security Advisories)
  • cisco:bcs:securityadvisorybulletin (Security Advisory Bulletins)
  • cisco:bcs:softwareadvisoryalert (Software Advisory Alerts)
  • cisco:bcs:softwareendoflife (Software End-of-Life)
  • cisco:bcs:softwareendoflifebulletin (Software End-of-Life Bulletins)
• Device Reset:
  • cisco:bcs:lastresetdetails (Last Reset Details)
  • cisco:bcs:resetcount (Reset Count)
  • cisco:bcs:resethistory (Reset History)
• Risk Mitigation:
  • cisco:bcs:riskmitigationdetails (Details)
  • cisco:bcs:riskmitigationsummary (Summary)
• Software Track:
  • cisco:bcs:softwaretrackmember (Members)
  • cisco:bcs:softwaretracksoftwaremaintenanceupgradecompliance (SMU Compliance)
  • cisco:bcs:softwaretracksoftwaremaintenanceupgraderecommendation (SMU Recommendations)
  • cisco:bcs:softwaretracksummary (Summary)
• Unidentified Inventory:
  • cisco:bcs:uirdetails (UIR Details)
  • cisco:bcs:uirsummary (UIR Summary)
• Place In Network:
  • cisco:bcs:pindetails (PIN Details)

All collected data will be indexed into the default index configured for your Splunk input, or a specific index if you override it in the input configuration.

5. Important Notes & Troubleshooting

• Cisco API Server: The API server URL (https://api-cx.cisco.com) is hardcoded within the add-on.
• API Rate Limiting: The add-on includes built-in rate limiting (10 calls per second, 10,000 calls per day) to comply with typical Cisco API usage policies. If the daily limit is reached, the add-on will log an error and stop collecting data until the next day.
• No Incremental Fetching: Currently, the add-on fetches all available data for each configured endpoint during every collection interval. Future versions may include incremental fetching.
• Logging: Check the Splunk internal logs (_internal index) for messages from the TA_lcs_plug_in source for any errors or warnings during data collection.
• Authentication Errors: If you encounter Failed to obtain JSON Web Token (JWT) errors, double-check your Client ID and Client Secret for accuracy.
• Network Issues: Ensure your Splunk instance can reach api-cx.cisco.com. Check firewall rules, proxy settings, and DNS resolution.
• Cisco EULA Compliance: This add-on facilitates data collection from Cisco APIs. Users are responsible for ensuring their use of the Cisco APIs and the data collected complies with their Cisco End User License Agreement (EULA) and any specific API terms of service.
• Support: This is a community-contributed add-on. For issues specifically related to the add-on's functionality, please refer to the Splunk Community or any provided GitHub repository for support. For issues with your Cisco API credentials or access to the Cisco BCS API, please contact Cisco Support.