Installation

Step 1: App installation

  1. Install the Cisco Networks (cisco_ios) App on your search head
  2. Install the Cisco Networks Add-on (TA-cisco_ios) on your search head AND indexers/heavy forwarders
  3. Syslog input: enable a UDP input on a custom port on your Splunk forwarder or indexer and set its sourcetype to cisco:ios or syslog. The port must match the one you give in the devices' logging host command below, and a port below 1024 requires Splunk to run with the privilege to bind it.
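Before touching any switch, it is worth confirming the UDP input from step 3 actually receives data. The script below is an added example, not part of the Cisco Networks app or add-on: it builds a constructed IOS-style syslog datagram (PRI, zero-padded sequence number, timestamp with milliseconds, year and timezone, then the %FACILITY-SEVERITY-MNEMONIC code) and fires it at the input. SPLUNK_HOST, SPLUNK_PORT and the message text are assumptions to replace with your forwarder address and custom port.

```python
"""Send a constructed Cisco IOS-style syslog message to the Splunk UDP input.

Added example for checking the input from step 3; it is not part of the
Cisco Networks app. Host, port and message content are assumptions.
"""
import socket
import time

SPLUNK_HOST = "127.0.0.1"  # assumption: your forwarder or indexer address
SPLUNK_PORT = 5514         # assumption: the custom UDP port chosen in step 3


def build_pri(facility: int, severity: int) -> int:
    """RFC 3164 PRI field: facility * 8 + severity. IOS defaults to local7 (23)."""
    return facility * 8 + severity


def build_test_message(seq: int,
                       mnemonic: str = "SYS-5-CONFIG_I",
                       text: str = "Configured from console by admin on vty0 (192.0.2.10)",
                       facility: int = 23) -> bytes:
    """Mimic a line from a device running 'service sequence-numbers' and
    'service timestamps log datetime msec localtime show-timezone year':
      <189>000042: Mar 01 2024 12:34:56.789 UTC: %SYS-5-CONFIG_I: ...
    The severity is the middle field of the FACILITY-SEVERITY-MNEMONIC code.
    (strftime zero-pads the day where IOS space-pads it; a simplification.)"""
    severity = int(mnemonic.split("-", 2)[1])
    now = time.time()
    stamp = time.strftime("%b %d %Y %H:%M:%S", time.gmtime(now))
    msec = int((now % 1) * 1000)
    line = (f"<{build_pri(facility, severity)}>{seq:06d}: "
            f"{stamp}.{msec:03d} UTC: %{mnemonic}: {text}")
    return line.encode("ascii")


def send_test_message(host: str = SPLUNK_HOST, port: int = SPLUNK_PORT, seq: int = 1) -> int:
    """Fire one datagram at the input. UDP gives no acknowledgement, so confirm
    arrival in Splunk with a search such as: index=* sourcetype=cisco:ios CONFIG_I"""
    payload = build_test_message(seq)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


if __name__ == "__main__":
    sent = send_test_message()
    print(f"sent {sent} bytes to {SPLUNK_HOST}:{SPLUNK_PORT}; now check Splunk")
```

If the search finds nothing, check in this order: the input is enabled and bound to the right port, host firewalls allow the UDP port, and the sourcetype on the input is the one the add-on expects.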

Step 2: Configure your Cisco devices

Cisco IOS

This covers all IOS variants; not every command is supported on every model.

Basic logging and timestamping

service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service sequence-numbers
logging trap informational
logging host [YOUR SYSLOG/SPLUNK SERVER IP] transport udp port [YOUR UDP PORT]
      

Enable change auditing

archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
!
login on-failure log
login on-success log
logging userinfo
!
ip ssh logging events
      

Monitor interface changes

General
logging event trunk-status global
logging event link-status global
	
Interface level
logging event trunk-status
logging event spanning-tree
logging event status
        

MAC move notifications, STP logging, IP SLA logging etc.

mac address-table notification mac-move
spanning-tree logging
ip sla logging traps
ip dhcp limit lease log
ip dhcp conflict logging
ip nat log translations syslog
xconnect logging pseudowire status
ntp logging
epm logging
      

For DHCP pool utilization logging, add the following under each ip dhcp pool; it logs a message when the pool passes 80% of its addresses leased

utilization mark high 80 log
      

For ARP threshold logging, add the following on your SVIs and routed interfaces; it logs a message when the interface's ARP table exceeds 2048 entries

arp log threshold entries 2048
      

TrustSec

If you are using Cisco TrustSec, add the following

cts sxp log binding-changes
cts logging verbose
      

ACL logging

General

ACL logging is per entry: add the log or log-input keyword to each access-list entry you want logged. log-input additionally records the ingress interface and source MAC address, which is what you want for tracing spoofed sources.

Access list correlation tags (adds a hash to each ACL log message so it can be matched back to the entry that produced it)
ip access-list logging hash-generation
      

CPU and Memory Utilization logging

These generate CPU and memory notifications: a CPU notification when total utilization rises above 80% measured over a 5 second interval, and a memory notification when free processor or I/O memory drops below 20000 KB.

process cpu threshold type total rising 80 interval 5
memory free low-watermark processor 20000
memory free low-watermark io 20000
      

NX-OS

This covers all NX-OS variants; not every command is supported on every model.

Basic logging and timestamping

logging logfile messages 6
logging server [YOUR SYSLOG/SPLUNK SERVER IP] 6 use-vrf [YOUR MGMT VRF]
logging timestamp milliseconds
logging monitor 6
no logging rate-limit
      

Enable change auditing

The archive/config-change logging feature shown for IOS above is not supported on the NX-OS platform.

Monitor interface changes

General
logging message interface type ethernet description
logging event link-status default
logging event trunk-status default
        
Interface level
logging event port link-status
logging event port trunk-status
        

MAC move notifications, STP logging, IP SLA logging etc.

mac address-table notification mac-move
ntp logging
      

ACL logging

General

Remember to add the log keyword to each ACL entry you want logged. NX-OS ACLs do not have the IOS log-input keyword.

NX-OS ACL logging
logging level acllog 6
acllog match-log-level 6
logging logfile messages 6
      

Troubleshooting

Not seeing authentication results?

Wired 802.1X (DOT1X) authentication results are logged at severity 7 (debugging), so a device configured with logging trap informational never forwards them. To receive them, configure logging trap debugging on the device. Take extra care in real debugging sessions: with the trap level at debugging, the output of debug all is also forwarded and will cause a huge increase in events sent to your Splunk servers.
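The script below is an added example, not code from the app, and serves two passages: the IOS "Basic logging and timestamping" settings above and this troubleshooting note. It parses lines shaped like the output of those settings and shows what each option contributes (the sequence number, the NTP-sync flag in front of the timestamp, and the year and timezone without which the message time cannot be recovered), then lists which of the samples a device set to logging trap informational would forward compared with logging trap debugging. The four sample lines, their addresses and the AuditSessionID value are constructed, modelled on IOS message formats and not captured from a device.

```python
"""Parse Cisco IOS syslog lines and show what the logging settings change.

Added example, not part of the Cisco Networks app. The four sample lines are
constructed to look like output from the 'service timestamps ... msec localtime
show-timezone year' and 'service sequence-numbers' settings; none are captured
from a real device.
"""
import re
from datetime import datetime, timezone

# Wire format: <PRI>[count: ][seq: ][*|.]TIMESTAMP[ TZ]: %FACILITY-SEV-MNEMONIC: text
#   '*' before the timestamp: clock never NTP-synchronised; '.': sync was lost.
IOS_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                          # PRI, present on the wire only
    r"(?P<prefix>(?:\d+: )*)"                             # message count and/or sequence number
    r"(?P<clock>[*.])?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?: (?P<tz>[A-Za-z]+))?: "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

SAMPLE_LINES = [  # constructed samples, not real captures
    "<189>42: 000042: *Mar  1 2024 12:34:56.789 UTC: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0 (192.0.2.10)",
    "<188>43: 000043: Mar  1 2024 12:35:01.002 UTC: %SEC_LOGIN-4-LOGIN_FAILED: "
    "Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] "
    "[Reason: Login Authentication Failed] at 12:35:01 UTC Fri Mar 1 2024",
    "<191>44: 000044: Mar  1 2024 12:35:10.500 UTC: %AUTHMGR-7-RESULT: "
    "Authentication result 'success' from 'dot1x' for client (0011.2233.4455) "
    "on Interface Gi1/0/7 AuditSessionID 0A00000100000005000A1B2C",
    # same device without 'year' and 'show-timezone': the receiver must guess both
    "<189>45: *Mar  1 12:36:00.123: %LINEPROTO-5-UPDOWN: Line protocol on "
    "Interface GigabitEthernet1/0/7, changed state to down",
]


def parse_ios_line(line):
    """Return the message fields as a dict, or None if the line is not IOS-shaped."""
    m = IOS_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])
    # PRI carries the severity too (pri % 8); a mismatch means a relay rewrote it
    ev["pri_severity"] = int(ev["pri"]) % 8 if ev["pri"] else None
    numbers = ev.pop("prefix").split(": ")[:-1]
    ev["seq"] = int(numbers[-1]) if numbers else None   # last numeric prefix
    ev["ntp_synced"] = ev.pop("clock") is None
    return ev


def parse_timestamp(ev):
    """Absolute time is only recoverable if the device sends the year (and UTC
    or a timezone name); otherwise return None rather than guess."""
    for fmt in ("%b %d %Y %H:%M:%S.%f", "%b %d %Y %H:%M:%S"):
        try:
            dt = datetime.strptime(ev["ts"], fmt)
        except ValueError:
            continue
        return dt.replace(tzinfo=timezone.utc) if ev["tz"] == "UTC" else dt
    return None


def forwarded_at_trap_level(lines, trap_level=6):
    """Mnemonics a device with 'logging trap <trap_level>' actually sends:
    only messages at that severity or more severe (a lower number)."""
    events = (parse_ios_line(line) for line in lines)
    return [ev["mnemonic"] for ev in events if ev and ev["severity"] <= trap_level]


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        ev = parse_ios_line(sample)
        print(f"{ev['seq']:>6} sev={ev['severity']} ntp={ev['ntp_synced']} "
              f"time={parse_timestamp(ev)} {ev['facility']}-{ev['mnemonic']}")
    print("trap informational:", forwarded_at_trap_level(SAMPLE_LINES, 6))
    print("trap debugging:    ", forwarded_at_trap_level(SAMPLE_LINES, 7))
```

The last sample is the one to look at: without year and show-timezone the line still parses, but no receiver can turn "Mar  1 12:36:00.123" into an absolute time, and the leading asterisk says the device clock was never NTP-synchronised, so even the time it does carry is not trustworthy. The AUTHMGR-7-RESULT sample only appears in the trap debugging list, which is the behaviour this note describes.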

Not seeing Route Monitoring results?

To report route changes via syslog, configure the following EEM applet on your routers. It uses the EEM routing event detector; the 0.0.0.0/0 ge 1 match fires on a change to any prefix of length 1 or more, and each change is logged with its type, prefix, protocol, gateway and interface:

event manager applet route-table-monitor
  event routing network 0.0.0.0/0 ge 1
  action 0.5 set msg "Route changed: Type: $_routing_type, Network: $_routing_network, Mask/Prefix: $_routing_mask, Protocol: $_routing_protocol, GW: $_routing_lastgateway, Intf: $_routing_lastinterface"
  action 1.0 syslog msg "$msg"
      

About this App

This App and the Cisco Networks Add-on were created by Mikael Bjerkeland (mikael@bjerkeland.com). Commercial support is available by contacting the author.
Community support is available at Splunkbase.