admingit
/
Splunk_deploy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
Splunk_deploy/deployment-apps/cisco_ios/default/data/ui/views/help.xml

166 lines
5.8 KiB
Raw Permalink Blame History

<dashboard version="1.1">
<label>Help</label>
<row>
<panel>
<html>
<section>
<h1>Installation</h1>
<h2>Step 1: App installation</h2>
<ol>
<li>Install the Cisco Networks (cisco_ios) App on your search head</li>
<li>Install the Cisco Networks Add-on (TA-cisco_ios) on your search head AND indexers/heavy forwarders</li>
<li>Syslog input: Enable a UDP input with a custom port number on your Splunk forwarder or Splunk indexer. Set the sourcetype to <b>cisco:ios</b> or <b>syslog</b></li>
</ol>
</section>
<section>
<h2>Step 2: Configure your Cisco devices</h2>
<h3>Cisco IOS</h3>
<p>This includes all IOS variants. Not all commands are supported on all models</p>
<h4>Basic logging and timestamping</h4>
<pre>
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service sequence-numbers
logging trap informational
logging host [YOUR SYSLOG/SPLUNK SERVER IP] transport udp port [YOUR UDP PORT]
</pre>
<h4>Enable change auditing</h4>
<pre>
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
!
login on-failure log
login on-success log
logging userinfo
!
ip ssh logging events
</pre>
<h4>Monitor interface changes</h4>
<h5>General</h5>
<pre>
logging event trunk-status global
logging event link-status global
</pre>
<h5>Interface level</h5>
<pre>
logging event trunk-status
logging event spanning-tree
logging event status
</pre>
<h4>MAC move notifications, STP logging, IP SLA logging etc.</h4>
<pre>
mac address-table notification mac-move
spanning-tree logging
ip sla logging traps
ip dhcp limit lease log
ip dhcp conflict logging
ip nat log translations syslog
xconnect logging pseudowire status
ntp logging
epm logging
</pre>
<h4>For DHCP utilization logging on your devices, do this for each pool</h4>
<pre>
utilization mark high 80 log
</pre>
<h4>For ARP threshold logging, do this on your SVIs and IP interfaces</h4>
<pre>
arp log threshold entries 2048
</pre>
<h4>TrustSec</h4>
<p>If you are using Cisco TrustSec, add the following</p>
<pre>
cts sxp log binding-changes
cts logging verbose
</pre>
<h4>ACL logging</h4>
<h5>General</h5>
<p>Remember to add the <b>log</b> or <b>log-input</b> keyword to your access list entries if you want to enable access list logging</p>
<h5>Access list correlation tags</h5>
<pre>
ip access-list logging hash-generation
</pre>
<h4>CPU and Memory Utilization logging</h4>
<p>This generates CPU and memory notifications. CPU notifications if the CPU has been over 80% for more than 5 seconds. Memory if there is less than 20000KB.</p>
<pre>
process cpu threshold type total rising 80 interval 5
memory free low-watermark processor 20000
memory free low-watermark io 20000
</pre>
<h3>NX-OS</h3>
<p>This includes all NX-OS variants. Not all commands are supported on all models</p>
<h4>Basic logging and timestamping</h4>
<pre>
logging logfile messages 6
logging server [YOUR SYSLOG/SPLUNK SERVER IP] 6 use-vrf [YOUR MGMT VRF]
logging timestamp milliseconds
logging monitor 6
no logging rate-limit
</pre>
<h4>Enable change auditing</h4>
<p>This feature is not supported on the NX-OS platform</p>
<h4>Monitor interface changes</h4>
<h5>General</h5>
<pre>
logging message interface type ethernet description
logging event link-status default
logging event trunk-status default
</pre>
<h5>Interface level</h5>
<pre>
logging event port link-status
logging event port trunk-status
</pre>
<h4>MAC move notifications, STP logging, IP SLA logging etc.</h4>
<pre>
mac address-table notification mac-move
ntp logging
</pre>
<h4>ACL logging</h4>
<h5>General</h5>
<p>Remember to add the <b>log</b> or <b>log-input</b> keyword to your access list entries if you want to enable access list logging</p>
<h5>NX-OS ACL logging</h5>
<pre>
logging level acllog 6
acllog match-log-level 6
logging logfile messages 6
</pre>
</section>
</html>
</panel>
<panel>
<html>
<section>
<h1>Troubleshooting</h1>
</section>
<section>
<h2>Not seeing authentication results?</h2>
<p>Results from wired 802.1x (DOT1X) authentications are sent with severity "level 7 - debugging".
To correct this configure logging trap debugging on your device. Take extra precautions in actual debugging situations
as "debug all" will result in a huge increase in events forwarded to your Splunk servers.
</p>
</section>
<section>
<h2>Not seeing Route Monitoring results?</h2>
<p>In order to monitor Route Changes via Syslog, the following EEM applet must be configured on your routers:</p>
<pre>
event manager applet route-table-monitor
event routing network 0.0.0.0/0 ge 1
action 0.5 set msg "Route changed: Type: $_routing_type, Network: $_routing_network, Mask/Prefix: $_routing_mask, Protocol: $_routing_protocol, GW: $_routing_lastgateway, Intf: $_routing_lastinterface"
action 1.0 syslog msg "$msg"
</pre>
</section>
<section>
<h1>About this App</h1>
<p>This App and the Cisco Networks Add-on was created by Mikael Bjerkeland (mikael@bjerkeland.com). Commercial support is available by contacting the author.<br/>Community support is available at <a href="https://answers.splunk.com/app/questions/1352.html">Splunkbase</a>.
</p>
</section>
</html>
</panel>
</row>
</dashboard>
Reference in new issue View Git Blame Copy Permalink