
Cisco Networks Add-on


Table of Contents

OVERVIEW

  • About the Cisco Networks Add-on
  • Release notes
  • Support and resources

INSTALLATION AND CONFIGURATION

  • Hardware and software requirements
  • Installation steps
  • Deploy to single server instance
  • Deploy to distributed deployment
  • Deploy to distributed deployment with Search Head Pooling
  • Deploy to distributed deployment with Search Head Clustering
  • Deploy to Splunk Cloud
  • Configure Cisco Networks Add-on

USER GUIDE

  • Data types
  • Lookups

OVERVIEW

About the Cisco Networks Add-on

Author Mikael Bjerkeland
App Version 2.7.4
Vendor Products Cisco Catalyst, ASR, ISR, Nexus, CRS and other IOS based switches, Wireless LAN Controller, ACI
Has index-time operations True
Create an index False
Implements summarization False

The Cisco Networks Add-on allows a Splunk® Enterprise administrator to extract and filter event information from Cisco IOS and WLC devices. The app sets the correct sourcetype and adds fields required for CIM compliance, and must be installed in order for the Cisco Networks App to work.

Scripts and binaries

No scripts or binaries are included.

Release notes

About this release

Version 2.7.4 of the Cisco Networks Add-on is compatible with:

Splunk Enterprise/Cloud versions 9.0+, 8.2, 8.1
CIM 4.*
Platforms Platform independent
Vendor Products Cisco Catalyst, ASR, ISR, Nexus, CRS and other IOS based switches, Wireless LAN Controller, ACI
Lookup file changes Added cisco_ios_aci_fault_codes, removed cisco_ios_apptype

New features

Cisco Networks Add-on includes the following new features:

  • Added extractions for some of the %SESSION_MGR messages
  • Added GigabitEthernet, FastEthernet and Ethernet to the interface name lookup
  • Added samples of %SESSION_MGR for eventgen

Fixed issues

Version 2.7.4 of the Cisco Networks Add-on fixes the following issues:

  • None known

Known issues

Version 2.7.4 of the Cisco Networks Add-on has the following known issues:

  • None known

Third-party software attributions

Version 2.7.4 of the Cisco Networks Add-on incorporates the following third-party software or libraries.

Support and resources

This app is community supported on a best-effort basis. If you need professional support billed by the hour, please contact the author.

INSTALLATION AND CONFIGURATION

Hardware and software requirements

Hardware requirements

Cisco Networks Add-on supports the following server platforms in the versions supported by Splunk Enterprise:

  • Windows 7, 8, and 8.1 (64-bit)
  • Windows Server 2008, 2008 R2, 2012 and 2012 R2 (64-bit)
  • Windows 7, 8, and 8.1 (32-bit)
  • Windows Server 2008 (32-bit)
  • 2.6+ kernel Linux distributions (64-bit)
  • 2.6+ kernel Linux distributions (32-bit)
  • Solaris 10, 11 (64-bit)
  • Solaris 10, 11 (SPARC)
  • OSX 10.8 (Intel)
  • OSX 10.9 (Intel)
  • OSX 10.10 (Intel)
  • FreeBSD 8, and 9 (64-bit)
  • AIX 6.1, 7.1

Software requirements

To function properly, Cisco Networks Add-on requires the following software:

  • Optional: Cisco Networks App, 2.7.1 or higher (for dashboards, etc.)

Splunk Enterprise system requirements

Because this add-on runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

Download

Download the Cisco Networks Add-on at https://apps.splunk.com/app/1467/.

Installation steps

To install and configure this app on your supported platform, follow these steps:

  1. In your Splunk Enterprise web interface, click on App(s) -> Manage Apps
  2. Click on Install app from file
  3. Select the file you downloaded, click Upload, optionally selecting Upgrade app if you are upgrading from an earlier version. Restart Splunk if required.

Deploy to single server instance

Follow these steps to install the app in a single server instance of Splunk Enterprise:

  1. In your Splunk Enterprise web interface, click on App(s) -> Manage Apps
  2. Click on Install app from file
  3. Select the file you downloaded, click Upload, optionally selecting Upgrade app if you are upgrading from an earlier version. Restart Splunk if required.

Deploy to distributed deployment

Install to search head

  1. In your Splunk Enterprise web interface, click on App(s) -> Manage Apps
  2. Click on Install app from file
  3. Select the file you downloaded, click Upload, optionally selecting Upgrade app if you are upgrading from an earlier version. Restart Splunk if required.

Install to indexers

  1. In your Splunk Enterprise web interface, click on App(s) -> Manage Apps
  2. Click on Install app from file
  3. Select the file you downloaded, click Upload, optionally selecting Upgrade app if you are upgrading from an earlier version. Restart Splunk if required.

Install to forwarders

This add-on should not be installed on forwarders unless you are monitoring your logs using a Heavy Forwarder. In that case, install this add-on on your Heavy Forwarder in addition to your indexers and search heads.

Deploy to distributed deployment with Search Head Pooling

Follow the same steps as Install to search head.

Deploy to distributed deployment with Search Head Clustering

Follow the same steps as Install to search head.

Deploy to Splunk Cloud

Follow the same steps as Install to search head.

Configure Cisco Networks Add-on

  1. Install in $SPLUNK_HOME/etc/apps/TA-cisco_ios

  2. Create a UDP input on one of your Splunk servers or a forwarder with sourcetype set to syslog or cisco:ios. A regex match will be performed to rewrite the events to the cisco:ios sourcetype.

  3. Configure your Cisco devices to send their syslog messages to the UDP input created in step 2, with logging level informational.

  4. Restart Splunk.
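
As an added illustration of steps 2 and 3 (example code written for this page, not part of the add-on), the following Python mimics the sourcetype rewrite: an event arriving on a syslog input keeps its sourcetype unless it carries the Cisco IOS-style %FACILITY-SEVERITY-MNEMONIC header, and only events at or below the device's logging level (informational = 6) are expected to arrive. The header regex and the sample lines are assumptions; the add-on's own regex is not shown on this page.

```python
import re

# Simplified header signature shared by Cisco IOS, IOS-XE and NX-OS syslog.
# Assumed for this example; the add-on's real rewrite regex is not on the page.
CISCO_IOS_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity_id>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<message_text>.+)$"
)


def assign_sourcetype(line, input_sourcetype="syslog"):
    """Keep the input's sourcetype unless the event looks like Cisco IOS syslog,
    in which case rewrite it to cisco:ios (what the add-on does at index time)."""
    return "cisco:ios" if CISCO_IOS_RE.search(line) else input_sourcetype


def extract_fields(line):
    """Return facility / severity_id / mnemonic / message_text, or None for non-Cisco lines."""
    m = CISCO_IOS_RE.search(line)
    return m.groupdict() if m else None


def sent_at_logging_level(severity_id, trap_level=6):
    """'logging level informational' (6) means a device forwards severities 0..6 only;
    debugging (7) messages never reach the UDP input."""
    return int(severity_id) <= trap_level


# Constructed sample events for this example (not the add-on's eventgen samples).
SAMPLES = [
    "<189>123: *Mar  1 00:12:34.567: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down",
    "<190>124: *Mar  1 00:12:35.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<38>Mar  1 00:12:36 linuxhost sshd[4242]: Accepted publickey for ops from 10.0.0.9 port 51234",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(assign_sourcetype(line), extract_fields(line))
```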

USER GUIDE

Data types

This app provides search-time knowledge for the following types of data from Cisco IOS variants, NX-OS and WLC:

Search-time

  • cisco:ios - Syslog events from your devices

These data types support the following Common Information Model data models:

Source Type   CIM Data Models
cisco:ios     Change Analysis, Authentication, Network Traffic

Lookups

The Cisco Networks Add-on contains 6 lookup files.

cisco_ios_acl_excluded_ips.csv

Provides a way to filter local IP addresses from ACL logs.

  • File location: lookups/cisco_ios_acl_excluded_ips.csv
  • Lookup fields: src_ip
  • Lookup contents: See the file contents

cisco_ios_actions.csv

Maps a vendor action to a CIM compliant action.

  • File location: lookups/cisco_ios_actions.csv
  • Lookup fields: vendor_action, action
  • Lookup contents: See the file contents

cisco_ios_icmp_code.csv

Provides ICMP code lookups for ACL events. Needed for CIM compliance.

  • File location: lookups/cisco_ios_icmp_code.csv
  • Lookup fields: icmp_code_id, icmp_code, reference
  • Lookup contents: See the file contents

cisco_ios_interface_name.csv

Normalizes interface names in case an event includes the short form interface name, e.g. Gi0/2 instead of GigabitEthernet0/2.

  • File location: lookups/cisco_ios_interface_name.csv
  • Lookup fields: int_prefix, int_prefix_long
  • Lookup contents: See the file contents

cisco_ios_severity.csv

Maps a Cisco severity level to a Splunk compatible CIM severity level as well as mapping severity number identifiers to textual identifiers including descriptions.

  • File location: lookups/cisco_ios_severity.csv
  • Lookup fields: severity_id, severity, severity_name, severity_id_and_name, severity_description
  • Lookup contents: See the file contents

cisco_ios_aci_fault_codes.csv

Maps ACI fault codes to the vendor's explanation and recommended action.

  • File location: lookups/cisco_ios_aci_fault_codes.csv
  • Lookup fields: fault_code, vendor_explanation, vendor_recommended_action
  • Lookup contents: See the file contents
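
The following Python, added here as an example and not taken from the add-on, shows how the cisco_ios_interface_name and cisco_ios_severity lookups are applied to an already-extracted event: the short interface prefix is expanded (Gi0/2 to GigabitEthernet0/2) and the Cisco severity number is joined with its name. Only the column names come from the README; the CSV rows, the severity_id_and_name format and the event dict are assumptions for this example.

```python
import csv
import io

# Constructed stand-ins for lookups/cisco_ios_interface_name.csv and
# lookups/cisco_ios_severity.csv: column names from the README, rows assumed.
# Long forms map to themselves so already-normalized names pass through unchanged.
INTERFACE_NAME_CSV = """int_prefix,int_prefix_long
Gi,GigabitEthernet
GigabitEthernet,GigabitEthernet
Fa,FastEthernet
FastEthernet,FastEthernet
Te,TenGigabitEthernet
Eth,Ethernet
Ethernet,Ethernet
Po,Port-channel
"""

SEVERITY_CSV = """severity_id,severity_name
0,emergencies
1,alerts
2,critical
3,errors
4,warnings
5,notifications
6,informational
7,debugging
"""


def load_lookup(text, key_field):
    """Read a CSV lookup into {key: row}, the way Splunk's CSV lookup matches on one field."""
    return {row[key_field]: row for row in csv.DictReader(io.StringIO(text))}


INTERFACE_NAMES = load_lookup(INTERFACE_NAME_CSV, "int_prefix")
SEVERITIES = load_lookup(SEVERITY_CSV, "severity_id")


def normalize_interface(name):
    """Expand a short interface name such as Gi0/2 to GigabitEthernet0/2.
    Only the alphabetic prefix is looked up; unknown prefixes (Vlan10, Loopback0) stay as-is."""
    i = 0
    while i < len(name) and name[i].isalpha():
        i += 1
    row = INTERFACE_NAMES.get(name[:i])
    return row["int_prefix_long"] + name[i:] if row else name


def enrich(event):
    """Apply both lookups to an extracted event dict (field names as in the README)."""
    out = dict(event)
    if "src_int" in out:
        out["src_interface"] = normalize_interface(out["src_int"])
    sev = SEVERITIES.get(str(out.get("severity_id", "")))
    if sev:
        out["severity_name"] = sev["severity_name"]
        out["severity_id_and_name"] = f"{out['severity_id']}-{sev['severity_name']}"  # assumed format
    return out
```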


ta-cisco_ios's Issues

TRUSTSEC stuff

  1. Nexus:
    • cts role-based counters enable
    • %$ VDC-1 %$ %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE permit all log, Threshold exceeded: Hit count in 10s period = 4
  2. CXK:
    • *Jun 2 08:58:06.489: %C4K_IOSINTF-6-SGACLHIT: list deny_udp_src_port_log-30 Denied udp 24.0.0.23(100) -> 28.0.0.91(100), SGT8 DGT 12
    • cts sxp log binding-changes ! Turns on logging for IP to SGT binding changes.
    • epm logging

src_interface Field Alias Not Working

Using version 2.5.4 of the app and TA on a Splunk 7.2.0 distributed deployment.

I've found the src_interface field alias is not being populated from src_int.

props.conf
FIELDALIAS-cisco_ios-interface = src_int AS src_interface, dest_int AS dest_interface, interface AS dest_interface, cdp_local_interface AS src_interface, cdp_remote_interface AS dest_interface

Search query from port flapping dashboard widget:
eventtype="cisco_ios-port_down" OR eventtype="cisco_ios-port_up" product IN (IOS) index IN (*) | stats count, latest(port_status) AS port_status, latest(src_interface_description) AS description BY host,src_interface | sort -count | table host,src_interface,port_status,description,count

Also, I've noticed the vendor_message_text field is not being populated either.

Search query from diagnostics dashboard widget:
eventtype="cisco_ios-diag" product IN (IOS) index IN (*) | eval eventcode=facility + "-" + severity_id + "-" + mnemonic | stats count AS Count, latest(_time) AS _time, latest(severity_id) AS severity_id by host, eventcode, vendor_message_text | lookup cisco_ios_severity severity_id | sort +severity_id,-Count | table _time, host, eventcode, vendor_message_text, severity_id_and_name, Count

DoD, WoW, MoM, YoY comparisons

Add the possibility to compare, e.g., mnemonics over time:

| tstats summariesonly=t count from datamodel=Cisco_IOS_Event WHERE earliest=-2w@w latest=@w groupby Cisco_IOS_Event.mnemonic _time | eval marker=if (_time<relative_time(now(),"-w@w"), "last week","this week") | rename Cisco_IOS_Event.mnemonic AS mnemonic | chart sum(count) OVER mnemonic by marker | lookup cisco_ios_messages mnemonic OUTPUT severity_id | fillnull value="0" "this week" "last week" | eval diffPercent = ('last week' - 'this week') / abs('last week') * if('this week' != "0", 100, 0) | fillnull value="FIRST SEEN IN LATEST PERIOD" diffPercent | table mnemonic "last week" "this week" severity_id diffPercent

Add a delta/percentage change field (borrow from ES SA-Utils?). The one above is off.

SEC_LOGIN events do not map correctly

SEC_LOGIN events do not map correctly, showing as the timezone of the device, such as EDT. Appears to be caused when also using the Cisco Security Suite app on the same Splunk indexer.

Potential conflict on the props or transform files?

BGP logs not properly parsed

Hello,
I noticed that BGP logs from NX-OS are not properly parsed.
I have added this REGEX in props.conf to match these events:

EXTRACT-cisco_nxos-BGP-5-ADJCHANGE = ADJCHANGE(\s)?:\s+bgp-(?<as_number>\d+)\s\[(?<process_id>\d+)\]\s(\((?<vrf>\S+)\)\s)?neighbor\s(?<neighbor>\S+)\s(?<state_to>Up|Down)(\s(-\s)?(?<reason>.+))?
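
To check an EXTRACT regex like the one above outside Splunk, the following Python (an added example, not code from the issue author or the add-on) runs it against constructed NX-OS lines. Splunk uses PCRE named groups, (?<name>...), which Python's re module spells (?P<name>...), so the pattern is converted before compiling; the sample lines are assumptions, not captured device output.

```python
import re

# The EXTRACT regex exactly as posted in the issue, split only for readability.
SPLUNK_REGEX = (
    r"ADJCHANGE(\s)?:\s+bgp-(?<as_number>\d+)\s\[(?<process_id>\d+)\]\s"
    r"(\((?<vrf>\S+)\)\s)?neighbor\s(?<neighbor>\S+)\s(?<state_to>Up|Down)"
    r"(\s(-\s)?(?<reason>.+))?"
)


def pcre_to_python(pattern):
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).
    Lookbehinds (?<= and (?<! are untouched because '=' and '!' are not word characters."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


ADJCHANGE_RE = re.compile(pcre_to_python(SPLUNK_REGEX))


def extract_adjchange(line):
    """Return the named fields for a BGP-5-ADJCHANGE event, or None if the regex does not match."""
    m = ADJCHANGE_RE.search(line)
    return m.groupdict() if m else None


# Constructed NX-OS style sample lines for this example (not from a real device).
SAMPLES = [
    "2023 Mar 12 10:15:01 nxos-core1 %BGP-5-ADJCHANGE: bgp-65001 [12345] (default) "
    "neighbor 10.0.0.2 Down - Peer closed the session",
    "2023 Mar 12 10:16:40 nxos-core1 %BGP-5-ADJCHANGE: bgp-65001 [12345] neighbor 10.0.0.3 Up",
    "2023 Mar 12 10:17:02 nxos-core1 %BGP-3-NOTIFICATION: received from neighbor 10.0.0.4 6/6 (Cease)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(extract_adjchange(line))
```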

TODO

  1. %IOS_RESILIENCE-5-NON_CONSOLE_ACCESS: Non console configuration request denied for command "no secure boot-config "
    • Add to diag eventtype
  2. Facility PIXM doesn't match because of PIX exclusion. We only want to exclude PIX, not PIXM.
  3. TRUSTSEC stuff:
    • Nexus:
      • cts role-based counters enable
      • %$ VDC-1 %$ %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE permit all log, Threshold exceeded: Hit count in 10s period = 4
    • CXK:
      • *Jun 2 08:58:06.489: %C4K_IOSINTF-6-SGACLHIT: list deny_udp_src_port_log-30 Denied udp 24.0.0.23(100) -> 28.0.0.91(100), SGT8 DGT 12
      • cts sxp log binding-changes ! Turns on logging for IP to SGT binding changes.
      • epm logging

ACL field extractions not working properly

Splunk 7.2.0 and TA-cisco_ios 2.5.4 on single instance.

When querying ACL data, it doesn't properly extract src_ip, src_port, dest_ip, dest_port.

Tried the field extraction for acl in transforms.conf against the supplied sample data at https://regexr.com and it seems to get lost after processing the first statements up until src_ip.

Cisco XE devices not being extracted.

Changing the following in props.conf for cisco:ios:

REPORT-cisco_ios-general = extract_cisco_ios-general, extract_cisco_ios-general-xr, extract_cisco_ios-general-xe, extract_cisco_ios-general-wlc, extract_cisco_ios-general-rfc5424

Then adding to transforms.conf:
[extract_cisco_ios-general-xe]
REGEX = ((?<reported_hostname>\S+)\s)?(?<event_id>\d+):\s(?<event_id2>\d+):\s(?<reliable_time>[.*])?(?<device_time>.+):\s%(?IOSXE)-6-(?PLATFORM):(?<proccess_name>\S+): QFP:(?\d+.\d+) Thread:(?\d+) TS:(?\d+) %(?[A-Z0-9_]+)-((?[A-Z0-2_](-?[A-Z][^-]))-?)?(?<severity_id>[0-7])-(?[A-Z0-9]+):\s(?<message_text>.+)

Basic field extractions are being done as expected. Deeper extractions still need to be done.

Trigger Alerts CIM on DHCP SNOOPING, IP_SOURCE_GUARD and ARP Inspection

When we get these, evaluate whether we should trigger an alert.

%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT (x1): [char] drop message
on untrusted port message type: [char] MAC sa: [mac-addr]

Explanation: The DHCP snooping feature discovered certain types of DHCP messages
not allowed on the untrusted interface, indicating some host may be trying to act
as a DHCP server. The packet will be dropped.

Recommended Action: This is an informational message only. No action is required.

Also for:

"IP_SOURCE_GUARD","4","DENY_INVALID_PACKET","Detected and dropped illegal traffic on port [char] and vlan [dec] the non-cumulative packet dropped count is [dec].","IP Source Guard only permits traffic wi
