Friday, May 1, 2020

Configuring Splunk Enterprise for Cisco Networks Add-on (Syslog)

There are free online courses on the Splunk website, and I took the Free Splunk Fundamentals course.


You can download and install a free trial of Splunk Enterprise in order to perform the lab exercises. Go to splunk.com > click Free Splunk.


Login or create a free Splunk account.


Select Splunk Enterprise > click Download Free 60-Day Trial.


Under Windows tab > select 64-bit Windows 10 > click Download Now.


Select the check boxes for the End User License Agreement (EULA) > click Start Your Download Now.


Click Save File.


Select Check this box to accept the License Agreement > click Next.


Create an administrator account.


You can optionally create a Desktop shortcut > click Install.


Click Yes to continue (run as admin).


Click Finish.


Splunk will be launched in a web browser. Login using the account created earlier.


A pop up message will appear > click Got it to continue.


Another pop up message will appear > click Don't show me this again to continue.


This is the Splunk Enterprise home page; you can return to it at any time by clicking splunk>enterprise in the upper left.


Create a new user with the power role under Settings > USERS AND AUTHENTICATION > Users.


Click New User.


Type the Name (username) > optional Full Name > optional Email address > Set password (type twice to Confirm password) > select Time Zone: GMT+8:00.


Click user under the Selected item(s) column to remove it, then click power to move it under the Selected item(s) column > uncheck Require password change on first login > click Save.



To configure Splunk Enterprise as a syslog server that listens on UDP port 514, click Find More Apps.


Type/search: cisco


Look for Cisco Networks Add-on for Splunk Enterprise > click Install.


Login to your account > click to accept the license agreement > click Login and Install.


A restart is required > click Restart Now.


The restart process takes a few minutes.


Click OK and re-login to Splunk Enterprise.


Go to Settings > Data > Data inputs.


Under UDP > click Add new.



Leave UDP selected > type Port: 514 > leave the other fields blank > click Next.


Under Select Source Type > type/search: cisco > select cisco:ios > leave the other settings at their defaults > click Review.



Review the summary settings > click Submit.


Click Start Searching.


I configured the Cisco devices in my lab to send Syslogs to Splunk Enterprise running on my Windows 10 machine (192.168.1.100).


CSRv#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
CSRv(config)#logging trap informational
CSRv(config)#logging origin-id hostname
CSRv(config)#logging host 192.168.1.100
CSRv(config)#end

CSRv#ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

CSRv#show logging
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level debugging, 132 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 146 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 141 message lines logged
        Logging to 192.168.1.100  (udp port 514, audit disabled,
              link up),
              2 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled
        Logging Source-Interface:       VRF Name:

Log Buffer (4096 bytes):

Apr 26 03:16:08.106: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.100 port 0 CLI Request Triggered
Apr 26 03:16:09.106: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.100 port 514 started - CLI initiated
Apr 26 03:16:09.486: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (192.168.1.100)


SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#logging trap informational
SW1(config)#logging host 192.168.1.100
SW1(config)#end

SW1#ping 192.168.1.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

SW1#show logging
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 35 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 35 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Trap logging: level informational, 38 message lines logged
        Logging to 192.168.1.100, 1 message lines logged, xml disabled,
               filtering disabled
         
Log Buffer (4096 bytes):

Apr 26 03:17:29.553: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.100)


LAB-ASA5515x# configure terminal
LAB-ASA5515x(config)# logging enable
LAB-ASA5515x(config)# logging trap informational
LAB-ASA5515x(config)# logging device-id hostname
LAB-ASA5515x(config)# logging host inside 192.168.1.100
LAB-ASA5515x(config)# end

LAB-ASA5515x# ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

LAB-ASA5515x# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Hide Username logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level informational, facility 20, 35180 messages logged
        Logging to inside 192.168.1.100, UDP TX:5
    Global TCP syslog stats::
        NOT_PUTABLE: 0, ALL_CHANNEL_DOWN: 0
        CHANNEL_FLAP_CNT: 0, SYSLOG_PKT_LOSS: 0
        PARTIAL_REWRITE_CNT: 0
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: hostname "LAB-ASA5515x"
    Mail logging: disabled
    ASDM logging: disabled


Click Time Range: Last 15 minutes > click search (magnifying glass icon).


I initially didn't get any Syslog message, so I had to permit the port/application in my personal firewall.


Click List drop-down option > select Raw.


Notice that the hostnames CSRv (192.168.1.140) and LAB-ASA5515x (192.168.1.1) were displayed because they were explicitly configured (logging origin-id hostname on the CSRv and logging device-id hostname on the ASA).
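As an added example (not code from this post or from the Cisco Networks Add-on), here is a small Python parser for the Cisco IOS and ASA syslog datagrams that the UDP 514 input receives. It shows why a hostname appears for the CSRv and the ASA but not for a device that lacks logging origin-id hostname (the parser has to fall back to the sender's IP), checks which severities a trap level of informational actually forwards, and includes a test sender for confirming that the Windows firewall on the Splunk host lets UDP 514 through before any network device is reconfigured. The three sample datagrams, the SW1 address 192.168.1.150 and the ASA message text are constructed for this example, and the ASA header layout assumes timestamp logging is disabled, as in the show logging output above.

```python
"""Parse Cisco IOS / ASA syslog datagrams as received on a Splunk UDP 514 input.

Layouts modelled (samples below are constructed, not captured from the lab):
  IOS: <PRI>seq: [origin-id hostname: ]timestamp: %FAC-SEV-MNEMONIC: text
  ASA: <PRI>[device-id hostname : ]%ASA-SEV-MSGID: text   (timestamp logging off)
"""
import re
import socket
import time
from dataclasses import dataclass
from typing import Optional

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")
# %FACILITY-SEVERITY-MNEMONIC: text   (e.g. %SYS-5-CONFIG_I, %ASA-6-302013)
_BODY_RE = re.compile(r"^%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+): ?(.*)$")
# IOS timestamps look like "*Apr 26 03:16:09.486"; the '*' means the clock is unsynchronised
_TS_RE = re.compile(r"^\*?[A-Z][a-z]{2} +\d{1,2} ")


@dataclass
class CiscoEvent:
    host: str                  # hostname carried in the message, else the sender's IP
    host_from_message: bool
    facility_code: int         # syslog facility from PRI (IOS default local7 = 23, ASA 20)
    severity: int              # 0..7 from PRI
    cisco_facility: str        # SYS, LINK, ASA, ...
    mnemonic: str              # CONFIG_I, 302013, ...
    text: str
    sequence: Optional[int] = None
    timestamp: Optional[str] = None


def parse_cisco_syslog(datagram: bytes, source_ip: str) -> CiscoEvent:
    """Parse one UDP datagram; source_ip is the address it arrived from."""
    msg = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    pm = _PRI_RE.match(msg)
    if not pm:
        raise ValueError("missing <PRI> header")
    facility_code, severity = divmod(int(pm.group(1)), 8)
    rest = msg[pm.end():]
    pct = rest.find("%")
    if pct < 0:
        raise ValueError("no %FACILITY-SEVERITY-MNEMONIC marker")
    bm = _BODY_RE.match(rest[pct:])
    if not bm:
        raise ValueError("malformed Cisco message body")
    # Header fields before the '%' are separated by ': '; an IOS timestamp
    # contains ':' but never ': ', so this split keeps it in one piece.
    sequence = timestamp = hostname = None
    for field in (f.strip() for f in rest[:pct].split(": ")):
        if not field:
            continue
        if field.isdigit():
            sequence = int(field)
        elif _TS_RE.match(field):
            timestamp = field
        else:
            hostname = field
    return CiscoEvent(host=hostname or source_ip, host_from_message=hostname is not None,
                      facility_code=facility_code, severity=severity,
                      cisco_facility=bm.group(1), mnemonic=bm.group(3), text=bm.group(4),
                      sequence=sequence, timestamp=timestamp)


def is_forwarded(severity: int, trap_level: int = 6) -> bool:
    """'logging trap informational' (level 6) forwards severities 0..6 and drops 7 (debugging)."""
    return severity <= trap_level


def build_test_datagram(hostname: str, text: str, severity: int = 6,
                        facility_code: int = 23, seq: int = 1) -> bytes:
    """Build an IOS-style datagram for checking the path to the Splunk UDP input."""
    pri = facility_code * 8 + severity
    ts = "*" + time.strftime("%b %d %H:%M:%S") + ".000"
    return f"<{pri}>{seq}: {hostname}: {ts}: %TEST-{severity}-SPLUNK_INPUT: {text}".encode()


def send_test_message(splunk_host: str, datagram: bytes, port: int = 514) -> int:
    """Send one datagram to the Splunk UDP input; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (splunk_host, port))


# Constructed samples: CSRv has 'logging origin-id hostname', SW1 does not,
# the ASA has 'logging device-id hostname'. 192.168.1.150 for SW1 is made up.
SAMPLES = [
    (b"<189>49: CSRv: *Apr 26 03:16:09.486: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (192.168.1.100)", "192.168.1.140"),
    (b"<189>23: *Apr 26 03:17:29.553: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.100)", "192.168.1.150"),
    (b"<166>LAB-ASA5515x : %ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.1.100/51234 (192.168.1.100/51234)", "192.168.1.1"),
]

if __name__ == "__main__":
    for datagram, src in SAMPLES:
        ev = parse_cisco_syslog(datagram, src)
        origin = "message" if ev.host_from_message else "sender IP"
        print(f"host={ev.host} ({origin}) sev={SEVERITY_NAMES[ev.severity]} "
              f"{ev.cisco_facility}-{ev.mnemonic} forwarded={is_forwarded(ev.severity)}")
```

To check the host firewall, run send_test_message("192.168.1.100", build_test_datagram("LABTEST", "firewall check")) from the lab workstation and search Last 15 minutes in Splunk; if the LABTEST event shows up, the inbound UDP 514 rule on the Windows host is in place. The second sample is the reason to set logging origin-id hostname on every IOS device: without it, the host field can only be the sending IP, which is what the parser falls back to.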