There are free online courses in Splunk website and I took the Free Splunk Fundamentals course.
You can download and install a free Splunk Enterprise in order to perform the lab exercises. Go to splunk.com > click Free Splunk.
Login or create a free Splunk account.
Select Splunk Enterprise > click Download Free 60-Day Trial.
Under Windows tab > select 64-bit Windows 10 > click Download Now.
Select the check boxes for the End User License Agreement (EULA) > click Start Your Download Now.
Click Save File.
Select Check this box to accept the License Agreement > click Next.
Create an administrator account.
You can optionally create a Desktop shortcut > click Install.
Click Yes to continue (run as admin).
Click Finish.
Splunk will be launched in a web browser. Login using the account created earlier.
A pop up message will appear > click Got it to continue.
Another pop up message will appear > click Don't show me this again to continue.
This is the Splunk Enterprise home page or whenever you clicked splunk>enterprise on upper left.
Create a new user with power role under Settings > USERS AND AUTHENTICATION > Users.
Click New User.
Type the Name (username) > optional Full Name > optional Email address > Set password (type twice to Confirm password) > select Time Zone: GMT+8:00.
Click on user (on Selected item column) to remove it and then click power to move it under Selected item(s) column > uncheck Require password change on first login > click Save.
To configure Splunk Enterprise as a Syslog server and listen to UDP port 514, click Find More Apps.
Type/search: cisco
Look for Cisco Networks Add-on for Splunk Enterprise > click Install.
Login to your account > click to accept the license agreement > click Login and Install.
A restart is required > click Restart Now.
The restart process take a few minutes.
Click OK and re-login to Splunk Enterprise
Go to Settings > Data > Data inputs.
Under UDP > click Add new.
Leave UDP selected > type Port: 514 > leave the other fields blank > click Next.
Under Select Source Type > type/search: cisco> select cisco:ios > leave the other settings in default > click Review.
Review the summary settings > click Submit.
Click Start Searching.
Click Time Range: Last 15 minutes > click search (magnifying glass icon).
I initially didn't get any Syslog message, so I had permit the port/application in my personal firewall.
Click List drop-down option > select Raw.
Notice the hostnames: CSRv (192.168.1.140) and LAB-ASA5515-X (192.168.1.1) were displayed since it's explicitly configured.
You can download and install a free Splunk Enterprise in order to perform the lab exercises. Go to splunk.com > click Free Splunk.
Login or create a free Splunk account.
Select Splunk Enterprise > click Download Free 60-Day Trial.
Under Windows tab > select 64-bit Windows 10 > click Download Now.
Select the check boxes for the End User License Agreement (EULA) > click Start Your Download Now.
Click Save File.
Select Check this box to accept the License Agreement > click Next.
Create an administrator account.
You can optionally create a Desktop shortcut > click Install.
Click Yes to continue (run as admin).
Click Finish.
Splunk will be launched in a web browser. Login using the account created earlier.
A pop up message will appear > click Got it to continue.
Another pop up message will appear > click Don't show me this again to continue.
This is the Splunk Enterprise home page or whenever you clicked splunk>enterprise on upper left.
Create a new user with power role under Settings > USERS AND AUTHENTICATION > Users.
Click New User.
Type the Name (username) > optional Full Name > optional Email address > Set password (type twice to Confirm password) > select Time Zone: GMT+8:00.
Click on user (on Selected item column) to remove it and then click power to move it under Selected item(s) column > uncheck Require password change on first login > click Save.
To configure Splunk Enterprise as a Syslog server and listen to UDP port 514, click Find More Apps.
Type/search: cisco
Look for Cisco Networks Add-on for Splunk Enterprise > click Install.
Login to your account > click to accept the license agreement > click Login and Install.
A restart is required > click Restart Now.
The restart process take a few minutes.
Click OK and re-login to Splunk Enterprise
Go to Settings > Data > Data inputs.
Under UDP > click Add new.
Leave UDP selected > type Port: 514 > leave the other fields blank > click Next.
Under Select Source Type > type/search: cisco> select cisco:ios > leave the other settings in default > click Review.
Review the summary settings > click Submit.
Click Start Searching.
I configured
the Cisco devices in my lab to send Syslogs to Splunk Enterprise running on my Windows 10 machine (192.168.1.100).
CSRv#configure
terminal
Enter
configuration commands, one per line.
End with CNTL/Z.
CSRv(config)#logging
trap informational
CSRv(config)#logging
origin-id hostname
CSRv(config)#logging
host 192.168.1.100
CSRv(config)#end
CSRv#ping
192.168.1.100
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
CSRv#show
logging
Syslog logging: enabled (0 messages dropped,
2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering
disabled)
No Active
Message Discriminator.
No
Inactive Message Discriminator.
Console logging: level debugging, 132
messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0
messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 146 messages logged, xml
disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages:
disabled
Persistent logging: disabled
No active
filter modules.
Trap logging: level informational, 141
message lines logged
Logging to 192.168.1.100 (udp port 514, audit disabled,
link up),
2 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number
disabled
filtering disabled
Logging Source-Interface: VRF Name:
Log
Buffer (4096 bytes):
Apr 26
03:16:08.106: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.100 port
0 CLI Request Triggered
Apr 26
03:16:09.106: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.100 port
514 started - CLI initiated
Apr 26
03:16:09.486: %SYS-5-CONFIG_I: Configured from console by admin on vty1
(192.168.1.100)
SW1#configure
terminal
Enter
configuration commands, one per line.
End with CNTL/Z.
SW1(config)#logging
trap informational
SW1(config)#logging
host 192.168.1.100
SW1(config)#end
SW1#ping
192.168.1.100
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
SW1#show
logging
Syslog logging: enabled (0 messages dropped,
1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering
disabled)
Console logging: level debugging, 35
messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0
messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 35
messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages:
disabled
File logging: disabled
Trap logging: level informational, 38
message lines logged
Logging
to 192.168.1.100, 1 message lines logged, xml disabled,
filtering disabled
Log
Buffer (4096 bytes):
Apr 26
03:17:29.553: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.100)
LAB-ASA5515x#
configure terminal
LAB-ASA5515x(config)#
logging enable
LAB-ASA5515x(config)#
logging trap informational
LAB-ASA5515x(config)#
logging device-id hostname
LAB-ASA5515x(config)#
logging host inside 192.168.1.100
LAB-ASA5515x(config)#
end
LAB-ASA5515x#
ping 192.168.1.100
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
LAB-ASA5515x#
show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level informational, facility
20, 35180 messages logged
Logging
to inside 192.168.1.100, UDP TX:5
Global TCP syslog stats::
NOT_PUTABLE: 0, ALL_CHANNEL_DOWN: 0
CHANNEL_FLAP_CNT: 0, SYSLOG_PKT_LOSS: 0
PARTIAL_REWRITE_CNT: 0
Permit-hostdown logging: disabled
History logging: disabled
Device ID: hostname
"LAB-ASA5515x"
Mail logging: disabled
ASDM logging: disabled
Click Time Range: Last 15 minutes > click search (magnifying glass icon).
I initially didn't get any Syslog message, so I had permit the port/application in my personal firewall.
Click List drop-down option > select Raw.
Notice the hostnames: CSRv (192.168.1.140) and LAB-ASA5515-X (192.168.1.1) were displayed since it's explicitly configured.