How to configure SPLUNK for Cisco logging?

SPLUNK is really handy when it comes to analyzing logs of your network devices all in one place. Let’s start with setting up SPLUNK on an UBUNTU 16.04 server.

We will be installing the free version (version 7.2.1) for this tutorial. It allows for 500MB of log indexing daily. If you want to compare it with other versions then here is the link. https://www.splunk.com/en_us/software/features-comparison-chart.html

Step 1: Install splunk.

Go to your preferred download directory and download the free software.

ubuntu@splunk:/tmp$ wget https://download.splunk.com/products/splunk/releases/7.2.1/linux/splunk-7.2.1-be11b2c46e23-linux-2.6-amd64.deb

After downloading install it.

ubuntu@splunk:/tmp$ sudo dpkg -i splunk-7.2.1-be11b2c46e23-linux-2.6-amd64.deb

During installation it will ask to create a username and password. Note it down as it will be used to login to the splunk GUI

Start the service.

sudo service splunk start

Now access the login page and enter the username/password you created earlier. By default splunk uses port 8000 and http

http://<server-IP-ADDRESS>:8000

STEP 2: Configure SPLUNK for Cisco Logs

First you need to configure a DATA INPUT. You will find that in the settings tab.

Since we will only be receiving from a Cisco device so we choose LOCAL inputs. Let chose TCP(for reliability) and port 514

Select the source type: enter syslog in filter and select it.

For Host setting I prefer IP. Reason is that DNS names can be awfully long which makes searching for hosts using DNS names difficult.

Click on Review, verify the settings and click Submit. That’s it.

STEP 3: Configure your Cisco devices to send logs to the splunk server IP address.R

Router# logging host <server-IP-address> transport tcp port 514 audit sequence-num-session
Router#logging trap informational

Now you should start receiving logs in splunk. You can find your logs in Search & Reporting on your splunk home page.

You can also search hosts in the search bar by using the filter:

host=”192.168.1.10″