SPLUNK is really handy when it comes to analyzing logs of your network devices all in one place. Let’s start with setting up SPLUNK on an UBUNTU 16.04 server.
We will be installing the free version (version 7.2.1) for this tutorial. It allows for 500MB of log indexing daily. If you want to compare it with other versions then here is the link. https://www.splunk.com/en_us/software/features-comparison-chart.html
Step 1: Install splunk.
Go to your preferred download directory and download the free software.
ubuntu@splunk:/tmp$ wget https://download.splunk.com/products/splunk/releases/7.2.1/linux/splunk-7.2.1-be11b2c46e23-linux-2.6-amd64.deb
After downloading install it.
ubuntu@splunk:/tmp$ sudo dpkg -i splunk-7.2.1-be11b2c46e23-linux-2.6-amd64.deb
During installation it will ask to create a username and password. Note it down as it will be used to login to the splunk GUI
Start the service.
sudo service splunk start
Now access the login page and enter the username/password you created earlier. By default splunk uses port 8000 and http
STEP 2: Configure SPLUNK for Cisco Logs
First you need to configure a DATA INPUT. You will find that in the settings tab.
Since we will only be receiving from a Cisco device so we choose LOCAL inputs. Let chose TCP(for reliability) and port 514
Select the source type: enter syslog in filter and select it.
For Host setting I prefer IP. Reason is that DNS names can be awfully long which makes searching for hosts using DNS names difficult.
Click on Review, verify the settings and click Submit. That’s it.
STEP 3: Configure your Cisco devices to send logs to the splunk server IP address.R
Router# logging host <server-IP-address> transport tcp port 514 audit sequence-num-session
Router#logging trap informational
Now you should start receiving logs in splunk. You can find your logs in Search & Reporting on your splunk home page.
You can also search hosts in the search bar by using the filter: