Skip to main content

Cisco: IOS

  • Updated

Cisco IOS is an instance of network device log data. IOS is Cisco’s network operating system that runs mainly on their switches and routers. The IOS log data contains information about the  operational state of the device and the network functions served by the device.  

In the Common Information Model, Cisco IOS can be mapped to any of the following data models, depending on the field: Network Traffic and Change.

Data visibility 

This data is used for troubleshooting the operations of Cisco devices running IOS. It can be used to confirm configuration settings that influence the functionality the device is expected to deliver. Examples include mismatched duplex settings, up and down state of ports, routing, and operating conditions, such as temperature and power. 

Data application

When your Splunk deployment is ingesting Cisco IOS, you can use the data to achieve the following objectives:

Configuration

The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Cisco resources.

Data ingestion

If your deployment is not already ingesting Cisco IOS, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.

The recommended index is <user defined>

The source type is syslog

The supported input types are monitor or HTTP Event Collector.

In addition, you will need the Cisco Networks Add-on for Splunk Enterprise. The add-on can be downloaded here and the add-on documentation can be accessed here, as well as in the README.md file in the add-on. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Cisco IOS, and configure Splunk. 

Sizing estimate

The amount of data ingestion will depend on the number of devices involved and how busy a device is. Estimates at the low end are 5MB/day per device. The best way to know is to test and measure directly in Splunk or at the syslog server.  

Validation

If collection is working correctly, the add-on reassigns the cisco:ios source type. Therefore, begin validation with a search for sourcetype=cisco:ios. If data is returned, further validation can be done by inspecting the fields that are extracted. 

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.