Cisco IOS is an instance of network device log data. IOS is Cisco’s network operating system that runs mainly on their switches and routers. The IOS log data contains information about the operational state of the device and the network functions served by the device.
This data is used for troubleshooting the operations of Cisco devices running IOS. It can be used to confirm configuration settings that influence the functionality the device is expected to deliver. Examples include mismatched duplex settings, up and down state of ports, routing, and operating conditions, such as temperature and power.
When your Splunk deployment is ingesting Cisco IOS, you can use the data to achieve the following objectives:
The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Cisco resources.
If your deployment is not already ingesting Cisco IOS, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.
The recommended index is <user defined>.
The source type is syslog.
The supported input types are monitor or HTTP Event Collector.
In addition, you will need the Cisco Networks Add-on for Splunk Enterprise. The add-on can be downloaded here and the add-on documentation can be accessed here, as well as in the README.md file in the add-on. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Cisco IOS, and configure Splunk.
The amount of data ingestion will depend on the number of devices involved and how busy a device is. Estimates at the low end are 5MB/day per device. The best way to know is to test and measure directly in Splunk or at the syslog server.
If collection is working correctly, the add-on reassigns the cisco:ios source type. Therefore, begin validation with a search for sourcetype=cisco:ios. If data is returned, further validation can be done by inspecting the fields that are extracted.