
Splunk Enterprise

Splunk Enterprise, now a Cisco product, is a data analytics platform that collects, indexes, and visualizes machine data, including logs from network devices. It ingests syslog from routers, switches, firewalls, and other products, which makes it useful for security monitoring, network performance analysis, and troubleshooting.

To display data in Splunk, we can install various apps (like Cisco Security Suite or Cisco eStreamer for Firepower) from Splunkbase. These apps provide dashboards, reports, and alerts, making it easier to analyze syslog data, detect anomalies, and gain insights into network health and security.

Installing Splunk

First, download the Splunk Enterprise installer. Here we pick the .rpm Linux package because the target machine runs RHEL.

On the RHEL machine, install the downloaded package with "dnf install" (for example "dnf install ./splunk-*.rpm").

After it finishes, Splunk is installed under /opt/splunk. Start it with "/opt/splunk/bin/splunk start" (add "--accept-license" to skip the interactive license prompt). Prefer running it as the unprivileged splunk user the package creates rather than as root; "splunk enable boot-start -user splunk" registers it as a system service under that user.

On the first start, Splunk prompts for an administrator username and password. These are the credentials for the web GUI later on, so choose a strong password.

That should do it: Splunk Web is now listening on port 8000/tcp. Don't forget to open the RHEL firewall for that port, ideally only from the networks your admins use, since the GUI serves plain HTTP by default until "enableSplunkWebSSL = true" is set in web.conf.

firewall-cmd --permanent --add-port=8000/tcp
firewall-cmd --reload


Make sure both the Web GUI port (8000/tcp) and the UDP port the syslog data input will use are open. The commands above only open 8000/tcp, so the syslog port still needs its own rule. "firewall-cmd --list-ports" shows the ports currently open in the active zone (rules added with --add-rich-rule show up under --list-rich-rules instead).

firewall-cmd --list-ports
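The firewall step as an added example that is not from the original post: instead of opening 8000/tcp and the syslog port to everyone, firewalld rich rules limit each port to the hosts that need it. The admin network, the ASA addresses and the syslog port are assumed values, and the syslog port has to match the UDP data input configured in Splunk.

```shell
#!/bin/sh
# Added example for this post (not Splunk's or Cisco's code): firewalld rules that
# open Splunk Web and the syslog listener only to the hosts that need them.
# All addresses and the port below are assumed values.
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"            # where admins browse to :8000 from
ASA_SOURCES="${ASA_SOURCES:-192.0.2.10 192.0.2.11}"  # ASA devices that send syslog
SYSLOG_PORT="${SYSLOG_PORT:-5514}"                   # must match the Splunk UDP data input

# allow_from <source address or CIDR> <port> <tcp|udp>
# Adds one permanent firewalld rich rule. FW can be overridden (FW=echo) to
# preview the commands without touching the firewall.
allow_from() {
    "${FW:-firewall-cmd}" --permanent \
        --add-rich-rule="rule family=ipv4 source address=$1 port port=$2 protocol=$3 accept"
}

# Web GUI only from the admin network, syslog only from the ASA devices, then reload.
splunk_firewall() {
    allow_from "$ADMIN_NET" 8000 tcp
    for src in $ASA_SOURCES; do
        allow_from "$src" "$SYSLOG_PORT" udp
    done
    "${FW:-firewall-cmd}" --reload
}

# Number of allow rules splunk_firewall adds: one for the admin network plus one per ASA.
rule_count() {
    n=1
    for src in $ASA_SOURCES; do n=$((n + 1)); done
    echo "$n"
}

# "apply" changes the firewall (needs root); anything else only prints the commands.
case "${1:-preview}" in
    apply)   splunk_firewall ;;
    preview) FW=echo splunk_firewall ;;
esac
```

Run it once without arguments to review the exact firewall-cmd invocations, then with "apply" as root. The rich rules are additive, so remove any broad "--add-port=8000/tcp" rule added earlier or it will still admit every source.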


The GUI should now be accessible on port 8000.


Adding Apps

To ingest syslog from ASA devices we need two things from Splunkbase: the Splunk Add-on for Cisco ASA, which defines the cisco:asa sourcetype and the field extractions, and an app that provides the dashboards on top of it.

Adding Data Inputs

Under Settings » Data Inputs, choose Add New next to UDP.

Configure the UDP receiver for the ASA device. Pick the port the ASA will send to: if Splunk runs as a non-root user it cannot bind the privileged port 514, so either use a port above 1024 (such as 5514) or put a syslog daemon in front of it. Because UDP syslog is unauthenticated, also restrict the sender to the ASA's address (the "Only accept connection from" field, which becomes acceptFrom in inputs.conf) in addition to the host firewall.

Set Source type to cisco:asa so the add-on's field extractions apply, and set the host method to IP so events from different ASAs remain distinguishable.

Review and submit
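The same data input written by hand, as an added example that is not part of the original post. The GUI steps above produce an equivalent stanza in an inputs.conf under /opt/splunk/etc/; the port, the ASA addresses and the index name below are assumed values, and the index must already exist.

```ini
# Added example (not from the original post): /opt/splunk/etc/system/local/inputs.conf
# Port, ASA addresses and index name are assumed values.
[udp://5514]
sourcetype = cisco:asa
index = network
# Use the sender's IP as the host field so several ASAs stay distinguishable
connection_host = ip
# UDP syslog carries no authentication: only accept datagrams from the ASA devices
acceptFrom = 192.0.2.10, 192.0.2.11
# Keep the ASA's own timestamp and host instead of having Splunk prepend its own
no_appending_timestamp = true
```

Splunk reads inputs.conf at startup, so run "/opt/splunk/bin/splunk restart" after editing it. acceptFrom is worth keeping even with the host firewall in place: it is the only check the input itself makes on who may write events into the index.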

Sending Syslog

On the ASA, configure it to send syslog to the Splunk listener on the interface and port you chose; the port must match the UDP data input.
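The ASA side as an added example, not the configuration from the original post. The interface name, addresses and port are assumed values: Splunk is reachable at 192.0.2.50 via the "inside" interface and listens on UDP 5514.

```text
! Added example (not from the original post). Interface name, addresses and port
! are assumed values.
logging enable
logging timestamp
! Tag every message with the ASA's hostname so several devices can be told apart
logging device-id hostname
! Informational (level 6) is needed for 106100 ACL hits and 113039 VPN sessions
logging trap informational
logging host inside 192.0.2.50 udp/5514
!
! ACEs only produce 106100 messages when they carry the "log" keyword, e.g.
!   access-list OUTSIDE_IN extended permit tcp any host 192.0.2.80 eq 443 log
!
! If you switch to TCP syslog (logging host inside 192.0.2.50 tcp/1470), also set
! "logging permit-hostdown"; otherwise the ASA blocks new connections whenever the
! syslog server is unreachable.
```

"show logging" on the ASA confirms the destination and the trap level; the counters there are the first place to look if nothing arrives in Splunk.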

Processing the Data in Splunk

Under Search, we can see the ASA logs starting to come into Splunk.

In the app, we can now build a dashboard from this syslog data.

For example, here we take a closer look at the syslog about VPN users connecting.

Or we watch connection traffic through the ACL logs (ASA message 106100, which is only generated for access-list entries that carry the log keyword).
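Searches behind the two dashboard panels above, as an added example that is not from the original post or the Cisco add-on. The fields are pulled out of the raw ASA messages with rex so the searches do not depend on a particular add-on version; the index name "network" and the message layouts of 113039 (AnyConnect session started), 113005 (AAA authentication rejected) and 106100 (ACL hit) are assumptions to verify against your own data.

```spl
index=network sourcetype=cisco:asa "%ASA-6-113039"
| rex "Group <(?<vpn_group>[^>]+)> User <(?<user>[^>]+)> IP <(?<src_ip>[^>]+)>"
| stats count min(_time) as first_seen max(_time) as last_seen by user src_ip vpn_group
| convert ctime(first_seen) ctime(last_seen)
| sort - count

index=network sourcetype=cisco:asa "%ASA-6-113005"
| rex "user = (?<user>\S+) : user IP = (?<src_ip>[\d.]+)"
| stats count by user src_ip
| where count > 10

index=network sourcetype=cisco:asa "%ASA-6-106100" denied
| rex "access-list (?<acl>\S+) denied (?<proto>\S+) (?<src_int>[^/]+)/(?<src_ip>[\d.]+)\((?<src_port>\d+)\) -> (?<dst_int>[^/]+)/(?<dst_ip>[\d.]+)\((?<dst_port>\d+)\)"
| stats count by acl src_ip dst_ip dst_port proto
| sort - count
```

The first search lists who connected to the VPN, from where and how often; the second turns the same feed into a simple brute-force alert (more than ten rejected logins per user and source in the search window); the third ranks denied flows by ACL, source, destination and port. Once you have confirmed which fields the installed add-on extracts for these messages, drop the rex lines and use those fields directly, which is faster and keeps the dashboard consistent with the add-on's other panels.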

We can also use other pre-built apps available from Splunkbase.

This post is licensed under CC BY 4.0 by the author.