Cisco Logs in Splunk - Basics
Andrés Pedro S.
CFOS | CCDP | CCNP x3 | CCSA | JNCIA | JNCIS | PMcNA | FCAC | SOPHOS | EX Networks | OCI | Jr DevOps | Senior Network Engineer | DevNetSecOps | 5K
I would like to share something very basic that I find valuable when it comes to finding traffic flows in the logs that a Cisco device sends to a Splunk server.
The first thing to understand is that the query executed in the "Search" field must take the form "index=". There we enter the type of device we want to query, in my case cisco (index=cisco), followed by the host, which is where we put the hostname exactly as it appears in the logs.
Example: host="ARBUE-FPR-01"
When you do not have the complete hostname, you can enter a partial name with a wildcard:
host="ARBUE-*"
Once the host is found, you can add more information to the query in the Splunk search field.
index=cisco host="ARBUE-FPR-01" sourcetype="cisco:ftd"
Now we can see in a little more detail all the information that Splunk returns, making the query more and more specific. On the left there is a greater-than sign ">"; we choose one event, expand it, and observe the following:
With the field information shown there, we can be more precise about what to search for in the logs.
index=cisco host="ARBUE-FPR-01" sourcetype="cisco:ftd" ip="192.168.198.12" dip="192.168.111.26" dport="8083"
And now we find the specific source IP address, destination IP address and destination port.
Keep in mind that, depending on the device, the data in the events section can be displayed in another way: the source address may appear as src="xxx.xxx.xxx.xxx" or as src_ip="xxx.xxx.xxx.xxx". That is why it is important to expand the event with ">" and check which field names the log uses for the source IP, destination IP and port before writing the query.
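One search that copes with the field-name differences just described, added here as an example and not part of the original article: coalesce() picks whichever source, destination and port field the event actually carries, then the flow filter runs on the normalized names and the result is summarized per host. It assumes the field names dst, dest_ip and dest_port as alternatives alongside the ip, dip, dport, src and src_ip fields shown above; the IP addresses and port are the ones from the article's query.

```spl
index=cisco host="ARBUE-*" sourcetype="cisco:ftd"
| eval src_addr=coalesce(src, src_ip, ip)
| eval dst_addr=coalesce(dst, dest_ip, dip)
| eval dst_port=coalesce(dest_port, dport)
| search src_addr="192.168.198.12" dst_addr="192.168.111.26" dst_port="8083"
| stats count min(_time) as first_seen max(_time) as last_seen by host src_addr dst_addr dst_port
| convert ctime(first_seen) ctime(last_seen)
```

Events that carry none of the listed fields get an empty src_addr or dst_addr and are dropped by the search filter, so if the result is empty, expand a raw event with ">" and add its field name to the matching coalesce() list.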
If you liked it or it helped you in some way,
please "Like, Comment & Share".
Gracias!. Thank you! Dhanyavad! Tak.