Splunk SIEM Partner Guide
February 2012 Series
Preface
Who Should Read This Guide
This Cisco® Smart Business Architecture (SBA) guide is for people who fill a variety of roles:
• Systems engineers who need standard procedures for implementing solutions
• Project managers who create statements of work for Cisco SBA implementations
• Sales partners who sell new technology or who create implementation documentation
• Trainers who need material for classroom instruction or on-the-job training
In general, you can also use Cisco SBA guides to improve consistency among engineers and deployments, as well as to improve scoping and costing of deployment jobs.
Release Series
Cisco strives to update and enhance SBA guides on a regular basis. As we develop a new series of SBA guides, we test them together, as a complete system. To ensure the mutual compatibility of designs in Cisco SBA guides, you should use guides that belong to the same series.
All Cisco SBA guides include the series name on the cover and at the bottom left of each page. We name the series for the month and year that we release them, as follows:
month year Series
For example, the series of guides that we released in August 2011 are the "August 2011 Series".
You can find the most recent series of SBA guides at the following sites:
Customer access: http://www.cisco.com/go/sba
Partner access: http://www.cisco.com/go/sbachannel
How to Read Commands
Many Cisco SBA guides provide specific details about how to configure Cisco network devices that run Cisco IOS, Cisco NX-OS, or other operating systems that you configure at a command-line interface (CLI). This section describes the conventions used to specify commands that you must enter.
Commands to enter at a CLI appear as follows:
configure terminal
Commands that specify a value for a variable appear as follows:
ntp server 10.10.48.17
Commands with variables that you must define appear as follows:
class-map [highest class name]
Commands shown in an interactive example, such as a script or when the command prompt is included, appear as follows:
Router# enable
Long commands that line wrap are underlined. Enter them as one command:
wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
Noteworthy parts of system output or device configuration files appear highlighted, as follows:
interface Vlan64
ip address 10.5.204.5 255.255.255.0
Comments and Questions
If you would like to comment on a guide or ask questions, please use the forum at the bottom of one of the following sites:
Customer access: http://www.cisco.com/go/sba
Partner access: http://www.cisco.com/go/sbachannel
An RSS feed is available if you would like to be notified when new comments are posted.
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Unified Communications SRND (Based on Cisco Unified Communications Manager 7.x)
© 2012 Cisco Systems, Inc. All rights reserved.
Table of Contents
What's In This SBA Guide ..... 1
  Route to Success ..... 1
Cisco SBA Overview ..... 2
  What is Splunk? ..... 3
  Business Benefits ..... 3
  Security Benefits ..... 3
  IT Operations Benefits ..... 4
Technology Partner Product Overview ..... 5
  Solution Highlights ..... 5
Deployment Details ..... 9
  Splunk and the Cisco Applications and Add-Ons ..... 9
  Setting up Splunk ..... 9
  Receiving syslog from Cisco Firewalls ..... 10
  Receiving IPS Events Using SDEE ..... 10
  Receiving Logs from a Cisco WSA ..... 11
  Receiving Raw Events from Cisco Security MARS ..... 13
  Receiving Logs from a Cisco IronPort Email Security Appliance ..... 14
  Understanding Additional Splunk for Cisco Security Content: Landing Page ..... 15
  BotNet Overview ..... 15
  Global Threat Correlation Overview ..... 15
  Maintaining and Updating Splunk for Cisco Apps and Add-ons ..... 15
Products Verified with Cisco SBA ..... 16
What's In This SBA Guide
About SBA
Cisco SBA helps you design and quickly deploy a full-service business network. A Cisco SBA deployment is prescriptive, out-of-the-box, scalable, and flexible.
Cisco SBA incorporates LAN, WAN, wireless, security, data center, application optimization, and unified communication technologies—tested together as a complete system. This component-level approach simplifies system integration of multiple technologies, allowing you to select solutions that solve your organization's problems—without worrying about the technical complexity.
For more information, see the How to Get Started with Cisco SBA document: http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/SBA_Getting_Started.pdf
About This Guide
This additional deployment guide includes the following sections:
• Business Overview—The challenge that your organization faces. Business decision makers can use this section to understand the relevance of the solution to their organizations' operations.
• Technology Overview—How Cisco solves the challenge. Technical decision makers can use this section to understand how the solution works.
• Deployment Details—Step-by-step instructions for implementing the solution. Systems engineers can use this section to get the solution up and running quickly and reliably.
This guide presumes that you have read the prerequisite guides, as shown on the Route to Success below.
[Route to Success diagram (ENT BN): Prerequisite Guides — Design Overview, Internet Edge Deployment Guide, Cisco SIEM Deployment Guide; You are Here — Splunk SIEM Partner Guide]
Route to Success
To ensure your success when implementing the designs in this guide, you should read any guides that this guide depends upon—shown to the left of this guide on the route above. Any guides that depend upon this guide are shown to the right of this guide.
For customer access to all guides: http://www.cisco.com/go/sba
For partner access: http://www.cisco.com/go/sbachannel
Cisco SBA Overview
Cisco Smart Business Architecture (SBA)—Borderless Networks (BN) for Enterprise Organizations offers partners and customers valuable network design and deployment best practices, helping organizations deliver a superior end-user experience that includes switching, routing, security and wireless technologies combined with comprehensive management capabilities for the entire system. Customers can use the guidance provided in the architecture and deployment guides to maximize the value of their Cisco network in a simple, fast, affordable, scalable and flexible manner.
Figure 1 - Splunk Integrated into Cisco SBA—BN for Enterprise Organizations
The modular design of the architecture means that technologies can be added when the organization is ready to deploy them. The architecture also provides Cisco-tested configurations and topologies which CCNA-level engineers can use for design and installation, and to support organizational needs.
Cisco offers a number of options to provide security management capabilities. This guide is focused on our partnership with Splunk to provide an affordable, easy-to-use security management solution.
What is Splunk?
Splunk is software that provides a unique view across your entire IT infrastructure from one place and in real time. Splunk enables you to search, report, monitor and analyze streaming and historical data from any source, and speeds investigation of security incidents. Critical systems can be monitored to avoid service degradation or outages and compliance is delivered at lower cost. New business insights are gleaned from your IT data.
Splunk can index any time-stamped ASCII text with none of the typical device support and new version restrictions seen from other products that accept log data. If new versions of Cisco data sources are released, Splunk makes the data sources available to you indexed and ready for use. You choose when and where to use the new data. Splunk also accepts multi-line application data without the need for translators or connectors.
Figure 2 - Splunk for Cisco Security Real-Time Dashboard
Business Benefits
Splunk helps its customers make better business decisions by taking machine generated data and applying a forensics and analytics approach to security and event management as well as IT operations management.
• Any time-stamped ASCII text machine generated data can be indexed with Splunk, including custom application logs.
• Splunk's search language includes analytical commands used to create tables, counts, charts, and other objects that help make data compelling.
• Timecharts and other graphical trending elements used in dashboards can provide executives with a risk management picture customized to your data and your business requirements.
• Splunkbase provides apps and add-ons to improve the user experience and provide out-of-the-box solutions to use cases.
• Splunk breaks down barriers between the IT operations and security teams, resulting in faster problem resolution.
• Security and application data can be viewed in context, and data trends examined, so that key performance indicators (KPIs) can be established and outliers identified.
Security Benefits
Splunk supports a forensics approach to security event management. Looking for patterns in log data from Cisco security devices and viewing them in the context of other log data provides a comprehensive view of what's happening in your IT architecture. Using Splunk, the security team can harness their knowledge to model attack vectors and attack patterns based on conditions that might be seen in log data.
Examples:
• Review the series of events documented in log data that take place from the moment a piece of malware is downloaded into the environment.
• Set Splunk to report on levels of traffic between hosts or network segments that do not ordinarily communicate with each other.
• Augmentation of a data loss prevention (DLP) system by monitoring email traffic levels between individuals and the amount or size of attachments sent.
Depending on the environment, each of these scenarios can include one or more Cisco security solutions.
Splunk does not force the user to make compromises on what data the security team can collect due to either schema or scalability issues. When a search across data sources is constructed, the user can save, run, and send the search results and graphical reports to others in PDF format on a scheduled basis. The search can also become a security dashboard element for display. Existing Splunk customers use this display in their security operations center.
Figure 3 - Drill Down from Graph to Report to Log Data
To add additional context to security events, Splunk has the ability to connect to external sources of data and pull this data into reports or dashboards in Splunk. Augmenting security data with information from an asset database about the asset owner, email, phone number, location, or department can help decrease response times. Asset databases also may contain information about asset classifications, priority, or whether the host has personal information on it. This information can also be displayed in Splunk.
• Splunk breaks down silo barriers between the IT operations and the security teams, resulting in faster problem resolution.
• Direct drill-down from any part of a dashboard to the underlying logs speeds security investigations (Figure 3).
• Additional information from other data sources such as personnel databases, Active Directory, or asset management databases can be pulled into Splunk to add context to security and operations events.
• Search results from a security investigation—whether from single or multiple log sources—can immediately be turned into a condition that can be monitored in real-time.
IT Operations Benefits
Understanding the effect of security issues on the IT operations team is critical for the reliability of key business systems. Issues that affect top line revenue, such as being able to receive orders for goods and services, and reputation issues that could result from the loss of private data get visibility at the highest levels of the organization.
Splunk's ability to consume and report on application data and security data together dramatically speeds up forensics investigations. There are cases where operations and security teams have separate troubleshooting systems, which keep these teams in separate silos. This makes it harder for root cause analysis to be determined. The question "is it an application issue or a security issue," can take hours to completely comprehend. Being able to use the same system to understand the effect of security issues on mission critical applications and the data they contain is key to all tenets of security—confidentiality, integrity and availability.
• Splunk can provide a single pane of glass for the security and IT operations teams.
• Splunk can help the team understand and pinpoint infrastructure issues.
• Operational metrics and security metrics can be tied together, enabling better business decisions and metrics monitoring.
Splunk and Cisco working together have endeavored to provide a consolidated view into log data coming from some of the best and most popular Cisco security products while preserving the key capability of Splunk to accept and index any data from any source—including multiline application data—and apply analytics to searches, resulting in new insight into security issues over time.
Technology Partner Product Overview
Splunk for Cisco Security consists of apps and add-ons to Splunk that are freely available on Splunk's website www.splunkbase.com. The Cisco apps and add-ons, once installed, provide the user with 12 dashboards and over 60 reports with views of historical data and real-time log data from Cisco security devices and software. This gives the user that has a Cisco-centric security environment situational awareness not only for each of these systems, but also in combinations that provide insight into security issues as they arise. The Cisco apps and add-ons are offered on a per solution basis so the user can download and install only those needed.
Figure 4 - Main Menu Bar
The Cisco apps and add-ons are compatible with other apps and add-ons in Splunkbase. The user can download additional apps or add-ons that are appropriate for their IT architecture. Once installed, the apps can be seen under the App pulldown menu. The provided dashboards and reports are extensible. If the user wants or needs additional reports, decides to re-arrange or add to a dashboard, or pull in contextual data from a third-party source, this is easily supported in Splunk.
With the exception of the MARS archive, each supported Cisco solution has its own overview dashboard and real-time information view. Any dashboard element or report can be clicked to provide a drill-down into the underlying log data and show the data on a chronological timeline.
Solution Highlights
Cisco IronPort Email Security Appliance
For all businesses email is a mission critical business enabler and communications tool. Yet nearly 90% of email activity is invalid (spam, viruses, etc.). Because email is an attack vector for viruses and other forms of malware, the security team needs to deploy a security solution that will provide appropriate protection against email-based attacks and cut the amount of invalid email traffic while still supporting the business. The Cisco IronPort Email Security add-on makes transaction mining simple through form search dashboards that allow you to enter information about the mail transaction, sender, receiver and attachments and easily mine for any transaction nested in the Email Security Appliance logs. Splunk provides scalable, out-of-the-box reporting, and saved searches, that represent the most requested searches and analytics.
Figure 5 - Cisco Email Form Search
Splunk and Cisco IronPort Web Security Appliance
Figure 6 - Cisco WSA Dashboard
The number of web-borne security threats caused by simply surfing the Internet has reached record proportions. It's very easy for employees surfing the web to become complacent and click on a link that might result in the installation of a key-logger, root-kit, or some other form of malware. Surfing to certain destinations can violate appropriate use policies for employer-owned computer equipment. According to a recent survey, a rapid escalation in employee web surfing can be an indication of an employee that no longer values his or her employer's time, may be looking to leave the company and perhaps take proprietary company information with them. Splunk helps track and report on web surfing as reported by the Cisco IronPort Web Security Appliance (WSA). Splunk puts a human resources (HR) professional's perspective to work when analyzing data from WSA and supports security teams that regularly need to provide employee surfing histories as evidence in HR actions.
Splunk and Cisco Intrusion Prevention Systems
Figure 7 - IPS Dashboard
Security Device Event Exchange (SDEE) is a specification for the message formats and the messaging protocol used to communicate the events generated by security devices. SDEE was implemented in the Cisco IPS 4200 Series Sensors beginning with v5.0, which in turn deprecated Cisco Remote Data Exchange Protocol (RDEP) for collecting Intrusion Prevention System (IPS) events. SDEE provides a richer level of reporting. IPS functionality is supported wherever the IPS module is implemented or installed. For example, Cisco routers and ASA 5500 Series Adaptive Security Appliances with an IPS module installed can also produce SDEE log data. The SDEE support extends to include Cisco's global threat correlation if available. The SDEE add-on provides a translation of the SDEE XML format to a key-value pair format easily understood by Splunk and is required for Splunk customers that need to view and report on IPS data.
Splunk for Cisco Firewall
Figure 8 - Cisco Firewall Dashboard
The Cisco ASA 5500 Series Adaptive Security Appliance (ASA) represents an evolution that began with the Cisco PIX first released in 1994. As threats have evolved so has the Cisco perimeter firewall which, in addition to firewall capabilities, includes IPS, VPN, and content security functionality. In the initial release of the firewall add-on, firewall and IPS log data (further addressed in the SDEE section) are collected and classified using tags, field extractions, and saved searches. Connections accepted and denied by port are just a small sample of the information available via the add-on.
Splunk for Cisco Security Wrapper
The Splunk for Cisco Security application is a wrapper app exposing additional searches, reports and dashboards from the supported Cisco add-ons. In addition, extended content supports Cisco's Global Threat Reputation and Botnet filtering features, and real-time geo-mapping of Cisco security events and attacks. Downloading and installing this add-on makes sense for those users that have two or more of the Cisco security solutions discussed above. The dashboards included in the wrapper reflect a richer experience for the security professional looking to perform root cause analysis.
The app requires you to have one or more of the supported add-ons installed:
• Splunk for Cisco Firewalls (add-on): http://www.splunkbase.com/apps/All/4.x/Add-On/app:Cisco+Firewalls+Add-On
• Splunk for Cisco IPS (add-on): http://www.splunkbase.com/apps/All/4.x/AddOn/app:Cisco+IPS+SDEE+Data+Collector
• Splunk for Cisco IronPort Web Security (app): http://www.splunkbase.com/apps/All/4.x/App/app:Cisco+IronPort+Web+Security+Application
• Splunk for Cisco IronPort Email Security (app): http://www.splunkbase.com/apps/All/4.x/Add-On/app:Cisco+IronPort+E-mail+Security+Add+On
• Splunk for Cisco Client Security Agent (add-on): http://www.splunkbase.com/apps/All/4.x/Add-On/app:Cisco+Client+Security+Agent+Add+On
• Splunk for Cisco Wrapper: http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+for+Cisco+Security
• Cisco Security MARS archives: http://www.splunkbase.com/apps/All/4.x/app:Cisco+MARS+Archive+Add-on
Tech Tip: In order to automatically retrieve geographical info on public IP addresses you will need to install the MAXMIND Geo Location app from SplunkBase. The app can be found here: Geo Lookup Script http://www.splunkbase.com/apps/All/4.x/Add-On/app:Geo+Location+Lookup+Script
Cisco Product / Splunk Collection Method
Log collection method: Splunk is scalable software that can be used as a lightweight forwarder, an indexer, and/or a search-head based on configuration settings.
Number of Users (Admin): Unlimited
Cisco Devices (data format):
  ASR: Syslog
  ASA: Syslog
  IPS: SDEE
  IOS: Syslog
  ESA: W3C
  WSA: Syslog (or Squid format)
  FWSM: Syslog
  Cisco Security MARS: Archive
Events Per Second: 150,000+ depending on customer supplied hardware and solution architecture; Splunk scales to terabytes per day.
Deployment Details
Splunk and the Cisco Applications and Add-Ons
This section outlines the steps required to configure Splunk to process log data from Cisco devices, including the CS-MARS SEM product.
Process
Setting up Splunk
1. Splunk Installation Quickstart
2. Accepting Cisco Data Sources
Splunk will run on Windows, Linux, Solaris, Mac OS, FreeBSD, AIX, and HP-UX. This section provides an overview of how to set up Splunk on a single host. Additional information on scalability, using Splunk as a lightweight forwarder, and other Splunk documentation can be found on the Splunk website: http://www.splunk.com/base/Documentation/latest/User/SplunkOverview
Although much of what is described below are basic requirements for setting up Splunk for the first time, this document assumes that the user is setting up Splunk for the first time with additional Cisco Apps on a single four core commodity server with eight gigabytes of RAM. The instructions below reflect running Splunk with a default Red Hat Linux installation.
Procedure 1 Splunk Installation Quickstart
Step 1: Install the Splunk RPM.
To install the Splunk RPM in the default directory /opt/splunk:
rpm -i splunk_package_name.rpm
To install Splunk in a different directory, use the --prefix flag:
rpm -i --prefix=/opt/new_directory splunk_package_name.rpm
Step 2: Start Splunk. At the command prompt in a command shell type ./splunk start
After you start Splunk and accept the license agreement
Step 3: In a browser window, access Splunk Web at http://<hostname>:port.
• hostname is the host machine.
• port is the port you specified during the installation (the default port is 8000).
This will spawn two processes: Splunkd and Splunkweb
Step 4: The first time you log in to Splunk Enterprise, the default login details are:
Username:admin
Password: changeme
Tech Tip: The free version of Splunk does not have access controls. To switch from the free version to the paid version, purchase and apply the appropriately sized license.
Procedure 2 Accepting Cisco Data Sources
Each of the following apps and add-ons should be installed into the apps folder in the etc directory. For each app or add-on you install, verify that the appropriate sourcetype is set when configuring the data input.
Figure 9 - Apps installed into /splunk/etc/apps
Process
Receiving syslog from Cisco Firewalls
Step 1: To install this add-on, unpack this file into $SPLUNK_HOME/etc/apps and restart Splunk. In order to get the firewall data into Splunk you will need to configure a port on the Splunk server to listen for UDP or TCP traffic. Refer to http://www.splunk.com/base/Documentation/latest/admin/MonitorNetworkPorts for details on this process.
Step 2: Configure the firewall device to direct syslog traffic to the Splunk server. Refer to the Cisco Security Information Event Management Deployment Guide for details.
Step 3: (optional) The add-on will rename the sourcetype of your firewall events to cisco_firewall. If you have previously added Cisco Firewall data as a data source and would like to preserve the current sourcetype for reporting purposes, you can create an alias in the local directory of this app.
To create a sourcetype alias, add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/cisco_firewall_addon/local):
[cisco_firewall]
rename = your_current_firewall_sourcetype
The field extractions are set to sourcetype=cisco_firewall, which is keyed off of %ASA, %PIX and %FWSM. All of the reports use eventtype=cisco_firewall; the default cisco_firewall eventtype looks for %ASA, %PIX or %FWSM in your data.
The real time and overview dashboards as well as the included searches and reports in this add-on rely on the search eventtype=cisco_firewall in order to report on firewall data. There is one scheduled search included in this add-on which creates a cache for the dashboard every 3 hours with a Splunk enterprise license.
To change the schedule you can edit the following search under the manager: Cisco Firewall – Data Cube
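As an added example (not part of this guide or of the Splunk for Cisco Firewalls add-on), the following Python script shows in plain code what the cisco_firewall eventtype and the add-on's "connections accepted and denied by port" reporting do with raw syslog: it keys off %ASA, %PIX or %FWSM in each line, pulls out the platform, severity and message ID, and tallies denied connections by destination port and built connections by direction. The sample lines, hostnames, addresses and connection IDs are constructed for this example and are modelled on the ASA 302013 (Built connection) and 106023 (Deny by access-group) message formats; the regular expressions are this example's own, not the add-on's field extractions.

```python
import re
from collections import Counter

# Constructed sample syslog lines (hosts, addresses and connection IDs invented
# for this example), modelled on the ASA 302013 and 106023 message formats.
SAMPLE_EVENTS = [
    "<166>Feb 14 10:01:02 fw01 %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.5.204.20/51000 (10.5.204.20/51000)",
    "<164>Feb 14 10:01:03 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/40000 "
    "dst inside:10.5.204.20/22 by access-group \"outside_in\" [0x0, 0x0]",
    "<164>Feb 14 10:01:04 fw02 %FWSM-4-106023: Deny udp src outside:198.51.100.9/53 "
    "dst inside:10.5.204.30/53 by access-group \"outside_in\" [0x0, 0x0]",
    "<166>Feb 14 10:01:05 pix01 %PIX-6-302013: Built inbound TCP connection 77 "
    "for outside:198.51.100.2/1025 (198.51.100.2/1025) to inside:10.5.204.40/80 (10.5.204.40/80)",
    # A non-firewall line: the cisco_firewall eventtype must not match it.
    "<13>Feb 14 10:01:06 app01 sshd[1234]: Accepted publickey for admin from 10.5.204.1 port 50000",
]

# Equivalent of the default cisco_firewall eventtype: %ASA, %PIX or %FWSM in the event.
FW_HEADER = re.compile(
    r"%(?P<platform>ASA|PIX|FWSM)-(?P<severity>\d)-(?P<msg_id>\d{6}):\s*(?P<msg>.*)$"
)
DENY = re.compile(
    r"Deny (?P<proto>\w+) src \S+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst \S+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
BUILT = re.compile(r"Built (?P<direction>inbound|outbound) (?P<proto>\w+) connection")


def is_cisco_firewall(event):
    """True when the event would match the cisco_firewall eventtype."""
    return FW_HEADER.search(event) is not None


def parse_firewall_event(event):
    """Extract platform, severity, message ID and, where present, the connection
    verdict. Returns None for events that are not firewall syslog."""
    m = FW_HEADER.search(event)
    if m is None:
        return None
    rec = {
        "eventtype": "cisco_firewall",
        "platform": m["platform"],
        "severity": int(m["severity"]),
        "msg_id": m["msg_id"],
        "action": "other",
    }
    d = DENY.search(m["msg"])
    if d:
        rec.update(action="denied", proto=d["proto"].lower(), src_ip=d["src_ip"],
                   dst_ip=d["dst_ip"], dst_port=int(d["dst_port"]))
        return rec
    b = BUILT.search(m["msg"])
    if b:
        rec.update(action="accepted", direction=b["direction"], proto=b["proto"].lower())
    return rec


def summarize(events):
    """Counts comparable to the add-on's accepted/denied-by-port style reports."""
    summary = {
        "firewall_events": 0,
        "other_events": 0,
        "denied_by_dst_port": Counter(),
        "accepted_by_direction": Counter(),
    }
    for event in events:
        rec = parse_firewall_event(event)
        if rec is None:
            summary["other_events"] += 1
            continue
        summary["firewall_events"] += 1
        if rec["action"] == "denied":
            summary["denied_by_dst_port"][rec["dst_port"]] += 1
        elif rec["action"] == "accepted":
            summary["accepted_by_direction"][rec["direction"]] += 1
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Running the script prints four firewall events, one non-firewall event, denials on destination ports 22 and 53, and one built connection in each direction. A quick check like this against a capture of your own syslog feed tells you whether the listener port configured in Step 1 is actually receiving events with the %ASA/%PIX/%FWSM header that the eventtype keys on.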
Process
Receiving IPS Events Using SDEE
Step 1: To install this add-on, you will need to unpack this file into $SPLUNK_HOME/etc/apps, create or modify local/inputs.conf, and restart.
Step 2: Open the inputs.conf file located at $SPLUNK_HOME/etc/apps/cisco_ips_addon/local/inputs.conf
Step 3: Create an entry for each sensor you would like to monitor using the following stanza:
[script://$SPLUNK_HOME/etc/apps/cisco_ips_addon/bin/get_ips_feed.py]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = false
interval = 1
The scripted input creates a sensor_ip.run file in the $SPLUNK_HOME/etc/apps/cisco_ips_addon/var/run directory which is updated each time Splunk attempts to connect to a sensor. If you are having issues connecting to a sensor or are not seeing IPS data in Splunk the following search may be used for troubleshooting:
index="_internal" sourcetype="sdee_connection"
The real time and overview dashboards as well as the included searches and reports in this add-on rely on the search eventtype=cisco_ips in order to report on Cisco IPS data.
Tech Tip: Splunk creates an entry for each sensor you would like to monitor using the following stanza:
[script://$SPLUNK_HOME/etc/apps/cisco_ips_addon/bin/get_ips_feed.py <user> <pass> <ips_ip>]
Step 4: (optional) There is one scheduled search included in this add-on which creates a cache for the dashboard every 3 hours with a Splunk enterprise license. To change the schedule you can edit the following search under the manager: Cisco IPS – Data Cube
Process
Receiving Logs from a Cisco WSA
1. Getting WSA Data into Splunk
2. Extracting Relevant WSA Fields
3. Extracting Fields from W3C Format
4. Using Reports and Dashboards for Web Traffic
5. Configuring and Modifying Lookup Values
The reports and dashboards included in this app rely on eventtype="ironport_proxy" and all relevant fields in order to report on the Cisco IronPort Web Security Appliance data. By default, there is an ironport_proxy eventtype with: search = sourcetype=cisco_wsa*
If you already have IronPort web data in your Splunk index and are extracting the fields, you can simply save an eventtype with the name ironport_proxy. You will still need to configure the lookups for your proxy logs. Instructions on how to do this can be found below under: Configuring and Modifying Lookup Values
If you already have IronPort web data in your Splunk index but do not have the fields extracted, you will find instructions on how to set up field extractions below under: Extracting Relevant IronPort Web Fields
Quick Start: If you have not indexed any IronPort web data and the logs are already accessible to your Splunk server in the squid format, you can simply create a data input that monitors the directory containing the squid formatted logs and set the sourcetype to cisco_wsa_squid
Procedure 1 Getting WSA Data into Splunk
Configure your Cisco IronPort WSA to schedule an export of the access logs to a directory accessible by the Splunk Server in either the squid or w3c format. The recommended interval for this is 15 minutes. Please note that the squid logging option provides a fixed format and the app includes field extractions for this. For the w3c format you will need to supply the field header in order for the app to function; this simple step is explained later in this document.
After the data is in a directory accessible by the Splunk server, you will need to configure a data input to monitor that directory. Instructions on how to configure a data input can be found here: http://www.splunk.com/base/Documentation/latest/Admin/WhatSplunkCanMonitor
When configuring the data input, you will need to select manual and set cisco_wsa_squid or cisco_wsa_w3c as the sourcetype value.
Tech Tip: If you exported the Cisco WSA access logs in the squid format and set the sourcetype to cisco_wsa_squid there is nothing more to configure at this point.
If you require an alternative name for the sourcetype due to naming conventions within your organization you will need to follow the steps below for configuring eventtypes and field extractions for already indexed IronPort web data.
Procedure 2 Extracting Relevant WSA Fields
The Splunk for Cisco IronPort WSA app contains field extractions for the squid formatted access logs. If you have already indexed the squid access logs under a different sourcetype, you will need to create a sourcetype alias for the existing sourcetype, or map the field extractions and event type to your existing sourcetype. To create a sourcetype alias simply add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):
[put_ironport_web_squid_sourcetype_here]
rename = cisco_wsa_squid
If you prefer to map your existing sourcetype to the field extractions and eventtype, add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):
[put_ironport_web_squid_sourcetype_here]
KV_MODE = none
MAX_TIMESTAMP_LOOKAHEAD = 19
REPORT-extract = squid
lookup_table = cat_lookup x_webcat_code_abbr
Add the following entry to eventtypes.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):
[ironport_proxy]
search = sourcetype=put_ironport_web_squid_sourcetype_here
Procedure 3 Extracting Fields from W3C Format
If your Cisco WSA access logs are in a W3C format you will need to create a DELIMS based extraction for this log format since this data is space delimited. The FIELDS value for this extraction will be set to the header of your W3C logs. This is the order in which the fields were selected in the management interface. Alternatively the field values can be seen at the top of the W3C formatted log file.
To create the field extraction add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):
[ironport-w3c]
DELIMS = " "
FIELDS = "time","c_ip","field3",...,"field30"
* Be sure to list all of the fields included in the log.
Required fields (the reports require the following fields to function properly):
• cs_username
• c_ip
• x_webcat_code_abbr
• x_webroot_threat_name
• x_wbrs_score
• sc_bytes
• cs_url
Procedure 4 Using Reports and Dashboards
Reports and dashboards are included to provide visibility into Acceptable Use/Compliance, Web Security Threats and Network Utilization. There are also form-based reports for client profiling and analysis. Creating your own reports and dashboards is quick and easy in Splunk. Details on how to do this can be found here: http://www.splunk.com/base/Documentation/latest/User/AboutReportsAndCharts
The reports rely on the search eventtype=ironport_proxy and all of the required fields listed in Procedure 3. The Acceptable Use dashboards require lookups on usage against the x_webcat_code_abbr field.
The following is a list of the usage fields used by the Acceptable Use dashboards and reports:
• Business Usage (usage="Business")
• Productivity Loss (usage="Personal")
• Legal Liability (usage="Violation")
• Internet Tools (usage="Borderline")
Instructions on how to modify lookup values can be found below.
There are three scheduled searches included in this app which create a cache for the dashboards. They will run every 3 hours with a Splunk enterprise license. To change the schedule you can edit the following searches under the manager:
• Cisco WSA – Acceptable Use – Data Cube
• Cisco WSA – Security – Data Cube
• Cisco WSA – Network Resources – Data Cube
Procedure 5 Configuring and Modifying Lookup Values
You can modify the usage and severity values for a particular category by editing the following file in the lookups directory of this app:
$SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/lookups/category_map.csv
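Because the Acceptable Use dashboards filter on the four usage values listed in Procedure 4, a typo in category_map.csv drops a category from every Acceptable Use view without any error. The following is an added example (not code from the guide or the app) that loads a constructed copy of the lookup, flags rows whose usage value no dashboard filter matches, and reclassifies a category safely; the column names x_webcat_code_abbr, usage and severity are an assumption based on the lookup field and the values the procedure describes.

```python
import csv
import io

# Usage values the Acceptable Use dashboards filter on (Procedure 4).
VALID_USAGE = {"Business", "Personal", "Violation", "Borderline"}
COLUMNS = ["x_webcat_code_abbr", "usage", "severity"]

# Constructed sample of category_map.csv. Column names are an assumption:
# x_webcat_code_abbr is the lookup input field from the props.conf entry,
# usage and severity are the values Procedure 5 says the file carries.
# Category codes and severity values are made up for illustration.
SAMPLE_CATEGORY_MAP = """x_webcat_code_abbr,usage,severity
IW_busi,Business,low
IW_sprt,Personal,low
IW_adlt,Violation,high
IW_chat,Borderline,medium
"""


def load_category_map(text):
    """Parse the lookup CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def invalid_usage_rows(rows):
    """Category codes whose usage value matches no Acceptable Use filter."""
    return [r["x_webcat_code_abbr"] for r in rows if r["usage"] not in VALID_USAGE]


def set_usage(rows, code, usage):
    """Reclassify one category; refuse values the dashboards do not use.
    Returns True if the code was found and updated, False otherwise."""
    if usage not in VALID_USAGE:
        raise ValueError("usage must be one of %s" % sorted(VALID_USAGE))
    for r in rows:
        if r["x_webcat_code_abbr"] == code:
            r["usage"] = usage
            return True
    return False


def dump_category_map(rows):
    """Serialise rows back to CSV text in the same column order."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Run invalid_usage_rows over the real file after every edit; an empty list means every category still lands in one of the four dashboards.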
Process
Receiving Raw Events from Cisco Security MARS
To install this add-on, unpack this file into $SPLUNK_HOME/etc/apps and restart.
Step 1: Configure your MARS instance to schedule an export of the raw message archive logs into a directory accessible by the Splunk server.
Step 2: Once the data is in a directory accessible by the Splunk server, you will need to configure a data input to monitor the directory containing the MARS archive files. Instructions on how to configure a data input can be found here: http://www.splunk.com/base/Documentation/latest/Admin/WhatSplunkCanMonitor
Step 3: When configuring the data input, you will need to select manual and set the sourcetype to cisco_mars_rm.
Step 4: There is one scheduled search included in this add-on which creates a cache for the dashboard every 3 hours with a Splunk enterprise license. To change the schedule you can edit the following search under the manager: Cisco MARS Archive – IPS – Data Cube
Process
Receiving Logs from a Cisco IronPort Email Security Appliance
To install this add-on, unpack this file into $SPLUNK_HOME/etc/apps and restart. Next, configure a data input to monitor your IronPort Mail logs, setting the sourcetype to cisco_esa.
If you already have the IronPort Mail logs indexed under a different sourcetype, you will need to update the props.conf and eventtypes.conf files in the local directory of this app.
Step 1: In props.conf create the following entry, replacing the stanza name with your own name for the sourcetype for your IronPort Mail logs:
[enter_sourcetype_here]
REPORT-ironport = get_mid,get_to,get_from,get_icid,get_dcid,get_attach_name,get_attach_size,get_subject1,get_subject2,get_subject3
Step 2: In eventtypes.conf create the following entry, replacing the search terms with the sourcetype for your IronPort Mail logs:
[cisco_esa]
search = sourcetype=your_usa_sourcetype
tags = cisco e-mail security
The sample reports in this add-on rely on the search eventtype=cisco_esa in order to report on IronPort mail data. There is one scheduled search included in this add-on which creates a cache for the dashboard every 6 hours with a Splunk enterprise license. To change the schedule you can edit the following search under the manager: Cisco IronPort E-mail – Data Cube
Understanding Additional Splunk for Cisco Security Content: Landing Page
The landing page of the app provides an overall view of your Cisco security events in real time. While each add-on provides a real-time dashboard where applicable, the landing page looks across all Cisco add-ons, plotting the events in real time as they happen, as well as providing an overview of the source and destination IP addresses involved.
There are two geo views available on the landing page: a real-time view and a cached view of the last 24 hours, updated hourly. You may modify this view to include only the events or environments that are of interest to you. In order to modify the schedule or content of the event mapping search you will need to go into the Manager and edit: Event map
If you would like to create additional map content for use in Splunk dashboards, please download the Splunk for amMap flash maps add-on and documentation located here: http://www.splunkbase.com/apps/All/4.x/Add-On/app:Splunk+for+use+with+amMap+Flash+Maps
BotNet Overview
The BotNet Overview dashboard utilizes Cisco Firewall's BotNet filter, providing a view into the latest BotNet activity in your environment. This dashboard is driven off of a saved search that creates a cache for the dashboard every 3 hours with a Splunk enterprise license.
To change the schedule or the time frame reported on, you can edit the following search under the manager: Cisco BotNet Filter – Data Cube
The BotNet map included with this view maps the geo info from the destination IP of the BotNet request. This map is driven off of the results of Cisco BotNet Filter – Data Cube. To make changes to the search schedule or the time frame, simply edit the search.
Figure 10 - BotNet Dashboard
Global Threat Correlation Overview
The Global Threat Correlation Overview dashboard is comprised of IPS alerts that surpass defined thresholds for a Global Threat Correlation Score. By default this is set to 0. This dashboard is driven off of a saved search that creates a cache for the dashboard every 3 hours with a Splunk enterprise license.
To change the schedule, the time frame reported on, or the GTS threshold, you can edit the following search under the manager: Cisco IPS Global Threat Correlation – Data Cube.
Maintaining and Updating Splunk for Cisco Apps and Add-ons
Copies of all the Cisco Apps and add-ons can be found at www.splunkbase.com free of charge. For notifications of updates to the Cisco apps and add-ons posted to Splunkbase, it is recommended that the user monitor the Splunkbase page via RSS. The RSS icon is located in the upper right part of the Splunkbase web page.
Due to the modular nature of the apps and add-ons, updating and implementing new versions of Splunk over time does not adversely affect the installed apps or add-ons.
Products Verified with Cisco SBA
The Splunk for Cisco Security app version 4.1 has been verified with Cisco Smart Business Architecture using the following software versions:
• Cisco ASA 5500 Series 8.2(1)
• Cisco IOS Software Release 15.0(1)M2
• Cisco IOS XE Release 2.6.1
• Cisco Intrusion Prevention System 7.0.(2)E3
• Cisco IronPort AsyncOS Version 7.1 for Email
• Cisco IronPort AsyncOS Version 6.3 for Web
• Cisco Security MARS 6.0.5
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands
SMART BUSINESS ARCHITECTURE
C07-608672-03 02/12