Splunk + Cisco IOS

I already have the app that parses the logs from all the Cisco boxes installed (this one and this one).

I am going to create a few alerts. The searches below all use index IN (*); before saving them as alerts, scope that to the index the Cisco syslog actually lands in, otherwise every run scans every index.

Cisco-IOS-err-disabled

eventtype="cisco_ios-err_disable" product IN (IOS) index IN (*) | `normalize-int(src_int_prefix_long,src_int_suffix,"src_interface")` | stats count(src_interface) AS Amount BY host,src_interface,disable_cause | rename src_interface AS Interface, disable_cause AS Cause
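The err-disabled alert only gives one row per port if the interface name is written the same way in every event, which is what the `normalize-int` macro is there for (it rebuilds the name from the prefix and suffix the add-on extracts, so Gi1/0/5 and GigabitEthernet1/0/5 count together). The following Python is an added example, not code from the post or from the Splunk app: it re-implements that normalisation and the `stats count BY host,src_interface,disable_cause` aggregation over a few constructed syslog lines. The interface prefix table, hostnames and sample lines are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original post); hostnames,
# sequence numbers and interfaces are made up. The wording follows the usual
# Cisco IOS "%PM-4-ERR_DISABLE" message.
SAMPLE_LOGS = [
    "Mar  1 10:00:01 sw-access-01 123: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state",
    "Mar  1 10:00:07 sw-access-01 124: %PM-4-ERR_DISABLE: bpduguard error detected on GigabitEthernet1/0/5, putting GigabitEthernet1/0/5 in err-disable state",
    "Mar  1 10:02:13 sw-access-02 310: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/12, putting Fa0/12 in err-disable state",
    "Mar  1 10:03:00 sw-access-02 311: %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to down",
]

# Short-to-long interface prefix table (assumed; extend it for your platforms).
SHORT_PREFIXES = {
    "et": "Ethernet",
    "fa": "FastEthernet",
    "gi": "GigabitEthernet",
    "te": "TenGigabitEthernet",
    "tw": "TwoGigabitEthernet",
    "twe": "TwentyFiveGigE",
    "fo": "FortyGigabitEthernet",
    "hu": "HundredGigE",
    "po": "Port-channel",
    "vl": "Vlan",
    "lo": "Loopback",
}
# Lower-cased long names, so "gigabitethernet1/0/5" is canonicalised too.
LONG_PREFIXES = {v.lower(): v for v in SHORT_PREFIXES.values()}

# Alphabetic prefix followed by the slot/port suffix (digits, slashes, dots).
INT_RE = re.compile(r"^(?P<prefix>[A-Za-z-]+)(?P<suffix>\d[\d/.]*)$")
# host, cause and interface out of a syslog line carrying %PM-4-ERR_DISABLE.
ERR_DISABLE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+\d+:\s+"
    r"%PM-4-ERR_DISABLE:\s+(?P<cause>[\w-]+) error detected on (?P<interface>[^,\s]+),"
)


def normalize_interface(name: str) -> str:
    """Expand 'Gi1/0/5' to 'GigabitEthernet1/0/5'. Already-long names are
    canonicalised; names with an unknown prefix are returned unchanged."""
    m = INT_RE.match(name)
    if not m:
        return name
    prefix = m.group("prefix").lower()
    long_name = SHORT_PREFIXES.get(prefix) or LONG_PREFIXES.get(prefix)
    return long_name + m.group("suffix") if long_name else name


def err_disabled_stats(lines):
    """Count err-disable events by (host, normalized interface, cause),
    mirroring `stats count(src_interface) AS Amount BY host,src_interface,disable_cause`."""
    counts = Counter()
    for line in lines:
        m = ERR_DISABLE_RE.search(line)
        if not m:
            continue  # not an ERR_DISABLE event (e.g. the LINK-3-UPDOWN line)
        key = (m.group("host"), normalize_interface(m.group("interface")), m.group("cause"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (host, interface, cause), amount in err_disabled_stats(SAMPLE_LOGS).most_common():
        print(f"{host:14} {interface:24} {cause:18} {amount}")
```

The two sw-access-01 lines spell the same port differently and still land in one row with Amount 2, which is the property the alert relies on; without the normalisation step the same port would show up twice and a threshold on Amount would under-count.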

Cisco-IOS-spanning_tree

eventtype="cisco_ios-spanning_tree" index IN (*) mnemonic=LOOPGUARD_BLOCK | fields _time, host, facility, mnemonic, src_interface, dest_interface, src_vlan, src_mac, spanning_tree_instance, action

Cisco-IOS-unsupported-access-point

eventtype="cisco_ios-lwapp_akita_err" index IN (*) | table _time,host,ap_mac

Cisco-IOS-wrong-PSK

eventtype=cisco_ios index IN (*) product="WLC" vendor_explanation="A client may be attempting to access the network with an improperly configured PSK." | rex field=message_text "(?<src_mac>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2})" | rex field=message_text mode=sed "s/([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}/XX:XX:XX:XX:XX:XX/g" | stats latest(_time) AS _time, count by dvc,facility,mnemonic,src_mac,message_text,vendor_explanation | sort -count

Cisco-IOS-client-blacklisted (a client exceeded the maximum number of authentication attempts, typically by retrying with a wrong password)

eventtype=cisco_ios index IN (*) product="WLC" vendor_explanation="Client authentication has failed because the maximum number of authentication attempts permitted by the authentication was exceeded. If blacklisting is configured, the client will be blacklisted." | rex field=message_text "(?<src_mac>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2})" | rex field=message_text mode=sed "s/([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}/XX:XX:XX:XX:XX:XX/g" | stats latest(_time) AS _time, count by dvc,facility,mnemonic,src_mac,message_text,vendor_explanation | sort -count

Cisco-IOS-radius-problem (a RADIUS server stops responding)

eventtype=cisco_ios index IN (*) product="WLC" vendor_explanation="A RADIUS server failed to respond to a request for STA." | rex field=message_text "(?<src_mac>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2})" | rex field=message_text mode=sed "s/([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}/XX:XX:XX:XX:XX:XX/g" | stats latest(_time) AS _time, count by dvc,facility,mnemonic,src_mac,message_text,vendor_explanation | sort -count
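The three WLC alerts above (wrong PSK, client blacklisted, RADIUS problem) share the same two-step MAC handling: the first rex copies the first MAC in the message into src_mac, and the sed rex then masks every MAC in message_text, so that two messages about the same client that differ only in an AP or BSSID MAC collapse into one row of the stats, with count and latest(_time) per client. The following Python is an added example, not code from the post or from the Splunk app: it re-implements that extraction, masking and grouping over constructed events. The facility and mnemonic values are placeholders rather than real WLC message identifiers, and the MACs and timestamps are made up.

```python
import re

# Constructed sample events (not from the original post). "facility" and
# "mnemonic" are placeholders, not real WLC message identifiers.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dvc": "wlc-01", "facility": "DOT1X", "mnemonic": "PSK_FAIL",
     "message_text": "Client 00:11:22:33:44:55 failed PSK authentication on AP a4:b1:c2:d3:e4:f5 slot 0"},
    # same client, different AP: must end up in the same row as the event above
    {"_time": 1700000030, "dvc": "wlc-01", "facility": "DOT1X", "mnemonic": "PSK_FAIL",
     "message_text": "Client 00:11:22:33:44:55 failed PSK authentication on AP a4:b1:c2:d3:e4:f6 slot 0"},
    {"_time": 1700000060, "dvc": "wlc-01", "facility": "DOT1X", "mnemonic": "PSK_FAIL",
     "message_text": "Client 66:77:88:99:aa:bb failed PSK authentication on AP a4:b1:c2:d3:e4:f5 slot 0"},
    # no MAC at all: src_mac is null, so stats BY src_mac drops it
    {"_time": 1700000090, "dvc": "wlc-01", "facility": "DOT1X", "mnemonic": "PSK_SUMMARY",
     "message_text": "3 PSK failures in the last minute"},
]

# Same pattern as the page's first rex: the first MAC in the message is the client.
MAC_RE = re.compile(r"(?P<src_mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")
# Same pattern as the page's sed rex; {1,2} also catches non-zero-padded octets.
MASK_RE = re.compile(r"(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}")
MASK = "XX:XX:XX:XX:XX:XX"


def extract_src_mac(text):
    """First MAC in the message, or None when there is none."""
    m = MAC_RE.search(text)
    return m.group("src_mac") if m else None


def mask_macs(text):
    """Replace every MAC in the message with XX:XX:XX:XX:XX:XX."""
    return MASK_RE.sub(MASK, text)


def group_events(events):
    """Mirror `stats latest(_time) AS _time, count by dvc,facility,mnemonic,
    src_mac,message_text | sort -count`. vendor_explanation is fixed by the
    search filter, so it is left out of the key here."""
    groups = {}
    for ev in events:
        src_mac = extract_src_mac(ev["message_text"])
        if src_mac is None:
            continue  # null BY-field: Splunk's stats drops the event too
        key = (ev["dvc"], ev["facility"], ev["mnemonic"], src_mac, mask_macs(ev["message_text"]))
        row = groups.setdefault(key, {"count": 0, "_time": 0})
        row["count"] += 1
        row["_time"] = max(row["_time"], ev["_time"])  # latest(_time)
    return sorted(groups.items(), key=lambda kv: kv[1]["count"], reverse=True)


if __name__ == "__main__":
    for (dvc, facility, mnemonic, src_mac, message), row in group_events(SAMPLE_EVENTS):
        print(f'{row["_time"]} {dvc} {facility}-{mnemonic} {src_mac} count={row["count"]} "{message}"')
```

Because src_mac is taken before the masking runs, the grouping key still distinguishes clients while the masked message_text no longer distinguishes APs; run the sed step first and src_mac would be extracted from a string that already reads XX:XX:XX:XX:XX:XX. The `{1,2}` octet width in the mask is looser than the `{2}` used for extraction, which is convenient for sloppily formatted messages but will also rewrite any other colon-separated run of six short hex groups, so check the masked output if the messages ever carry IPv6 fragments.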

Cisco-IOS-routing-problem (routing adjacencies are lost)

eventtype=cisco_ios-routing index IN (*) | eval routing_protocol = case(eventtype == "cisco_ios-routing-ospf", "OSPF", eventtype == "cisco_ios-routing-dual", "EIGRP", eventtype == "cisco_ios-routing-bgp", "BGP", eventtype == "cisco_ios-routing-ldp", "LDP", eventtype == "cisco_ios-routing-isis", "ISIS", eventtype == "cisco_ios-routing-rsvp", "RSVP", eventtype == "cisco_ios-routing-pim", "PIM") | search (routing_protocol="*") message_text="*down*" | fields _time host routing_protocol protocol process_id as_number src_ip vrf src_interface state_from state_to reason message_text
