SBA for Enterprise Organizations -- Borderless Networks Splunk ...

Splunk SIEM Partner Guide

February 2012 Series


Preface

Who Should Read This Guide

This Cisco® Smart Business Architecture (SBA) guide is for people who fill a variety of roles:

• Systems engineers who need standard procedures for implementing solutions

• Project managers who create statements of work for Cisco SBA implementations

• Sales partners who sell new technology or who create implementation documentation

• Trainers who need material for classroom instruction or on-the-job training

In general, you can also use Cisco SBA guides to improve consistency among engineers and deployments, as well as to improve scoping and costing of deployment jobs.

Release Series

Cisco strives to update and enhance SBA guides on a regular basis. As we develop a new series of SBA guides, we test them together, as a complete system. To ensure the mutual compatibility of designs in Cisco SBA guides, you should use guides that belong to the same series.

All Cisco SBA guides include the series name on the cover and at the bottom left of each page. We name the series for the month and year that we release them, as follows:

month year Series

For example, the series of guides that we released in August 2011 are the "August 2011 Series".

You can find the most recent series of SBA guides at the following sites:

Customer access: http://www.cisco.com/go/sba

Partner access: http://www.cisco.com/go/sbachannel

How to Read Commands

Many Cisco SBA guides provide specific details about how to configure Cisco network devices that run Cisco IOS, Cisco NX-OS, or other operating systems that you configure at a command-line interface (CLI). This section describes the conventions used to specify commands that you must enter.

Commands to enter at a CLI appear as follows:

configure terminal

Commands that specify a value for a variable appear as follows:

ntp server 10.10.48.17

Commands with variables that you must define appear as follows:

class-map [highest class name]

Commands shown in an interactive example, such as a script or when the command prompt is included, appear as follows:

Router# enable

Long commands that line wrap are underlined. Enter them as one command:

wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100

Noteworthy parts of system output or device configuration files appear highlighted, as follows:

interface Vlan64 ip address 10.5.204.5 255.255.255.0

Comments and Questions

If you would like to comment on a guide or ask questions, please use the forum at the bottom of one of the following sites:

Customer access: http://www.cisco.com/go/sba

Partner access: http://www.cisco.com/go/sbachannel

An RSS feed is available if you would like to be notified when new comments are posted.


ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.

Table of Contents

What's In This SBA Guide
  Route to Success

Cisco SBA Overview
  What is Splunk?
  Business Benefits
  Security Benefits
  IT Operations Benefits

Technology Partner Product Overview
  Solution Highlights

Deployment Details
  Splunk and the Cisco Applications and Add-Ons
  Setting up Splunk
  Receiving syslog from Cisco Firewalls
  Receiving IPS Events Using SDEE
  Receiving Logs from a Cisco WSA
  Receiving Raw Events from Cisco Security MARS
  Receiving Logs from a Cisco IronPort Email Security Appliance
  Understanding Additional Splunk for Cisco Security Content: Landing Page
  BotNet Overview
  Global Threat Correlation Overview
  Maintaining and Updating Splunk for Cisco Apps and Add-ons

Products Verified with Cisco SBA

What's In This SBA Guide

About SBA

Cisco SBA helps you design and quickly deploy a full-service business network. A Cisco SBA deployment is prescriptive, out-of-the-box, scalable, and flexible.

Cisco SBA incorporates LAN, WAN, wireless, security, data center, application optimization, and unified communication technologies—tested together as a complete system. This component-level approach simplifies system integration of multiple technologies, allowing you to select solutions that solve your organization's problems—without worrying about the technical complexity.

For more information, see the How to Get Started with Cisco SBA document: http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/SBA_Getting_Started.pdf

About This Guide

This additional deployment guide includes the following sections:

• Business Overview—The challenge that your organization faces. Business decision makers can use this section to understand the relevance of the solution to their organizations' operations.

• Technology Overview—How Cisco solves the challenge. Technical decision makers can use this section to understand how the solution works.

• Deployment Details—Step-by-step instructions for implementing the solution. Systems engineers can use this section to get the solution up and running quickly and reliably.

This guide presumes that you have read the prerequisite guides, as shown on the Route to Success below.

Route to Success figure (ENT BN). Prerequisite Guides: Design Overview, Internet Edge Deployment Guide, Cisco SIEM Deployment Guide. You are Here: Splunk SIEM Partner Guide.

Route to Success

To ensure your success when implementing the designs in this guide, you should read any guides that this guide depends upon—shown to the left of this guide on the route above. Any guides that depend upon this guide are shown to the right of this guide.

For customer access to all guides: http://www.cisco.com/go/sba

For partner access: http://www.cisco.com/go/sbachannel


Cisco SBA Overview

Cisco Smart Business Architecture (SBA)—Borderless Networks (BN) for Enterprise Organizations offers partners and customers valuable network design and deployment best practices, helping organizations deliver a superior end-user experience that includes switching, routing, security and wireless technologies combined with comprehensive management capabilities for the entire system. Customers can use the guidance provided in the architecture and deployment guides to maximize the value of their Cisco network in a simple, fast, affordable, scalable and flexible manner.

Figure 1 - Splunk Integrated into Cisco SBA—BN for Enterprise Organizations

The modular design of the architecture means that technologies can be added when the organization is ready to deploy them. The architecture also provides Cisco-tested configurations and topologies which CCNA-level engineers can use for design and installation, and to support organizational needs.

Cisco offers a number of options to provide security management capabilities. This guide is focused on our partnership with Splunk to provide an affordable, easy-to-use security management solution.


What is Splunk?

Splunk is software that provides a unique view across your entire IT infrastructure from one place and in real time. Splunk enables you to search, report, monitor and analyze streaming and historical data from any source, and speeds investigation of security incidents. Critical systems can be monitored to avoid service degradation or outages and compliance is delivered at lower cost. New business insights are gleaned from your IT data.

Splunk can index any time-stamped ASCII text with none of the typical device support and new version restrictions seen from other products that accept log data. If new versions of Cisco data sources are released, Splunk makes the data sources available to you indexed and ready for use. You choose when and where to use the new data. Splunk also accepts multi-line application data without the need for translators or connectors.

Figure 2 - Splunk for Cisco Security Real-Time Dashboard

Business Benefits

Splunk helps its customers make better business decisions by taking machine generated data and applying a forensics and analytics approach to security and event management as well as IT operations management.

• Any time-stamped ASCII text machine generated data can be indexed with Splunk, including custom application logs.

• Splunk's search language includes analytical commands used to create tables, counts, charts, and other objects that help make data compelling.

• Time charts and other graphical trending elements used in dashboards can provide executives with a risk management picture customized to your data and your business requirements.

• Splunkbase provides apps and add-ons to improve the user experience and provide out-of-the-box solutions to use cases.

• Splunk breaks down barriers between the IT operations and security teams, resulting in faster problem resolution.

• Security and application data can be viewed in context, and data trends examined, so that key performance indicators (KPIs) can be established and outliers identified.

Security Benefits

Splunk supports a forensics approach to security event management. Looking for patterns in log data from Cisco security devices and viewing them in context of other log data provides a comprehensive view of what's happening in your IT architecture. Using Splunk, the security team can harness their knowledge to model attack vectors and attack patterns based on conditions that might be seen in log data.

Examples:

• Review the series of events documented in log data that take place from the moment a piece of malware is downloaded into the environment.

• Set Splunk to report on levels of traffic between hosts or network segments that do not ordinarily communicate with each other.

• Augmentation of a data loss prevention system (DLP) by monitoring email traffic levels between individuals and the amount or size of attachments sent.

Depending on the environment, each of these scenarios can include one or more Cisco security solutions.


Splunk does not force the user to make compromises on what data the security team can collect due to either schema or scalability issues. When a search across data sources is constructed, the user can save, run, and send the search results and graphical reports to others in PDF format on a scheduled basis. The search can also become a security dashboard element for display. Existing Splunk customers use this display in their security operations center.

Figure 3 - Drill Down from Graph to Report to Log Data

To add additional context to security events, Splunk has the ability to connect to external sources of data and pull this data into reports or dashboards in Splunk. Augmenting security data with information from an asset database about the asset owner, email, phone number, location, or department can help decrease response times. Asset databases also may contain information about asset classifications, priority, or whether the host has personal information on it. This information can also be displayed in Splunk.

• Splunk breaks down silo barriers between the IT operations and the security teams, resulting in faster problem resolution.

• Direct drill-down from any part of a dashboard to the underlying logs speeds security investigations (Figure 3).

• Additional information from other data sources such as personnel databases, Active Directory, or asset management databases can be pulled into Splunk to add context to security and operations events.

• Search results from a security investigation—whether from single or multiple log sources—can immediately be turned into a condition that can be monitored in real time.

IT Operations Benefits

Understanding the effect of security issues on the IT operations team is critical for the reliability of key business systems. Issues that affect top line revenue such as being able to receive orders for goods and services and reputation issues that could result from the loss of private data get visibility at the highest levels of the organization.

Splunk's ability to consume and report on application data and security data together dramatically speeds up forensics investigations. There are cases where operations and security teams have separate troubleshooting systems, which keep these teams in separate silos. This makes it harder for root cause analysis to be determined. The question "is it an application issue or a security issue," can take hours to completely comprehend. Being able to use the same system to understand the effect of security issues on mission critical applications and the data they contain is key to all tenets of security—confidentiality, integrity and availability.

• Splunk can provide a single pane of glass for the security and IT operations teams.

• Splunk can help the team understand and pinpoint infrastructure issues.

• Operational metrics and security metrics can be tied together enabling better business decisions and metrics monitoring.

Splunk and Cisco working together have endeavored to provide a consolidated view into log data coming from some of the best and most popular Cisco security products while preserving the key capability of Splunk to accept and index any data from any source—including multiline application data—and apply analytics to searches resulting in new insight into security issues over time.


Technology Partner Product Overview

Splunk for Cisco Security consists of apps and add-ons to Splunk that are freely available on Splunk's website www.splunkbase.com. The Cisco apps and add-ons, once installed, provide the user with 12 dashboards and over 60 reports with views of historical data and real-time log data from Cisco security devices and software. This gives the user that has a Cisco-centric security environment situational awareness not only for each of these systems, but also in combinations that provide insight into security issues as they arise. The Cisco apps and add-ons are offered on a per solution basis so the user can download and install only those needed.

Figure 4 - Main Menu Bar

The Cisco apps and add-ons are compatible with other apps and add-ons in Splunkbase. The user can download additional apps or add-ons that are appropriate for their IT architecture. Once installed, the apps can be seen under the App pulldown menu. The provided dashboards and reports are extensible. If the user wants or needs additional reports, decides to re-arrange or add to a dashboard, or pull in contextual data from a third-party source, this is easily supported in Splunk.

With the exception of the MARS archive, each supported Cisco solution has its own overview dashboard and real-time information view. Any dashboard element or report can be clicked to provide a drill-down into the underlying log data and show the data on a chronological timeline.

Solution Highlights

Cisco IronPort Email Security Appliance

For all businesses email is a mission critical business enabler and communications tool. Yet nearly 90% of email activity is invalid (spam, viruses, etc.). Because email is an attack vector for viruses and other forms of malware, the security team needs to deploy a security solution that will provide appropriate protection against email-based attacks and cut the amount of invalid email traffic while still supporting the business. The Cisco IronPort Email Security add-on makes transaction mining simple through form search dashboards that allow you to enter information about the mail transaction, sender, receiver and attachments and easily mine for any transaction nested in the Email Security Appliance logs. Splunk provides scalable, out-of-the-box reporting, and saved searches, that represent the most requested searches and analytics.

Figure 5 - Cisco Email Form Search


Splunk and Cisco IronPort Web Security Appliance

Figure 6 - Cisco WSA Dashboard

The number of web-borne security threats caused by simply surfing the Internet has reached record proportions. It's very easy for employees surfing the web to become complacent and click on a link that might result in the installation of a key-logger, root-kit, or some other form of malware. Surfing to certain destinations can violate appropriate use policies for employer-owned computer equipment. According to a recent survey, a rapid escalation in employee web surfing can be an indication of an employee that no longer values his or her employer's time, may be looking to leave the company and perhaps take proprietary company information with them. Splunk helps track and report on web surfing as reported by the Cisco IronPort Web Security Appliance (WSA). Splunk puts a human resources (HR) professional's perspective to work when analyzing data from WSA and supports security teams that regularly need to provide employee surfing histories as evidence in HR actions.

Splunk and Cisco Intrusion Prevention Systems

Figure 7 - IPS Dashboard

Security Device Event Exchange (SDEE) is a specification for the message formats and the messaging protocol used to communicate the events generated by security devices. SDEE was implemented in the Cisco IPS 4200 Series Sensors beginning with v5.0, which in turn deprecated Cisco Remote Data Exchange Protocol (RDEP) for collecting Intrusion Prevention System (IPS) events. SDEE provides a richer level of reporting. IPS functionality is supported wherever the IPS module is implemented or installed. For example, Cisco routers and ASA 5500 Series Adaptive Security Appliances with an IPS module installed can also produce SDEE log data. The SDEE support extends to include Cisco's global threat correlation if available. The SDEE add-on provides a translation of the SDEE XML format to a key-value pair format easily understood by Splunk and is required for Splunk customers that need to view and report on IPS data.


Splunk for Cisco Firewall

Figure 8 - Cisco Firewall Dashboard

The Cisco ASA 5500 Series Adaptive Security Appliance (ASA) represents an evolution that began with the Cisco PIX first released in 1994. As threats have evolved so has the Cisco perimeter firewall which, in addition to firewall capabilities, includes IPS, VPN, and content security functionality. In the initial release of the firewall add-on, firewall and IPS log data (further addressed in the SDEE section) are collected and classified using tags, field extractions, and saved searches. Connections accepted and denied by port are just a small sample of the information available via the add-on.

Splunk for Cisco Security Wrapper

The Splunk for Cisco Security application is a wrapper app exposing additional searches, reports and dashboards from the supported Cisco add-ons. In addition, extended content supports Cisco's Global Threat Reputation and Botnet filtering features, and real-time geo-mapping of Cisco security events and attacks. Downloading and installing this add-on makes sense for those users that have two or more of the Cisco security solutions discussed above. The dashboards included in the wrapper reflect a richer experience for the security professional looking to perform root cause analysis.

The app requires you have one or more of the supported add-ons installed:

• Splunk for Cisco Firewalls (add-on): http://www.splunkbase.com/apps/All/4.x/Add-On/app:Cisco+Firewalls+Add-On

• Splunk for Cisco IPS (add-on): http://www.splunkbase.com/apps/All/4.x/AddOn/app:Cisco+IPS+SDEE+Data+Collector

• Splunk for Cisco IronPort Web Security (app): http://www.splunkbase.com/apps/All/4.x/App/app:Cisco+IronPort+Web+Security+Application

• Splunk for Cisco IronPort Email Security (app): http://www.splunkbase.com/apps/All/4.x/Add-On/app:Cisco+IronPort+E-mail+Security+Add+On

• Splunk for Cisco Client Security Agent (add-on): http://www.splunkbase.com/apps/All/4.x/Add-On/app:Cisco+Client+Security+Agent+Add+On

• Splunk for Cisco Wrapper: http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+for+Cisco+Security

• Cisco Security MARS archives: http://www.splunkbase.com/apps/All/4.x/app:Cisco+MARS+Archive+Add-on

Tech Tip: In order to automatically retrieve geographical info on public IP addresses you will need to install the MAXMIND Geo Location app on SplunkBase. The app can be found here: Geo Lookup Script http://www.splunkbase.com/apps/All/4.x/Add-On/app:Geo+Location+Lookup+Script


Cisco Product Splunk Collection Method

Log collection method: Splunk is scalable software that can be used as a lightweight forwarder, an indexer, and/or a search-head based on configuration settings.

Number of Users (Admin): Unlimited

Cisco Devices (data format):

• ASR: Syslog

• ASA: Syslog

• IPS: SDEE

• IOS: Syslog

• ESA: W3C

• WSA: Syslog (or Squid format)

• FWSM: Syslog

• Cisco Security MARS: Archive

Events Per Second: 150,000+ depending on customer supplied hardware and solution architecture. Splunk scales to terabytes per day.

Deployment Details

Splunk and the Cisco Applications and Add-Ons

This section outlines the steps required to configure Splunk to process log data from Cisco devices, including the CS-MARS SEM product.

Process

Setting up Splunk

1. Splunk Installation Quickstart

2. Accepting Cisco Data Sources

Splunk will run on Windows, Linux, Solaris, Mac OS, FreeBSD, AIX, and HP-UX. This section provides an overview of how to set up Splunk on a single host. Additional information on scalability, using Splunk as a lightweight forwarder, and other Splunk documentation can be found on the Splunk website: http://www.splunk.com/base/Documentation/latest/User/SplunkOverview

Although much of what is described below are basic requirements for setting up Splunk for the first time, this document assumes that the user is setting up Splunk for the first time with additional Cisco Apps on a single four core commodity server with eight gigabytes of RAM. The instructions below reflect running Splunk with a default Red Hat Linux installation.

Procedure 1 Splunk Installation Quickstart

Step 1: Install the Splunk RPM.

To install the Splunk RPM in the default directory /opt/splunk:

rpm -i splunk_package_name.rpm

To install Splunk in a different directory, use the --prefix flag:

rpm -i --prefix=/opt/new_directory splunk_package_name.rpm

Step 2: Start Splunk. At the command prompt in a command shell type:

./splunk start

After you start Splunk and accept the license agreement, this will spawn two processes: Splunkd and Splunkweb.

Step 3: In a browser window, access Splunk Web at http://<hostname>:port

• hostname is the host machine.

• port is the port you specified during the installation (the default port is 8000).

Step 4: The first time you log in to Splunk Enterprise, the default login details are:

Username: admin

Password: changeme

Tech Tip: The free version of Splunk does not have access controls. To switch from the free version to the paid version, purchase and apply the appropriately sized license.


Procedure 2 Accepting Cisco Data Sources

Each of the following apps and add-ons should be installed into the apps folder in the etc directory. For each app or add-on you install, verify that the appropriate sourcetype is set when configuring the data input.

Figure 9 - Apps installed into /splunk/etc/apps

Process

Receiving syslog from Cisco Firewalls

Step 1: To install this add-on, unpack this file into $SPLUNK_HOME/etc/apps and restart Splunk. In order to get the firewall data into Splunk you will need to configure a port on the Splunk server to listen for UDP or TCP traffic. Refer to http://www.splunk.com/base/Documentation/latest/admin/MonitorNetworkPorts for details on this process.

Step 2: Configure the firewall device to direct syslog traffic to the Splunk server. Refer to the Cisco Security Information Event Management Deployment Guide for details.

Step 3: (optional) The add-on will rename the sourcetype of your firewall events to cisco_firewall. If you have previously added Cisco Firewall data as a data source and would like to preserve the current sourcetype for reporting purposes, you can create an alias in the local directory of this app.

To create a sourcetype alias, add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/cisco_firewall_addon/local):

[cisco_firewall]
rename = your_current_firewall_sourcetype

The field extractions are set to sourcetype=cisco_firewall, which is keyed off of %ASA, %PIX and %FWSM. All of the reports use eventtype=cisco_firewall; the default cisco_firewall eventtype looks for %ASA, %PIX or %FWSM in your data.

The real time and overview dashboards as well as the included searches and reports in this add-on rely on the search eventtype=cisco_firewall in order to report on firewall data. There is one scheduled search included in this add-on which creates a cache for the dashboard every 3 hours with a Splunk enterprise license.

To change the schedule you can edit the following search under the manager: Cisco Firewall – Data Cube
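As an added example (not code from the guide or the add-on), the Python below mirrors what the default cisco_firewall eventtype does, a marker match on %ASA, %PIX or %FWSM, over a few constructed syslog lines, then pulls out the message id and tabulates denied connections by destination port, one of the reports the add-on provides. The sample lines, the regular expressions and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the guide); addresses are
# RFC 5737 documentation ranges plus the guide's 10.5.204.0/24 example subnet.
SAMPLE_SYSLOG = [
    '<166>Jan 15 2012 10:22:01 fw1 : %ASA-6-302013: Built outbound TCP connection 1001 '
    'for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.5.204.20/51514 (10.5.204.20/51514)',
    '<164>Jan 15 2012 10:22:02 fw1 : %ASA-4-106023: Deny tcp src outside:198.51.100.9/41000 '
    'dst inside:10.5.204.5/22 by access-group "outside_access_in" [0x0, 0x0]',
    '<164>Jan 15 2012 10:22:03 fw1 : %ASA-4-106023: Deny tcp src outside:198.51.100.9/41001 '
    'dst inside:10.5.204.5/22 by access-group "outside_access_in" [0x0, 0x0]',
    '<166>Jan 15 2012 10:22:04 fw2 : %PIX-6-302014: Teardown TCP connection 2002 '
    'for outside:203.0.113.4/80 to inside:10.5.204.21/40000 duration 0:00:05 bytes 1200 TCP FINs',
    '<164>Jan 15 2012 10:22:05 fw3 : %FWSM-4-106023: Deny udp src outside:203.0.113.8/5353 '
    'dst inside:10.5.204.5/53 by access-group "outside_in" [0x0, 0x0]',
    # An IOS router message: carries none of the firewall markers and must be ignored.
    '<189>Jan 15 2012 10:22:06 rtr1 : %SYS-5-CONFIG_I: Configured from console by admin',
]

# The add-on's default eventtype matches events that contain one of these markers.
FIREWALL_MARKERS = ("%ASA", "%PIX", "%FWSM")

# %<platform>-<severity>-<message id>: is the fixed prefix of ASA/PIX/FWSM syslog.
MSG_ID_RE = re.compile(r"%(?P<platform>ASA|PIX|FWSM)-(?P<severity>\d)-(?P<msg_id>\d+):")
# "dst <interface>:<ip>/<port>" as it appears in 106023 (deny by ACL) messages.
DST_RE = re.compile(r"\bdst\s+\S+?:(?P<ip>[\d.]+)/(?P<port>\d+)")


def is_cisco_firewall_event(line):
    """Same test as eventtype=cisco_firewall: any firewall marker in the event."""
    return any(marker in line for marker in FIREWALL_MARKERS)


def parse_firewall_event(line):
    """Return platform, severity, message id, action and (if present) the
    destination ip/port of a firewall syslog line, or None if it is not one."""
    m = MSG_ID_RE.search(line)
    if not m:
        return None
    rest = line[m.end():].lstrip()
    event = {
        "platform": m.group("platform"),
        "severity": int(m.group("severity")),
        "msg_id": m.group("msg_id"),
        # First word of the message text: Built / Deny / Teardown / ...
        "action": rest.split(" ", 1)[0],
    }
    d = DST_RE.search(rest)
    if d:
        event["dst_ip"] = d.group("ip")
        event["dst_port"] = int(d.group("port"))
    return event


def denied_by_port(lines):
    """Count 'Deny' events per destination port, skipping non-firewall lines."""
    counts = Counter()
    for line in lines:
        if not is_cisco_firewall_event(line):
            continue
        ev = parse_firewall_event(line)
        if ev and ev["action"] == "Deny" and "dst_port" in ev:
            counts[ev["dst_port"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for port, n in sorted(denied_by_port(SAMPLE_SYSLOG).items()):
        print("denied to port %d: %d" % (port, n))
```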

Process

Receiving IPS Events Using SDEE

Step 1: To install this add-on, you will need to unpack this file into $SPLUNK_HOME/etc/apps, create or modify local/inputs.conf and restart.

Step 2: Open the inputs.conf file located at $SPLUNK_HOME/etc/apps/cisco_ips_addon/local/inputs.conf

Step 3: Create an entry for each sensor you would like to monitor using the following stanza:

[script://$SPLUNK_HOME/etc/apps/cisco_ips_addon/bin/get_ips_feed.py]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = false
interval = 1

The scripted input creates a sensor_ip.run file in the $SPLUNK_HOME/etc/apps/cisco_ips_addon/var/run directory which is updated each time Splunk attempts to connect to a sensor. If you are having issues connecting to a sensor or are not seeing IPS data in Splunk the following search may be used for troubleshooting:

index="_internal" sourcetype="sdee_connection"


The real time and overview dashboards as well as the included searches and reports in this add-on rely on the search eventtype=cisco_ips in order to report on Cisco IPS data.

Tech Tip: Create an entry for each sensor you would like to monitor using the following stanza, passing the sensor credentials and address as script arguments: [script://$SPLUNK_HOME/etc/apps/cisco_ips_addon/bin/get_ips_feed.py <user> <pass> <ips_ip>]

Step 4: (optional) There is one scheduled search included in this add-on which creates a cache for the dashboard every 3 hours with a Splunk enterprise license. To change the schedule you can edit the following search under the manager: Cisco IPS – Data Cube

Process

Receiving Logs from a Cisco WSA

1. Getting WSA Data into Splunk

2. Extracting Relevant WSA Fields

3. Extracting Fields from W3C Format

4. Using Reports and Dashboards for Web Traffic

5. Configuring and Modifying Lookup Values

The reports and dashboards included in this app rely on eventtype="ironport_proxy" and all relevant fields in order to report on the Cisco IronPort Web Security Appliance data. By default, there is an ironport_proxy eventtype with: search = sourcetype=cisco_wsa*

If you already have IronPort web data in your Splunk index and are extracting the fields you can simply save an eventtype with the name ironport_proxy. You will still need to configure the lookups for your proxy logs. Instructions on how to do this can be found below under: Configuring and Modifying Lookup Values

If you already have IronPort web data in your Splunk index but do not have the fields extracted, you will find instructions on how to set up field extractions below under: Extracting Relevant IronPort Web Fields

Quick Start: If you have not indexed any IronPort web data and the logs are already accessible to your Splunk server in the squid format, you can simply create a data input that monitors the directory containing the squid formatted logs and set the sourcetype to cisco_wsa_squid

Procedure 1 Getting WSA Data into Splunk

Configure your Cisco IronPort WSA to schedule an export of the access logs to a directory accessible by the Splunk Server in either the squid or w3c format. The recommended interval for this is 15 minutes. Please note that the squid logging option provides a fixed format and the app includes field extractions for this. For the w3c format you will need to supply the field header in order for the app to function – this simple step is explained later in this document.

After the data is in a directory accessible by the Splunk server, you will need to configure a data input to monitor that directory. Instructions on how to configure a data input can be found here: http://www.splunk.com/base/Documentation/latest/Admin/WhatSplunkCanMonitor

When configuring the data input, you will need to select manual and set cisco_wsa_squid or cisco_wsa_w3c as the sourcetype value.

If you exported the Cisco WSA access logs in the squid format and set the sourcetype to cisco_wsa_squid there is nothing more to configure at this point.

Tech Tip: If you require an alternative name for the sourcetype due to naming conventions within your organization you will need to follow the steps below for configuring eventtypes and field extractions for already indexed IronPort web data.


Procedure 2 Extracting Relevant WSA Fields

TheSplunkforCiscoIronPortWSAappcontainsfieldextractionsforthesquidformattedaccesslogs.Ifyouhavealreadyindexedthesquidaccesslogs under a different sourcetype, you will need to create sourcetype alias for the existing sourcetype, or map the field extractions and event typetoyourexistingsourcetype.Tocreateasourcetypealiassimplyaddthefollowingentrytoprops.confunderthelocaldirectoryofthisapp($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):

[put_ironport_web_squid_sourcetype_here]
rename = cisco_wsa_squid

If you prefer to map your existing sourcetype to the field extractions and eventtype, add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):

[put_ironport_web_squid_sourcetype_here]
KV_MODE = none
MAX_TIMESTAMP_LOOKAHEAD = 19
REPORT-extract = squid
lookup_table = cat_lookup x_webcat_code_abbr

Add the following entry to eventtypes.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):

[ironport_proxy]
search = sourcetype=put_ironport_web_squid_sourcetype_here

Procedure 3 Extracting Fields from W3C Format

If your Cisco WSA access logs are in a W3C format, you will need to create a DELIMS-based extraction for this log format since this data is space-delimited. The fields value for this extraction will be set to the header of your W3C logs. This is the order in which the fields were selected in the management interface. Alternatively, the field values can be seen at the top of the W3C formatted log file.

To create the field extraction, add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):

[ironport-w3c]
DELIMS = " "
FIELDS = "time","c_ip","field3",...,"field30"

* Be sure to list all of the fields included in the log.

Required fields (the reports require the following fields to function properly):

• cs_username

• c_ip

• x_webcat_code_abbr

• x_webroot_threat_name

• x_wbrs_score

• sc_bytes

• cs_url
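As an added example (not part of the guide or of the app), the following Python script reads the "#Fields:" header from a W3C access log export, normalises the hyphenated W3C names to the underscore form used by the reports (an assumption about how the export names its fields), checks that the required fields listed above are present, and renders the DELIMS/FIELDS stanza with every field listed. The sample log lines are constructed, not a real capture.

```python
"""Build the W3C field-extraction stanza from a WSA access log header."""

# Fields the app's reports require (the list from Procedure 3).
REQUIRED_FIELDS = [
    "cs_username", "c_ip", "x_webcat_code_abbr", "x_webroot_threat_name",
    "x_wbrs_score", "sc_bytes", "cs_url",
]

# Constructed sample of the first lines of a WSA W3C export (not a real
# capture); the header names are assumed to use the hyphenated W3C style.
SAMPLE_LOG = """#Version: 1.0
#Date: 2012-02-01 10:00:00
#Fields: timestamp x-elapsed-time c-ip sc-result-code sc-bytes cs-method cs-url cs-username x-webcat-code-abbr x-webroot-threat-name x-wbrs-score
1328090400.123 45 10.0.0.5 TCP_MISS/200 1234 GET http://example.com/ jdoe comp - 5.6
"""


def w3c_header_fields(log_text):
    """Return the field names from the '#Fields:' line, with hyphens
    replaced by underscores so they match the names the reports expect."""
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            names = line[len("#Fields:"):].split()
            return [name.replace("-", "_") for name in names]
    raise ValueError("no '#Fields:' header found; re-export the log with the header")


def missing_required_fields(fields):
    """Required report fields that the export does not contain."""
    return [f for f in REQUIRED_FIELDS if f not in fields]


def extraction_stanza(fields, stanza="ironport-w3c"):
    """Render the DELIMS/FIELDS stanza from Procedure 3 with every field listed."""
    quoted = ",".join('"%s"' % f for f in fields)
    return "[%s]\nDELIMS = \" \"\nFIELDS = %s\n" % (stanza, quoted)


if __name__ == "__main__":
    fields = w3c_header_fields(SAMPLE_LOG)
    missing = missing_required_fields(fields)
    if missing:
        raise SystemExit("export is missing required fields: %s" % ", ".join(missing))
    print(extraction_stanza(fields))
```

Run it against the first lines of your own export instead of SAMPLE_LOG; if any required field is reported missing, add it in the WSA log subscription before indexing.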


Procedure 4 Using Reports and Dashboards

Reports and dashboards are included to provide visibility into Acceptable Use/Compliance, Web Security Threats and Network Utilization. There are also form-based reports for client profiling and analysis. Creating your own reports and dashboards is quick and easy in Splunk. Details on how to do this can be found here: http://www.splunk.com/base/Documentation/latest/User/AboutReportsAndCharts

The reports rely on the search eventtype=ironport_proxy and all of the required fields listed in Procedure 3. The Acceptable Use dashboards require lookups on usage against the x_webcat_code_abbr field.

The following is a list of the usage fields used by the Acceptable Use dashboards and reports:

• Business Usage (usage="Business")

• Productivity Loss (usage="Personal")

• Legal Liability (usage="Violation")

• Internet Tools (usage="Borderline")

Instructions on how to modify lookup values can be found below.

There are three scheduled searches included in this app which create a cache for the dashboards. They will run every 3 hours with a Splunk enterprise license. To change the schedule, you can edit the following searches under the manager:

• Cisco WSA – Acceptable Use – Data Cube

• Cisco WSA – Security – Data Cube

• Cisco WSA – Network Resources – Data Cube

Procedure 5 Configuring and Modifying Lookup Values

You can modify the usage and severity value for a particular category by editing the following file in the lookups directory of this app:

$SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/lookups/category_map.csv

Process

Receiving Raw Events from Cisco Security MARS

To install this add-on, unpack this file into $SPLUNK_HOME/etc/apps and restart.

Step 1: Configure your MARS instance to schedule an export of the raw message archive logs into a directory accessible by the Splunk Server.

Step 2: Once the data is in a directory accessible by the Splunk server, you will need to configure a data input to monitor the directory containing the MARS archive files. Instructions on how to configure a data input can be found here: http://www.splunk.com/base/Documentation/latest/Admin/WhatSplunkCanMonitor

Step 3: When configuring the data input, you will need to select manual and set the sourcetype to cisco_mars_rm.

Step 4: There is one scheduled search included in this add-on which creates a cache for the dashboard every 3 hours with a Splunk enterprise license. To change the schedule, you can edit the following search under the manager: Cisco MARS Archive – IPS – Data Cube


Process

Receiving Logs from a Cisco IronPort Email Security Appliance

To install this add-on, unpack this file into $SPLUNK_HOME/etc/apps and restart. Next, configure a data input to monitor your IronPort Mail logs, setting the sourcetype to cisco_esa.

If you already have the IronPort Mail logs indexed under a different sourcetype, you will need to update the props.conf and eventtypes.conf files in the local directory of this app.

Step 1: In props.conf, create the following entry, replacing the stanza name with your own name for the sourcetype for your IronPort Mail logs:

[enter_sourcetype_here]
REPORT-ironport = get_mid,get_to,get_from,get_icid,get_dcid,get_attach_name,get_attach_size,get_subject1,get_subject2,get_subject3

Step 2: In eventtypes.conf, create the following entry, replacing the search terms with the sourcetype for your IronPort Mail logs:

[cisco_esa]
search = sourcetype=your_usa_sourcetype
tags = ciscoemailsecurity

The sample reports in this add-on rely on the search eventtype=cisco_esa in order to report on IronPort mail data. There is one scheduled search included in this add-on which creates a cache for the dashboard every 6 hours with a Splunk enterprise license. To change the schedule, you can edit the following search under the manager: Cisco IronPort E-mail – Data Cube


Understanding Additional Splunk for Cisco Security Content: Landing Page

The landing page of the app provides an overall view of your Cisco security events in real time. While each add-on provides a real-time dashboard where applicable, the landing page looks across all Cisco add-ons, plotting the events in real time as they happen, as well as providing an overview of the source and destination IP addresses involved.

There are two geo views available on the landing page: a real-time view and a cached view of the last 24 hours, updated hourly. You may modify this view to include only the events or environments that are of interest to you. In order to modify the schedule or content of the event mapping search, you will need to go into the Manager and edit: Event map

If you would like to create additional map content for use in Splunk dashboards, please download the Splunk for amMap flash maps add-on and documentation located here: http://www.splunkbase.com/apps/All/4.x/Add-On/app:Splunk+for+use+with+amMap+Flash+Maps

BotNet Overview

The BotNet Overview dashboard utilizes Cisco Firewall's BotNet filter, providing a view into the latest BotNet activity in your environment. This dashboard is driven off of a saved search that creates a cache for the dashboard every 3 hours with a Splunk enterprise license.

To change the schedule or the time frame reported on, you can edit the following search under the manager: Cisco BotNet Filter – Data Cube

The BotNet map included with this view maps the geo info from the destination IP of the BotNet request. This map is driven off of the results of Cisco BotNet Filter – Data Cube. To make changes to the search schedule or the time frame, simply edit the search.

Figure 10 - BotNet Dashboard

Global Threat Correlation Overview

The Global Threat Correlation Overview dashboard is comprised of IPS alerts that surpass defined thresholds for a Global Threat Correlation Score. By default this is set to 0. This dashboard is driven off of a saved search that creates a cache for the dashboard every 3 hours with a Splunk enterprise license.

To change the schedule, the time frame reported on, or the GTS threshold, you can edit the following search under the manager: Cisco IPS Global Threat Correlation – Data Cube.

Maintaining and Updating Splunk for Cisco Apps and Add-ons

Copies of all the Cisco Apps and add-ons can be found at www.splunkbase.com free of charge. For notifications of updates to the Cisco apps and add-ons posted to Splunkbase, it is recommended that the user monitor the Splunkbase page via RSS. The RSS icon is located in the upper right part of the Splunkbase web page.

Due to the modular nature of the apps and add-ons, updating and implementing new versions of Splunk over time does not adversely affect the installed apps or add-ons.


Products Verified with Cisco SBA

The Splunk for Cisco Security app version 4.1 has been verified with Cisco Smart Business Architecture using the following software versions:

• Cisco ASA 5500 Series 8.2(1)

• Cisco IOS Software Release 15.0(1)M2

• Cisco IOS XE Release 2.6.1

• Cisco Intrusion Prevention System 7.0.(2)E3

• Cisco IronPort AsyncOS Version 7.1 for Email

• Cisco IronPort AsyncOS Version 6.3 for Web

• Cisco Security MARS 6.0.5.


Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Americas Headquarters
Cisco Systems, Inc.
San Jose, CA

Asia Pacific Headquarters
Cisco Systems (USA) Pte. Ltd.
Singapore

Europe Headquarters
Cisco Systems International BV
Amsterdam, The Netherlands

SMART BUSINESS ARCHITECTURE

C07-608672-0302/12

