Cisco IOS

The Cisco IOS app sets different Cisco specific fields used for identifying data from Cisco IOS, IOS-XE, NX-OS, XR

Install this app on your search head. Install the TA-cisco_ios app on your search head AND indexers.

This version requires TA-cisco_ios 1.5.0 or later.

Supported Cisco Devices:
* Cisco Catalyst series switches (2960, 3650, 3750, 4500, 6500, 6800, 7600 etc.)
* Cisco ASR - Aggregation Services Routers (900, 1000, 5000, 9000 etc.)
* Cisco ISR - Integrated Services Routers (800, 1900, 2900, 3900, 4451 etc.)
* Cisco Nexus Data Center switches (1000V, 2000, 3000, 4000, 5000, 6000, 7000, 9000 etc.)
* Other Cisco IOS based devices (Metro Ethernet, Industrial Ethernet, Blade Switches, Connected Grid etc.)

Preliminary support for:
* Cisco WLC - WLAN Controller

Release Notes


Copyright (C) 2014 Mikael Bjerkeland. All Rights Reserved.

Please contact me on Splunk Base if there is anything you would like to see in this app.

Application Details

Sourcetype(s): cisco:ios Supported Technologies: Cisco IOS, IOS-XE, NX-OS, IOS XR devices Supported Splunk versions: 6.1+

Installation Instructions

The Cisco IOS app can be downloaded, installed, and configured to receive Cisco IOS data by either using the Splunk app setup screen or by manually installing and configuring the app. This app reads from the sourcetype cisco:ios defined in TA-cisco_ios

Setup and configuration

1. Install in $SPLUNK_HOME/etc/apps/cisco_ios

2. Restart Splunk

Optional steps

1. For better change auditing add the following to the running-configuration on your devices:

log config
logging enable
logging size 200
notify syslog contenttype plaintext
login on-failure log
login on-success log
logging userinfo

This ensures that all run commands are logged for Change Management. We sort them by the IOS event_id See Auditing -> Configuration change transactions

2. If you do not want to show ACL hits by local management IPs, add the IPs or subnets to lookups/cisco_ios_acl_excluded_ips.csv

3. For the Auditing -> Time drift view to work correctly, add something along the following on your devices:


service timestamps log datetime msec localtime show-timezone


4. Add something along the following to monitor interface changes:

logging event trunk-status global
logging event link-status global
interface ra Gi1/0/1 - 52
logging event trunk-status
logging event spanning-tree
logging event status

5. (OPTIONAL) For MAC move notifications, STP logging, IP SLA logging etc:

mac address-table notification mac-move
spanning-tree logging
ip sla logging traps
ip dhcp limit lease log
ip dhcp conflict logging ip nat log translations syslog --

6. (OPTIONAL) For DHCP utilization logging on your devices, do this for each pool

utilization mark high 80 log

7. (OPTIONAL) Nexus ACL logging

logging level acllog 6
acllog match-log-level 6
logging logfile messages 6


  • IOS DHCP binding logging (file monitoring)
  • Facility-Mnemonic by software version, by series, by model?

Getting Help

  • Consult Splunk Answers
  • Contact the author:
12 ratings