The Cisco ACI Add-on for Splunk Enterprise gathers data from the Application Policy Infrastructure Controller (APIC) and MSO (Multi-Site Orchestrator), indexes it, and provides the indexed data to the "Cisco ACI App for Splunk Enterprise" app, which runs searches on the indexed data and builds dashboards from it.
Install the main app (Cisco ACI App for Splunk Enterprise) and add-on app (Cisco ACI Add-on for Splunk Enterprise) on a single machine.
* Here both apps reside on a single machine.
* The main app uses the data collected by the Add-on app and builds dashboards on it.
Install the main app and add-on app on a distributed clustered environment.
* Install the App on a Search Head or Search Head Cluster.
* Install and configure the Add-on on a Heavy forwarder or an Indexer. (Heavy forwarder recommended)
Restart Splunk.
Note: If a previous version of the App is already installed, remove the TA_cisco-ACI folder from the Splunk app folder before installing a newer version, or upgrade the app from the Splunk UI.
If the user upgrades the app, ensure that index, sourcetype, and interval are specified for each input in local/inputs.conf.
Please disable all the scripted inputs before upgrading the Add-on (TA_cisco-ACI).
* Download the App package
* From the UI navigate to Apps->Manage Apps
* In the top right corner select "Install app from file"
* Select "Choose File" and select the App package
* Check Upgrade App
* Select "Upload" and follow the prompts.
OR
* If a newer version is available on Splunkbase, the App/Add-on can also be updated from the UI.
* From the UI navigate to Apps->Manage Apps OR click on the gear icon
* Search for Cisco ACI App/Add-on
* Click on 'Update to <version>' under the Version column.
Please follow the below steps.
'-stats' is present, then perform the following steps.
Restart Splunk
Follow the steps below if you are collecting data using Certificate Based Authentication in v4.3.0 OR v4.4.0 and upgrading the Add-on to v5.0.0.
You need to convert your private key to an RSA private key by running the following command in cmd.
Enable all the scripted inputs.
This section provides the steps to uninstall App from a standalone Splunk platform installation.
(Optional) If you want to remove data from Splunk database, you can use the below Splunk CLI clean command to remove indexed data from an app before deleting the app.
Delete the app and its directory. The app and its directory are typically located in the folder $SPLUNK_HOME/etc/apps/<appname> or run the following command in the CLI:
You may need to remove user-specific directories created for your app by deleting any files found here: $SPLUNK_HOME/bin/etc/users/*/<appname>
Restart the Splunk platform. You can navigate to Settings -> Server controls and click the restart button in Splunk web UI or use the following Splunk CLI command to restart Splunk:
The tabs for the above case are explained below:
Configure APIC:
The different modes are:
Password Based Authentication
Certificate Based Authentication
openssl rsa -in <private_key>.key -out <rsa_private_key>.key
To set up APIC with Certificate Based Authentication, follow the steps given below.
Remote User Based Authentication
The user needs to provide both the Password and the Domain Name of the specified user.
To set up APIC with Remote User Based Authentication, follow the steps given below.
Configure MSO:
The different modes are:
Password Based Authentication
Remote User Based Authentication
Fetch Sites button:
By default, SSL verification is enabled. If the MSO or APIC site is configured with a self-signed certificate, refer to the SSL Configuration section.
Follow the steps below to disable SSL verification entirely before configuring credentials through the setup page:
verify_ssl parameter to False under stanza [fetch_sites_ssl]
Note: Enable all the required scripted inputs, if they are not already enabled, to collect data.
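An added example, not part of the add-on or its documentation: a read-only audit of the two hand-edited settings this page describes, reporting stanzas where verify_ssl is switched off and scripted inputs in local/inputs.conf that lack index, sourcetype or interval. The per-host stanza, the bin/collect.py path, the class names and the sourcetype in the sample text are constructed assumptions.

```python
import re
# Keys this page requires on every input in local/inputs.conf after an upgrade.
REQUIRED_INPUT_KEYS = ("index", "sourcetype", "interval")
FALSY = {"false", "0", "no"}  # spellings treated as "off" (assumption)

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def tls_verification_disabled(conf_text):
    """Stanzas whose verify_ssl value switches certificate verification off."""
    return sorted(name for name, kv in parse_conf(conf_text).items()
                  if kv.get("verify_ssl", "true").lower() in FALSY)

def incomplete_inputs(inputs_text):
    """Map each script:// stanza to the required keys it is missing."""
    gaps = {}
    for name, kv in parse_conf(inputs_text).items():
        missing = [k for k in REQUIRED_INPUT_KEYS if not kv.get(k)]
        if name.startswith("script://") and missing:
            gaps[name] = missing
    return gaps

# Constructed samples: host stanza, script path, classes and sourcetype are made up.
SAMPLE_SETUP = """[fetch_sites_ssl]
verify_ssl = False
[apic1.example.net]
verify_ssl = True
"""
SAMPLE_INPUTS = """[script://$SPLUNK_HOME/etc/apps/TA_cisco-ACI/bin/collect.py -stats fvCEp]
index = apic
[script://$SPLUNK_HOME/etc/apps/TA_cisco-ACI/bin/collect.py -health fabricNode]
index = apic
sourcetype = cisco:apic:health
interval = 300
"""

if __name__ == "__main__":
    print(tls_verification_disabled(SAMPLE_SETUP), incomplete_inputs(SAMPLE_INPUTS))
```

To audit a real installation, pass the contents of the add-on's own local/*.conf files to the two functions in place of the sample strings.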
The procedure to create a custom certificate for Cisco ACI for HTTPS Access is given in below link:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_Configuring_Custom_Certificate_for_ACI_HTTPS_Access.html
To use the new certificate for connection to APIC/MSO from Splunk, follow the below steps:
If your script uses python2.7 for data collection:
If your script uses python3.7 for data collection:
Follow below steps to disable the SSL verification after configuring credentials through setup page:
For Password Based Authentication and Remote User Based Authentication:
For Certificate Based Authentication:
This app supports multiple APIC/MSO entries. Provide more ACI credentials through the setup screen. Configure a maximum of 5 APICs for better performance.
For Certificate Based Authentication, the certificate name and the path to the private key are stored in the app itself (local/cisco_aci_server_setup.conf).
The data collector script will fetch these credentials through the REST API to connect to the APIC.
Once an APIC hostname or IP address is configured with any one of the 3 modes of authentication, it cannot be configured through the remaining 2 modes of authentication.
Also, users can set up APICs either using any one of the three modes of authentication, or using all three modes one by one but for different APICs.
Example: Users can set up only APIC1 using Password/Remote/Certificate Based Authentication.
OR
Users can set up APIC1 for Password Based Authentication, APIC2 for Remote User Based Authentication and APIC3 for Certificate Based Authentication.
Whenever the user wants to change the credentials, they first need to remove the current entry from TA_cisco-ACI/local/passwords.conf or TA_cisco-ACI/local/cisco_aci_server_setup.conf.
Restart Splunk. Provide the credentials through the UI.
Once an MSO hostname or IP address is configured with any one of the modes of authentication, it cannot be configured through the remaining 2 modes of authentication.
Also, users can set up MSOs either using any one of the two modes of authentication, or using both modes one by one but for different MSOs.
Example: Users can set up only MSO1 using Password Based Authentication.
OR
Users can set up MSO1 for Password Based Authentication and MSO2 for Remote User Based Authentication.
Whenever the user wants to change the credentials, they first need to remove the current entry from TA_cisco-ACI/local/passwords.conf. Restart Splunk. Provide the credentials through the UI.
Note: A hostname configured for APIC cannot be re-configured for MSO, and vice versa.
Example: The user can configure host1 for APIC and host2 for APIC, but not host1 for both APIC and MSO.
The user also needs to modify "default/inputs.conf" according to the following guidelines.
This file contains filename paths which are different based on your OS platform.
The app is configured out of the box to work for Unix/Linux/macOS systems.
If you are running this app on a Windows system, perform the following steps:
Copy the file "default/inputs.conf.WINDOWS" to "local/inputs.conf"
Following options are provided on the setup page under the tab "Configure Data Inputs" for modifying data inputs in inputs.conf:
* Type: Following eight types are allowed in Add-on
  * authentication: To get the authentication information from the ACI environment.
  * classInfo: To get the general information for all the MOs of given APIC classes.
  * cloud: To get the details related objects for all the MOs of given APIC classes.
  * health: To get the health and fault information for all the MOs of given APIC classes.
  * fex: To get the health and fault information for all the MOs of given APIC classes.
  * microsegment: To get the general information for all the MOs of given APIC classes.
  * stats: To get the statistical data for all the MOs of given APIC classes.
  * mso: To get details of various MSO endpoints.
* Arguments: Names of APIC classes for which data will be fetched (Names of classes are case-sensitive) or names MSO API endpoints.
* Interval: Time interval (in seconds) at which data inputs will be scheduled to collect data, once enabled.
* Enable/Disable: Status representing whether the data input is enabled or not.
* Actions:
  * Edit:
    * Add/Remove/Modify the existing APIC classes or MSO endpoints.
    * Change time interval of data inputs.
    * Change status of data inputs i.e. enabled/disabled.
    * Click on Add button (under Actions).
  * Delete
    * This button will directly delete data input.
* Add New Button: It will add new data input in inputs.conf. Again, the user will have the choice for all actions stated above.
* Click on save button after making changes.
Note: Any change performed by the user will be reflected in default/inputs.conf and local/inputs.conf.
* The app data defaults to the 'main' index.
* If you need to specify a particular index for your APIC data, e.g. "apic", create an indexes.conf file (a sample is shown in $SPLUNK_HOME/etc/apps/TA_cisco-ACI/default/indexes.conf.sample).
* Once you specify your index, edit the inputs.conf file and add a line "index=[yourindex]" under each script stanza.
The main app dashboard can take some time before the data is returned which will populate some of the panels. A good test to see that you are receiving all of the data we expect is to run this search after several minutes:
index="<your index>" | stats count by sourcetype
If you don't see these sourcetypes, have a look at the messages output by the scripted input: collect.py. Here is a sample search that will show them:
index=_internal component="ExecProcessor" collect.py "ACI Error:" | table _time host log_level message
Troubleshooting MSO configuration:
You can also see the $SPLUNK_HOME/var/log/splunk/splunkd.log file to check if any error has occurred.
v 4.4.0 Release Notes:
* Fixed cloud vetting concerns
Version 4.3.0
* Remote User-based Authentication
* Certificate-based Authentication
* Functionality to edit inputs.conf from Setup Page
* CIM Mapping - Splunk CIM version supported - 4.13.0
* Bug Fixes
v4.2.4
- Login bug fix
v4.2.2
- New features and updates
- APIC Redundancy and HA
- Optimized data pull from APIC.
- APIC CPU and Memory monitoring
v4.2.3
- Login bug fix
v4.2.1
- New features and updates
- APIC Redundancy and HA
- Optimized data pull from APIC.
- APIC CPU and Memory monitoring
v4.2.0
- New features and updates
- APIC Redundancy and HA
- Optimized data pull from APIC.
- APIC CPU and Memory monitoring
Version 4.1 Updates (compatible with ACI app v4.1):
Updated scripts
Revised inputs.conf - script calls
Updated sample data files
For Technical Support: contact aci-splunk-app@cisco.com OR create a case with Cisco TAC.
All features existing in the version 4.0
Updated sample data files to reflect current APIC version data
Minor bug fixes
The features developed in this release include:
* Multi-Pod integration
* Micro-segmentation support
* Supports multiple APIC's
* Enabled SSL connection with APIC.
The features developed in this release include:
* Supports multiple APIC's
* Enabled SSL connection with APIC.
RELEASE NOTES
The features developed in this release include:
Migrating the existing Cisco ACI Add-on application for Splunk from using ACI Python SDK to ACI REST APIs.
Enabled SSL connection with APIC.
There is no impact on the existing Cisco ACI application due to the changes done in Cisco ACI Add-on.
RELEASE NOTES
The features developed in this release include:
Migrating the existing Cisco ACI Add-on application for Splunk from using ACI Python SDK to ACI REST APIs.
There is no impact on the existing Cisco ACI application due to the changes done in Cisco ACI Add-on.