Ensure that you have:
- The sourcetype set to: cisco:stealthwatch:alert
- The log format on the SMC set properly and logging configured in the StealthWatch rules (steps below)
1. Highlight Enterprise in the SMC Java Applet.
2. Navigate to Configuration > Response Management.
3. Click Syslog Formats.
4. Use the table below to fill in the required fields:
Name: Splunk
Enabled: Yes
Facility: 16 – Local Use 0 (local0)
Severity: 6 – Informational: Informational Messages
MSG Part: The message format required by the add-on (given below)
5. Click OK.
6. Click Actions.
7. Use the table below to fill in the required fields:
Name: Splunk
Enabled: Yes
IP Address: the address of the Splunk instance that receives syslog
Port: 514
Format: Splunk
8. Click OK.
9. Click Rules.
10. Change the action of your rules and add Splunk.
This add-on is used to consume Cisco StealthWatch alarms and is CIM compatible. It was added by the author (Nadhem AlFardan) to address the numerous requests for a CIM-compatible package for StealthWatch. This version addresses StealthWatch alarms.
The Cisco SMC log format must be configured exactly as follows (the quotes around alarm_desc and details are straight double quotes):
Lancope|Stealthwatch|Notification: alarm_desc="{alarm_type_description}" details="{details}" dest={target_ip} src={source_ip} start={start_active_time} end={end_active_time} category={alarm_category_name} Alarm_ID={alarm_id} Source_HG={source_host_group_names} Target_HG={target_host_group_names} Source_HostSnapshot={source_url} Target_HostSnapshot={target_url} dest_port={port} transport={protocol} FC_Name={device_name} FC_IP={device_ip} Domain={domain_id} signature={alarm_type_name} vendor_severity={alarm_severity_name} severity_id={alarm_severity_id} alarm_type={alarm_type_id}
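To check what a receiver actually gets from the SMC before pointing the add-on at it, here is an added example (not part of this add-on or of StealthWatch) that parses a syslog line in the format above into the fields the add-on expects, verifies the syslog PRI header carries facility 16 and severity 6 as configured in the steps above, and reports any required field that is missing. The sample line and the hostnames, addresses and URLs in it are constructed for the example; bare values such as host group names may contain spaces, so the parser reads a bare value up to the next key= token rather than to the next space.

```python
"""Parse Cisco StealthWatch syslog alarms in the SMC message format above.

Added example, not code from the add-on. The sample line is constructed and
every hostname, address and URL in it is a placeholder.
"""
import re
from typing import Dict, List, Tuple

# Every field name in the required MSG Part, in the order the SMC emits them.
REQUIRED_FIELDS: List[str] = [
    "alarm_desc", "details", "dest", "src", "start", "end", "category",
    "Alarm_ID", "Source_HG", "Target_HG", "Source_HostSnapshot",
    "Target_HostSnapshot", "dest_port", "transport", "FC_Name", "FC_IP",
    "Domain", "signature", "vendor_severity", "severity_id", "alarm_type",
]

PREFIX = "Lancope|Stealthwatch|Notification: "

# RFC 3164 PRI header "<N>" where N = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")

# key="quoted value" or key=bare value. A bare value runs up to the next
# " key=" token, so Source_HG=Inside Hosts keeps its space; alarm_desc and
# details are quoted by the SMC and may contain anything but a double quote.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(.*?))(?=\s+\w+=|\s*$)')

# Constructed sample: facility 16, severity 6 gives PRI 16 * 8 + 6 = 134.
SAMPLE = (
    "<134>Mar  1 10:05:00 smc01 Lancope|Stealthwatch|Notification: "
    'alarm_desc="High Total Traffic" '
    'details="Observed 10.5G bytes. Expected 1.2G bytes, tolerance of 50 '
    'allows up to 2G bytes." '
    "dest=10.0.0.5 src=192.168.1.10 "
    "start=2016-03-01T10:00:00Z end=2016-03-01T10:05:00Z "
    "category=Anomaly Alarm_ID=1234 Source_HG=Inside Hosts Target_HG=Outside Hosts "
    "Source_HostSnapshot=https://smc01.example.net/host/192.168.1.10 "
    "Target_HostSnapshot=https://smc01.example.net/host/10.0.0.5 "
    "dest_port=443 transport=tcp FC_Name=fc01 FC_IP=10.0.0.2 Domain=101 "
    "signature=High_Total_Traffic vendor_severity=Major severity_id=3 alarm_type=10"
)


def parse_pri(line: str) -> Tuple[int, int]:
    """Return (facility, severity) decoded from the syslog PRI header."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing syslog PRI header")
    pri = int(m.group(1))
    return pri >> 3, pri & 7


def parse_alert(line: str) -> Dict[str, str]:
    """Extract the key=value fields from one StealthWatch alarm line.

    Raises ValueError when the SMC prefix is absent, which is the usual
    symptom of a Syslog Format that was not configured as documented.
    """
    idx = line.find(PREFIX)
    if idx < 0:
        raise ValueError("not in the Lancope|Stealthwatch|Notification format")
    payload = line[idx + len(PREFIX):]
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(payload):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def missing_fields(fields: Dict[str, str]) -> List[str]:
    """Names from the required format that the line did not carry."""
    return [k for k in REQUIRED_FIELDS if k not in fields]


if __name__ == "__main__":
    facility, severity = parse_pri(SAMPLE)
    print(f"facility={facility} severity={severity}")
    alert = parse_alert(SAMPLE)
    for name in REQUIRED_FIELDS:
        print(f"{name}: {alert.get(name)}")
    print("missing:", missing_fields(alert))
```

Run it against a line captured on the receiver (for example from the Splunk raw event) rather than the sample: a ValueError or a non-empty missing list means the Syslog Format on the SMC does not match the format above, and a facility/severity pair other than (16, 6) means the format was not saved with the values given in the steps.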