topic Re: Splunk Cisco Security Suite in Security

Splunk Cisco Security Suite

jgauthier — Thu, 17 Mar 2011 07:39:03 GMT

I noticed that Splunk for Cisco Security Suite is available and replaced the previous named product.

I removed the old product my apps, installed this one and restarted Splunk.

When I went to use the App, Splunk indicated the app was not set up. So, I went to the set up page, I see there is nothing to do, so I click "Save".

Then this error is presented:

"Your entry was not saved. The following error was reported: undefined."

Thanks for any help!

Re: Splunk Cisco Security Suite

dmitrii4splunk — Thu, 17 Mar 2011 08:14:25 GMT

Hi,

There should be a hyperlink on Setup page that will take you to version 1.0.0 of Cisco Security Suite (http://splunkbase.splunk.com/apps/All/4.x/Suite/app:Cisco+Security+Suite)
The error that you see should be benign.
What version of Splunk are you on?

-Dmitrii

Re: Splunk Cisco Security Suite

LukeMurphey — Thu, 17 Mar 2011 08:17:55 GMT

What version of Splunk are you using (e.g. 4.2 build 96430)?

Also, could you provide the build number of the Cisco Security Suite app? You can find the build number in the file at etc/apps/Splunk_CiscoSecuriySuite/default/app.conf under the install stanza:

[install]
state = enabled
is_configured = false
build = 96430

Re: Splunk Cisco Security Suite

jgauthier — Thu, 17 Mar 2011 21:34:42 GMT

Splunk 4.1.7 build 95063.
Security Suite:

build = 96705

I downloaded Splunk last week. I bet I need to be using 4.2. I'm not sure why I have 4.1!

Re: Splunk Cisco Security Suite

LukeMurphey — Fri, 18 Mar 2011 10:24:52 GMT

Do have any of the other Cisco apps or the MaxMind app installed?

I just tried the same version of the Cisco Security Suite on 4.1.7 with no apps installed and it worked fine for me. I'm wondering if some app or combination of apps triggers the problem.

Like dmitri4splunk said, that error is benign. Nevertheless, it would be nice if we could get that fixed.

Re: Splunk Cisco Security Suite

jgauthier — Fri, 18 Mar 2011 19:46:40 GMT

I upgraded to splunk 4.2 build 96430. The only other apps I have installed are Splunk for Nagios, the Cisco for Firewalls (for the extraction bits), and the splunk license usage.

I did verify the error appears with this build, too.
Understanding that its benign, how do I use the app? Everytime I go to the app, it tells me it needs to be configured. So, I try to save, and an endless circle ensues!

Thanks!

Re: Splunk Cisco Security Suite

LukeMurphey — Fri, 18 Mar 2011 22:54:32 GMT

You can bypass the setup screen by setting is_configured to true in app.conf. To do so, open etc/apps/Splunk_CiscoSecuriySuite/local/app.conf (or create it if it does not exist) and enter the following:

[install]
is_configured = true

You may need to restart Splunk after editing the config file. Splunk won't force you to view the setup screen once it recognizes the app is considered configured.

Re: Splunk Cisco Security Suite

LukeMurphey — Fri, 18 Mar 2011 22:55:40 GMT

Could you be so kind to let me know what platform (Linuz, Mac, etc.) you are on? I want to replicate the issue so that I can fix it and am wondering if this retains to a particular platform.

Re: Splunk Cisco Security Suite

jgauthier — Fri, 18 Mar 2011 23:41:00 GMT

Absolutely. This is a windows 2008 R2 x64 server.
I am willing to work with you to identify/resolve if needed. I am pretty flexible.

Re: Splunk Cisco Security Suite

lhy719 — Tue, 12 Apr 2011 18:08:14 GMT

I encounter a similar problem. I followed instruction on 'Setup screen example using a custom endpoint', and get the same error message when I save configuration changes on Web UI.

Content of my restmap.conf,

[admin:myendpoint] match=/appset members=appsettings [admin_external:appsettings] handlertype = python handlerfile = App_python_handler.py handleractions = list, edit

Content of my App_python_handler.py,

import splunk.admin as admin import splunk.entity as en class ConfigApp(admin.MConfigHandler): def setup(self): if self.requestedAction == admin.ACTION_EDIT: for arg in ['field_1', 'field_2_boolean', 'field_3']: self.supportedArgs.addOptArg(arg) def handleList(self, confInfo): confDict = self.readConf("appsettings") if None != confDict: for stanza, settings in confDict.items(): for key, val in settings.items(): if key in ['field_2_boolean']: if int(val) == 1: val = '0' else: val = '1' if key in ['field_1'] and val in [None, '']: val = '' confInfo[stanza].append(key, val) def handleEdit(self, confInfo): name = self.callerArgs.id args = self.callerArgs if int(self.callerArgs.data['field_3'][0]) < 60: self.callerArgs.data['field_3'][0] = '60' if int(self.callerArgs.data['field_2_boolean'][0]) == 1: self.callerArgs.data['field_2_boolean'][0] = '0' else: self.callerArgs.data['field_2_boolean'][0] = '1' if self.callerArgs.data['field_1'][0] in [None, '']: self.callerArgs.data['field_1'][0] = ''
self.writeConf('appsettings', 'setupentity', self.callerArgs.data) admin.init(ConfigApp, admin.CONTEXT_NONE)