https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333357#M39991 <P>One can do that if your experiencing heavy traffic -depending on the number of devices reporting in - I have never had to go that route though. I will highly recommend using TCP rather than UDP though, as it is connection oriented rather than connection less - makes for eaiser troubleshooting too </P> Wed, 26 Jul 2017 16:01:37 GMT klaxdal 2017-07-26T16:01:37Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333349#M39983 <P>I've read a couple of posts/answers here.</P> <P>What I did.</P> <P>created a local directory on the TA_cisco-asa app and copied eventtypes, transforms, and props. Upon checking on the config files, contrary to the answers on the posted questions here, they were already commented out by default. *the [source::udp::514]</P> <P>Upon checking on the dashboards, they were looking for eventtype=cisco-firewall</P> <P>checked eventtypes.conf and no cisco-firewall defined like really? why? and i thought add-ons will require minimal to no configuration already. only enabling some of the metrics.</P> <P>current setup is splunk listening to 514 with the sourcetype=syslog</P> <P>Thoughts?</P> Wed, 26 Jul 2017 06:33:16 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333349#M39983 lloydknight 2017-07-26T06:33:16Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333350#M39984 <P>Pretty sure your source type is incorrect . </P> <P>Check the index to ensure you are receiving events from the ASA </P> Wed, 26 Jul 2017 12:31:02 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333350#M39984 klaxdal 2017-07-26T12:31:02Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333351#M39985 <P>Source type should be set to manual - cisco:asa or cisco_asa ( I forget off hand which one works ) start with cisco:asa</P> <P>You may also want to output the syslogs via TCP as its more reliable and configure a separate index for your Cisco products ..... see link </P> <P><A href="https://answers.splunk.com/answers/174583/cisco-security-suite-add-on-for-cisco-asa-do-i-nee.html">https://answers.splunk.com/answers/174583/cisco-security-suite-add-on-for-cisco-asa-do-i-nee.html</A></P> Wed, 26 Jul 2017 12:35:10 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333351#M39985 klaxdal 2017-07-26T12:35:10Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333352#M39986 <P>Unless you make any changes to the TA/app you download from splunkbase or you add some customizations, you don't need a local directory.<BR /> From the problem you explained, I believe you are looking into the dashboards in the security suite app - <A href="https://splunkbase.splunk.com/app/525/">https://splunkbase.splunk.com/app/525/</A>. <BR /> If you check the default/eventtypes.conf - you will see the eventtype "cisco-firewall".<BR /> Since you are getting the events with the source type "syslog", You can download the TA for cisco- ASA here. <BR /> <A href="https://splunkbase.splunk.com/app/1620/">https://splunkbase.splunk.com/app/1620/</A>. <BR /> This one transforms your source type into cisco:asa which the app is looking for.</P> Wed, 26 Jul 2017 14:58:32 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333352#M39986 bheemireddi 2017-07-26T14:58:32Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333353#M39987 <P>Yes you're right. I precreated the index with the sourcetype as syslog before the integration. :))</P> <P>If i will have to populate the other dashboards in cisco suite, say for example the cisco esa or wsa, should I create another index and define a new port for logging as 514 is exclusively for asa?</P> <P>Many thanks btw, i will try this by tomorrow and will accept this answer if it works</P> Wed, 26 Jul 2017 15:18:44 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333353#M39987 lloydknight 2017-07-26T15:18:44Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333354#M39988 <P>No need to create another index . I have set this up many times - outputting all my CISCO devices IPS / ASA /WSA to the same index . </P> <P>They can use the same port however you want to be aware of the amount of traffic flow - which my require you to break out the traffic on various ports e.g. TCP 514 , TCP 515 etc and index to a common index to keep things straight ( my personal preference ) such as index=cisco </P> <P>You should be able to simpley change the source type on your current configuration by editing the data input to reflect cisco:asa </P> <P>BTW - getting the IPS data in can be a challenge due to issues with the python script and SSL - but we can cross that bridge when you get there </P> Wed, 26 Jul 2017 15:26:59 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333354#M39988 klaxdal 2017-07-26T15:26:59Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333355#M39989 <P>So meaning, i should define different ports for every new cisco device with the same index right but with different correct sourcetypes right?</P> Wed, 26 Jul 2017 15:30:42 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333355#M39989 lloydknight 2017-07-26T15:30:42Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333356#M39990 <P>Hello, thank you for the comment.i believe klaxdal already pinpointed my problem which is the sourcetype not being defined properly. Though you're right about the local folder since i didn't change any conf files so no need for the local</P> Wed, 26 Jul 2017 15:36:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333356#M39990 lloydknight 2017-07-26T15:36:57Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333357#M39991 <P>One can do that if your experiencing heavy traffic -depending on the number of devices reporting in - I have never had to go that route though. I will highly recommend using TCP rather than UDP though, as it is connection oriented rather than connection less - makes for eaiser troubleshooting too </P> Wed, 26 Jul 2017 16:01:37 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333357#M39991 klaxdal 2017-07-26T16:01:37Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333358#M39992 <P>hello, klaxdal. so I have already set the sourcetype as cisco:asa but this will only limit me to monitor the cisco:asa sourcetypes. I need all the cisco logs to automatically populate all the dashboards in this app.</P> <P>check this link<BR /> <A href="https://answers.splunk.com/answers/188473/what-sourcetype-should-i-set-ciscoasa-switch-data.html">https://answers.splunk.com/answers/188473/what-sourcetype-should-i-set-ciscoasa-switch-data.html</A></P> <P>it says their that sourcetype=syslog will automatically redefined with their respective sourcetype. thoughts?</P> Tue, 01 Aug 2017 08:03:58 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333358#M39992 lloydknight 2017-08-01T08:03:58Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333359#M39993 <P>Have you installed the other TAs required for the APP and additional source types ? </P> <P>I have never has to specify anything other than CISCO:ASA and the index in the UDP data setup . </P> <P>KL</P> Tue, 01 Aug 2017 16:10:53 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-not-populating/m-p/333359#M39993 klaxdal 2017-08-01T16:10:53Z