topic Re: Splunk security suite installation in Installation

Splunk security suite installation

jamesy281 — Thu, 30 Oct 2014 10:24:17 GMT

Hey there,

I need some help with the Cisco Security suite. we are running a distributed environment which consists of 1 X master, 1x serach head and two indexers. The app was installed using the WEB ui by my predecessor along with the SA and TA. Our ASA is directed to one of the indexres via syslog UDP 514 and I can search this fine. The dashboard was showing no data so I followed a ton of KB articles and made changes as suggested I even installed the TA on both indexers however after rebooting I just got a bunch of errors. I ended up just uninstalling all the components completely. my question is what is the correct installation procedure in a distributed environment such as mine? all the documents say install it in $Splunkhome..., etc but not on what servers it is required. Do I simply need to install on the search head and copy the apps to the apps directory and that is it or is it required on the indexers also?

Any help is appreciated.

Re: Splunk security suite installation

frmaasdam — Thu, 30 Oct 2014 16:17:17 GMT

You have to install the Suite, your TA's and SA on the search head.
You also have to install your SA's (yust copy that part from your Suite app directory) as separate apps in $SPLUNK-HOME/etc/apps/

Re: Splunk security suite installation

jamesy281 — Thu, 30 Oct 2014 16:38:46 GMT

Hi frmassdam,

Thanks for the reply. This is the original configuration that I had but the dashboard didn't show any data.

Re: Splunk security suite installation

frmaasdam — Thu, 30 Oct 2014 17:01:05 GMT

Another remark. Check your sourcetype! So far I know it has been changed from cisco-asa ? to cisco:asa

Re: Splunk security suite installation

frmaasdam — Thu, 30 Oct 2014 17:02:59 GMT

Of course you can check within your dashboard the search that has been done and failed.

Re: Splunk security suite installation

jamesy281 — Thu, 30 Oct 2014 17:31:20 GMT

Is the sourcetype located in the props.conf file within the main app or under the TA/ SA?

Re: Splunk security suite installation

frmaasdam — Mon, 28 Sep 2020 18:02:54 GMT

Standard files from your app:

SA-cisco-asa/default/eventtypes.conf:search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")

SA-cisco-asa/default/props.conf:[cisco:asa]

Splunk_CiscoSecuritySuite/lookups/cisco_device_info.csv:cisco:asa,cisco:asa,Firewall,network,Cisco,ASA,Adaptive Security Appliance

Splunk_TA_cisco-asa/default/eventgen.conf:sourcetype=cisco:asa

Splunk_TA_cisco-asa/default/eventtypes.conf:search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix") message_id="4000*"

Splunk_TA_cisco-asa/default/props.conf:sourcetype = cisco:asa
Splunk_TA_cisco-asa/default/props.conf:[cisco:asa]

Splunk_TA_cisco-asa/default/transforms.conf:FORMAT = sourcetype::cisco:asa

Splunk_TA_cisco-asa/lookups/cisco_asa_ids_lookup.csv:cisco:asa,network

Our inputfiles from our UFW:

WG-CINP010_il_netwerk_fwdsyslog/default/inputs.conf:sourcetype = cisco:asa
WG-CINP010_il_netwerk_fwdsyslog/default/inputs.conf:sourcetype = cisco:asa

Re: Splunk security suite installation

jamesy281 — Mon, 28 Sep 2020 18:02:57 GMT

Thanks,

I will install fresh with the most recent version on the search head. I have downloaded the Cisco Security Suite and the splunk add on for ASA, when I extract it it is listed as Splunk_TA_cisco_asa. is there an additional component (SA)? I can't see that on the site.

Re: Splunk security suite installation

frmaasdam — Thu, 30 Oct 2014 18:37:37 GMT

You can find your SA in Splunk_CiscoSecuritySuite/appserver/addons
You have to copy the desired SA directory to $SPLUNK-HOME/etc/apps
This will enable the SA asa dashboard in the SecuritySuite dashboard

Re: Splunk security suite installation

frmaasdam — Fri, 31 Oct 2014 10:53:28 GMT

Do you share the solution when you have it working again?

Re: Splunk security suite installation

jamesy281 — Fri, 31 Oct 2014 10:56:38 GMT

I will indeed, thanks again.