
Cisco Firewall Add-on - No Data

Explorer

I have installed both Cisco Security Suite and Cisco Firewall Add-On. I have a UDP port accepting syslogs from an ASA with a sourcetype of cisco_firewall. I can view real-time data in Security Suite, but the Cisco Firewall Add-On shows no results when I select Overview or Real Time Dashboard.

The Overview inspect shows:

This search has completed and found 362 matching events. However, the transforming commands in the highlighted portion of the following search:

search eventtype="cisco_firewall" | bin _time span=5m | stats count by eventtype, src_ip, dest_ip, host,log_level_desc,event_desc, _time

over the time range:

3/14/12 3:00:00.000 AM – 3/14/12 3:00:00.000 PM

generated no results.

However, if I select a time from the drop-down or change the search to search eventtype="ciscofirewall" | bin _time span=5m, results are displayed?

0 Karma

Motivator

The sourcetype actually should be cisco_asa.

cisco_firewall is the eventtype whose search is %ASA OR %PIX OR %FWSM.

sourcetype=cisco_firewall is only used for events pre-indexed with the cisco_firewall sourcetype, for back-support of community versions <= 4.1.4.

And by default the app should apply a sourcetype, so there is no need to set one.

But it might not be the reason for your issue.

0 Karma
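As an added example (not from this thread and not the add-on's own shipped configuration), here is how the two pieces the answer above describes fit together in Splunk .conf files: a UDP input tagged with the cisco_asa sourcetype, and an eventtype whose search is the %ASA OR %PIX OR %FWSM expression quoted above. The file locations, the app name and the UDP port are assumptions.

```ini
# inputs.conf
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf
# Constructed example: the ASA syslog input is tagged at ingest with the
# sourcetype the add-on expects (cisco_asa), rather than left blank or set
# to cisco_firewall. Port 514 is an assumption; use the port the ASA sends to.
[udp://514]
sourcetype = cisco_asa
connection_host = ip

# eventtypes.conf
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/eventtypes.conf
# Constructed example of the eventtype the dashboards search on. The search
# string is the one quoted in the answer above; it matches on the message
# prefix, so it works regardless of which sourcetype the events carry.
[cisco_firewall]
search = %ASA OR %PIX OR %FWSM
```

If the add-on already defines the eventtype, do not duplicate the stanza; `splunk btool eventtypes list cisco_firewall --debug` shows which file is supplying it, and an empty result there would explain why no eventtypes appear in the manager interface.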

Explorer

The app setup wizard was used to create the UDP data input, and it did so with the sourcetype blank. No results showed in the suite or the add-on. I changed the data input's sourcetype to cisco_asa first, so I have some data indexed this way, but no results showed again; it was only after I changed the sourcetype to cisco_firewall that results showed. Also, inspect shows all failed searches are by eventtype, but no eventtypes exist in the manager interface.

Inspect examples:
search eventtype="cisco_firewall" | bin _time span=5m
search eventtype=cisco_ips gc_score<0 | lookup geoip clientip as src_ip | bin _time span=5m

0 Karma