Cisco Firewall Addon - no input, no setup option in Manager

cqmitre
Engager

I have the Splunk for Cisco Firewalls Addon installed, and I'm trying to get data into it. The Readme has this line in it for configuring the data inputs. (I'm using version 2.0)

"Click Manager > Apps > Cisco Firewalls > "Set up"

However, when I go there, I do not see a "Set up" option at all. These are the only options that I see:

Global | Permissions Enabled Launch app | Edit properties | View objects | View details on Splunkbase

I'm assuming that the install docs are just out of date, but I also tried doing it manually by creating inputs.conf and using the following:

[udp://2550]
disabled = false

I restarted Splunk after making that change but I am not getting any data. I have been using that port before installing the Addon and I can verify that log data is still coming into it - Splunk just isn't getting it.

What am I missing? Any insight would be appreciated. Thanks!

pstraw
Explorer

I ran into the same problem with Cisco Security Suite v2.0 and Splunk for Cisco Firewalls v2.0 (build 100490). According to the App pages, v2.0 of Cisco Apps only support Splunk versions 4 thru 5. Guess we need to wait till Splunk v6 is supported.

0 Karma

hengunde
Engager

I am having just the same issues on a Windows 7 platform. There is no "setup" option anywhere, so I also tried to manually create the file (C:\Program Files\Splunk\etc\apps\Splunk_CiscoFirewalls\local\inputs.conf) and used the default syslog port (udp/514). Still no joy... 😞

jonahcofer
Engager

When you say you edited the inputs.conf, was it the main Splunk inputs configuration file or was it the inputs.conf for the cisco_firewalls app itself?

If you go to your splunk directories in program files and navigate to \splunk\etc\apps\Splunk_CiscoFirewalls\local, you will see the inputs.conf directly associated with the app. Open that and the default is [udp://514]. Change that to the port that you listed above and restart Splunk again. Since you're forwarding over 2550, the app will start to parse those logs based on the source and you should start to see results for sourcetype="cisco_asa" in your search.

0 Karma

cqmitre
Engager

Thanks for the reply!

When I say inputs.conf, I'm talking about the one for the App itself, in the \local folder. One thing I just found - I made the edits to the file, verified that they were there, and once I restarted Splunk the file is now empty. (Note, I'm running on Ubuntu).


root@splunk:/opt/splunk/etc/apps/Splunk_CiscoFirewalls/local# cat inputs.conf
[udp://2550]
disabled = false

root@splunk:/opt/splunk/etc/apps/Splunk_CiscoFirewalls/local# /opt/splunk/bin/splunk restart
(removed startup bits)
root@splunk:/opt/splunk/etc/apps/Splunk_CiscoFirewalls/local# cat inputs.conf

0 Karma
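
An added example, not part of the thread and not the add-on's own tooling: a shell check for the cases discussed above, reporting whether an app's local inputs.conf is missing, empty (the state seen after the restart), lacks the expected `[udp://PORT]` stanza, or has it disabled. The helper name `check_udp_input` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the state of a UDP input in an app's inputs.conf.
# check_udp_input is a hypothetical helper name, not a Splunk command.
# Usage: check_udp_input FILE PORT
# Prints: missing | empty | absent | disabled | enabled
check_udp_input() {
    file=$1
    port=$2
    [ -f "$file" ] || { echo missing; return 0; }
    # A zero-byte file is the state shown after the restart in the thread.
    [ -s "$file" ] || { echo empty; return 0; }
    awk -v want="[udp://$port]" '
        /^[ \t\r]*#/ { next }            # comment line
        /^[ \t\r]*$/ { next }            # blank line
        /^[ \t]*\[/ {                    # stanza header
            hdr = $0
            gsub(/[ \t\r]/, "", hdr)
            in_stanza = (hdr == want)
            if (in_stanza) found = 1
            next
        }
        in_stanza {                      # key = value inside the wanted stanza
            line = $0
            gsub(/[ \t\r]/, "", line)
            n = split(line, kv, "=")
            if (n >= 2 && kv[1] == "disabled") disabled = tolower(kv[2])
        }
        END {
            if (!found) print "absent"
            else if (disabled == "true" || disabled == "1") print "disabled"
            else print "enabled"
        }' "$file"
}

# Constructed sample files mirroring the cases discussed in the thread.
demo() {
    d=$(mktemp -d)
    printf '[udp://2550]\ndisabled = false\n' > "$d/set.conf"
    printf '[udp://514]\n' > "$d/default.conf"
    : > "$d/emptied.conf"
    for f in set default emptied; do
        echo "$f: $(check_udp_input "$d/$f.conf" 2550)"
    done
    rm -rf "$d"
}
demo
```

This inspects a single file only; `splunk cmd btool inputs list --debug` shows the merged configuration Splunk actually loads and which file each setting comes from.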