All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Cisco Security Suite App and Cisco ASA configuration in a distributed deployment

huck82
Engager
‎08-04-2014 10:02 AM

I'm currently installing the Cisco Security Suite App in a distributed deployment of Splunk. I installed the Cisco Security Suite app on my search head along with the required Splunk Add-on for Cisco ASA mentioned here >> http://docs.splunk.com/Documentation/AddOns/released/CiscoASA/Distributeddeployment#Install_on_the_S...

I also installed the Splunk Add-On for Cisco ASA on my indexer and created a custom index for the incoming data. I'm indexing Cisco data fine and can search it from the search head and the indexer. The only issue I'm having is that the dashboards in the Cisco Security Suite app work on the indexer, but not the search head. To get them to work on the search head I had to create an index on the search head and point it to the custom index on the indexer. That works, but I want to make sure that is correct. I want to make sure that I'm not double indexing data or causing double rolling of data between buckets having the index defined on two Splunk instances. According to the above URL it seems that the index has to be defined on the search head as well as the indexer as mentioned here >> "Important: The Add-on does not include an indexes.conf by default. If a new index was added to store the data referenced by this Add-on, Splunk recommends updating the common indexes.conf used on the search head to add a new index name. The index must be added to the search head for type-ahead functionality and to set Role access." Has anyone else run into this?

Reply

jconger
Splunk Employee
Splunk Employee
‎10-13-2014 02:23 PM

All of the searches for ASA start out with eventtype=cisco-firewall. By default, the cisco-firewall eventtype is defined as follows:

[cisco-firewall]
search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")

This assumes that the sourcetypes are in an index that is searched by default. So, you have 2 options:

  1. Make your custom index searchable by default.

  2. Modify eventtypes.conf to read as follows:

    [cisco-firewall]
    search = index=your_index (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")

Reply

pil321
Communicator
‎10-31-2014 11:54 AM

Thanks jconger. I was having the same issue and this worked like a charm!

0 Karma
Reply

bworrellZP
Communicator
‎08-17-2015 11:48 AM

How does this work if your indexer and search head are two different devices?

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎10-13-2014 02:13 PM

Hi, I believe that app mainly uses sourcetypes, so I would think that indexes searched by default is probably the setting that needs attention.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top