Cisco Security Suite App and Cisco ASA configuration in a distributed deployment
I'm currently installing the Cisco Security Suite App in a distributed deployment of Splunk. I installed the Cisco Security Suite app on my search head along with the required Splunk Add-on for Cisco ASA mentioned here >> http://docs.splunk.com/Documentation/AddOns/released/CiscoASA/Distributeddeployment#Install_on_the_S...
I also installed the Splunk Add-On for Cisco ASA on my indexer and created a custom index for the incoming data. I'm indexing Cisco data fine and can search it from the search head and the indexer. The only issue I'm having is that the dashboards in the Cisco Security Suite app work on the indexer, but not the search head.

To get them to work on the search head I had to create an index on the search head and point it to the custom index on the indexer. That works, but I want to make sure that is correct. I want to make sure that I'm not double indexing data or causing double rolling of data between buckets by having the index defined on two Splunk instances.

According to the above URL it seems that the index has to be defined on the search head as well as the indexer, as mentioned here >> "Important: The Add-on does not include an indexes.conf by default. If a new index was added to store the data referenced by this Add-on, Splunk recommends updating the common indexes.conf used on the search head to add a new index name. The index must be added to the search head for type-ahead functionality and to set Role access."

Has anyone else run into this?
All of the searches for ASA start out with eventtype=cisco-firewall. By default, the cisco-firewall eventtype is defined as follows:

[cisco-firewall]
search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")

This assumes that the sourcetypes are in an index that is searched by default. So, you have 2 options:

- Make your custom index searchable by default.
- Modify eventtypes.conf to read as follows:

[cisco-firewall]
search = index=your_index (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")
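As an added example (not part of the thread or of the Cisco Security Suite app), the following script applies the second option mechanically: it parses an eventtypes.conf, flags any eventtype whose search has no explicit index= term (and therefore depends on the "indexes searched by default" setting), and rewrites it to be scoped to a named index. The sample conf text and the index name `your_index` are constructed for the demo; the second stanza is hypothetical.

```python
import re

# Constructed sample: the default cisco-firewall stanza quoted in the answer,
# plus a hypothetical stanza that is already scoped to an index.
SAMPLE_EVENTTYPES_CONF = """\
[cisco-firewall]
search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")

[cisco-scoped-example]
search = index=netsec sourcetype="cisco:asa"
"""

# Heuristic: any "index=" term counts as an explicit index constraint.
INDEX_TERM = re.compile(r'\bindex\s*=\s*', re.IGNORECASE)

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (no continuation lines)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def needs_index_scope(search):
    """True when the search relies on whichever indexes are searched by default."""
    return INDEX_TERM.search(search) is None

def scope_search(search, index):
    """Prepend an explicit index constraint; leave already-scoped searches alone."""
    if not needs_index_scope(search):
        return search
    return f"index={index} {search}"

def scoped_conf(text, index):
    """Return (rewritten conf text, names of the stanzas that were changed)."""
    changed, out = [], []
    for name, keys in parse_conf(text).items():
        out.append(f"[{name}]")
        for key, value in keys.items():
            if key == "search" and needs_index_scope(value):
                value = scope_search(value, index)
                changed.append(name)
            out.append(f"{key} = {value}")
        out.append("")
    return "\n".join(out), changed
```

Run `scoped_conf(open(path).read(), "your_index")` against a copy of the app's eventtypes.conf to see which eventtypes would change before editing the file in local/.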
Thanks jconger. I was having the same issue and this worked like a charm!
How does this work if your indexer and search head are two different devices?
Hi, I believe that app mainly uses sourcetypes, so I would think that indexes searched by default is probably the setting that needs attention.
