Cisco Security Suite App and Cisco ASA configuration in a distributed deployment

huck82
Engager

I'm currently installing the Cisco Security Suite App in a distributed deployment of Splunk. I installed the Cisco Security Suite app on my search head along with the required Splunk Add-on for Cisco ASA mentioned here >> http://docs.splunk.com/Documentation/AddOns/released/CiscoASA/Distributeddeployment#Install_on_the_S...

I also installed the Splunk Add-on for Cisco ASA on my indexer and created a custom index for the incoming data. I'm indexing Cisco data fine and can search it from the search head and the indexer. The only issue I'm having is that the dashboards in the Cisco Security Suite app work on the indexer, but not the search head. To get them to work on the search head I had to create an index on the search head and point it to the custom index on the indexer. That works, but I want to make sure that is correct. I want to make sure that I'm not double indexing data or causing double rolling of data between buckets by having the index defined on two Splunk instances. According to the above URL it seems that the index has to be defined on the search head as well as the indexer, as mentioned here >> "Important: The Add-on does not include an indexes.conf by default. If a new index was added to store the data referenced by this Add-on, Splunk recommends updating the common indexes.conf used on the search head to add a new index name. The index must be added to the search head for type-ahead functionality and to set Role access." Has anyone else run into this?

jconger
Splunk Employee

All of the searches for ASA start out with eventtype=cisco-firewall. By default, the cisco-firewall eventtype is defined as follows:

[cisco-firewall]
search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")

This assumes that the sourcetypes are in an index that is searched by default. So, you have 2 options:

  1. Make your custom index searchable by default.
  2. Modify eventtypes.conf to read as follows:

    [cisco-firewall]
    search = index=your_index (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")
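
As an added example (not part of jconger's answer or the add-on's own files), a small Python check that parses the eventtypes.conf stanza quoted above, reports whether the cisco-firewall search is pinned to an index, simulates which of the two options makes events in the custom index reachable, and produces the option-2 rewrite; the index name `your_index` comes from the answer, and the parser and role default-index list are assumptions for the demonstration.

```python
import re

# Constructed sample: the default cisco-firewall stanza quoted in the answer.
DEFAULT_EVENTTYPES_CONF = """\
[cisco-firewall]
search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")
"""

def parse_conf(text):
    """Minimal parser for Splunk's INI-style .conf files -> {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def index_constraint(search):
    """Return the index= value the search names, or None if it relies on the
    role's default searchable indexes (the case that broke the dashboards)."""
    m = re.search(r'\bindex\s*=\s*"?([^\s"()]+)"?', search)
    return m.group(1) if m else None

def eventtype_reaches(search, event_index, default_indexes):
    """Would an event stored in event_index be found by this eventtype search?
    A search with no index= term only covers the role's default indexes (option 1);
    a search that names the index covers it regardless (option 2)."""
    pinned = index_constraint(search)
    return event_index == pinned if pinned else event_index in default_indexes

def pin_to_index(search, index_name):
    """Option 2 from the answer: prefix the eventtype search with index=<name>."""
    if index_constraint(search) == index_name:
        return search  # already pinned, nothing to change
    return f"index={index_name} {search}"

def cisco_firewall_search(conf_text):
    """Extract the search string of the [cisco-firewall] eventtype stanza."""
    return parse_conf(conf_text)["cisco-firewall"]["search"]

if __name__ == "__main__":
    search = cisco_firewall_search(DEFAULT_EVENTTYPES_CONF)
    print("reaches your_index with defaults [main]:", eventtype_reaches(search, "your_index", ["main"]))
    print("option 2 search =", pin_to_index(search, "your_index"))
```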

pil321
Communicator

Thanks jconger. I was having the same issue and this worked like a charm!


bworrellZP
Communicator

How does this work if your indexer and search head are two different devices?


jcoates_splunk
Splunk Employee

Hi, I believe that app mainly uses sourcetypes, so I would think that indexes searched by default is probably the setting that needs attention.
