Has anyone encountered this error and know the fix? I have the latest build of Splunk, added the Cisco ASA, ESA and SourceFire add on apps and the main Cisco Security Suite prompts me to go through a setup... I check these 3 packages and I get this error in a red bar:
Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/Splunk_CiscoSecuritySuite/css_setup/css_setup_endpoint/default
I am having the same issue.
Did anyone find a workaround?
Thanks
Is this a Windows install by any chance? I encountered this on two Splunk 6.2.3 Windows servers. I doubt it happens on NIX.
I tried (unsuccessfully) to repro using latest (& clean) Splunk (6.2.2), ASA https://splunkbase.splunk.com/app/1620/, ESA https://splunkbase.splunk.com/app/1761/, and SourceFire https://splunkbase.splunk.com/app/1808.
Still, you may be able to work around the issue by updating 3 files manually...
Create $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/local/app.conf
[install]
is_configured = 1
Create $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/local/css_views.conf
[default]
asa = 1
csf = 1
esa = 1
Create $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/local/data/ui/nav/default.xml
<nav color="#29688A">
  <collection label="Splunk for Cisco Security">
    <view default="true" name="cisco_security_overview" />
    <view name="search_ip_profile" />
    <view name="user_tracking" />
    <view name="search" />
    <divider />
    <collection label="Searches &amp; Reports">
      <saved source="unclassified" view="search" />
    </collection>
    <collection label="Dashboards">
      <view source="unclassified" />
    </collection>
  </collection>
  <collection label="Email Security">
    <view name="esa_overview" />
    <divider />
    <view name="esa_performance" />
    <view name="esa_search" />
    <divider />
    <collection label="Email Searches &amp; Reports">
      <saved match="Cisco ESA" source="all" view="search" />
    </collection>
  </collection>
  <collection label="Network Security">
    <view name="asa_overview" />
    <view name="asa_search" />
    <divider />
    <collection label="Sourcefire IPS IDS">
      <view name="sourcefire_estreamer_summary" />
      <divider />
      <view name="sourcefire_sensor_summary" />
      <view name="sourcefire_policy_summary" />
      <view name="sourcefire_host_summary" />
      <view name="sourcefire_flow_summary" />
      <divider />
      <view name="sourcefire_ids_event_summary" />
      <view name="sourcefire_file_event_summary" />
      <view name="sourcefire_correlation_summary" />
    </collection>
    <divider />
    <divider />
    <collection label="Firewall Searches &amp; Reports">
      <saved match="Cisco ASA" source="all" view="search" />
    </collection>
    <collection label="IPS Searches &amp; Reports">
      <saved match="Cisco IPS" source="all" view="search" />
    </collection>
  </collection>
  <collection label="Help">
    <view name="getting_started" />
    <collection label="Documentation">
      <view name="upgrading" />
      <a href="http://docs.splunk.com/Documentation/AddOns/latest/CiscoASA/Description">Cisco ASA Configuration</a>
      <a href="http://docs.splunk.com/Documentation/AddOns/latest/CiscoWSA/About">Cisco WSA Configuration</a>
      <a href="http://docs.splunk.com/Documentation/AddOns/latest/CiscoESA/About">Cisco ESA Configuration</a>
      <a href="http://docs.splunk.com/Documentation/AddOns/latest/CiscoISE/About">Cisco ISE Configuration</a>
      <a href="http://docs.splunk.com/Documentation/AddOns/latest/CiscoIPS/About">Cisco IPS Configuration</a>
      <view name="sourcefire_documentation" />
    </collection>
    <a href="/manager/Splunk_CiscoSecuritySuite/apps/local/Splunk_CiscoSecuritySuite/setup?action=edit&amp;redirect_override=/app/Splunk_CiscoSecuritySuite/cisco_security_overview">Setup</a>
  </collection>
</nav>
...and then restart Splunk.
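A quick check of the three hand-made files from the workaround above before restarting, as an added example that is not part of the original post or of the app. It assumes the paths and keys given in the post; `check_workaround`, `read_conf` and `write_sample` are hypothetical names, and the sample tree is constructed in a temp directory.

```python
import configparser
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

APP = "Splunk_CiscoSecuritySuite"

def read_conf(path):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path, encoding="utf-8")  # a missing file simply yields no sections
    return cp

def check_workaround(splunk_home):
    """Return a list of problems with the three hand-made files ([] means OK)."""
    local = Path(splunk_home) / "etc" / "apps" / APP / "local"
    problems = []
    app = read_conf(local / "app.conf")
    if app.get("install", "is_configured", fallback="").lower() not in ("1", "true"):
        problems.append("app.conf: [install] is_configured is not set to 1")
    views = read_conf(local / "css_views.conf")
    if not views.has_section("default"):
        problems.append("css_views.conf: missing [default] stanza")
    else:
        bad = [k for k, v in views.items("default") if v not in ("0", "1")]
        problems += [f"css_views.conf: {k} must be 0 or 1" for k in bad]
    nav = local / "data" / "ui" / "nav" / "default.xml"
    try:
        # Catches a nav file that is not well-formed XML, e.g. a bare & in a label.
        if ET.parse(nav).getroot().tag != "nav":
            problems.append("default.xml: root element is not <nav>")
    except (OSError, ET.ParseError) as exc:
        problems.append(f"default.xml: {exc}")
    return problems

def write_sample(nav_label):
    """Constructed SPLUNK_HOME in a temp dir; nav_label is used as a collection label."""
    home = Path(tempfile.mkdtemp())
    local = home / "etc" / "apps" / APP / "local"
    (local / "data" / "ui" / "nav").mkdir(parents=True)
    (local / "app.conf").write_text("[install]\nis_configured = 1\n")
    (local / "css_views.conf").write_text("[default]\nasa = 1\ncsf = 1\nesa = 1\n")
    (local / "data" / "ui" / "nav" / "default.xml").write_text(
        f'<nav><collection label="{nav_label}"><view name="search" /></collection></nav>')
    return home

if __name__ == "__main__":
    print(check_workaround(write_sample("Searches & Reports")))
```

Point `check_workaround` at the real `$SPLUNK_HOME` to test an actual install; an empty list means all three files parsed and carry the expected keys.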
Great Thanks
Great stuff thanks !
Hi, I'm also getting the error "In handler 'localapps': Error while posting to url=/servicesNS/nobody/Splunk_CiscoSecuritySuite/css_setup/css_setup_endpoint/default" (Splunk 6.2.2, CSS 3.1.1).
I only want to enable ASA and IPS so would I need a different default.xml to the one above?
If you can't live with the default navigation menu, just remove the collections for:
By the way you will need the Splunk Add-on for Cisco ESA installed on your search head to get rid of an annoying message about some eventtypes not found even if you don't use ESA.
Thanks, I added the XML as is, and might change it later.
I am getting other error messages when searching;
The lookup table 'cisco_action_lookup' does not exist. It is referenced by configuration 'cisco:asa'.
The lookup table 'cisco_action_lookup' does not exist. It is referenced by configuration 'cisco:fwsm'.
The lookup table 'cisco_action_lookup' does not exist. It is referenced by configuration 'cisco:pix'.
The lookup table 'cisco_asa_change_analysis_lookup' does not exist. It is referenced by configuration 'cisco:asa'.
The lookup table 'cisco_asa_ids_lookup' does not exist. It is referenced by configuration 'cisco:asa'.
The lookup table 'cisco_asa_ids_lookup' does not exist. It is referenced by configuration 'cisco:pix'.
The lookup table 'cisco_asa_intrusion_severity_lookup' does not exist. It is referenced by configuration 'cisco:asa'.
The lookup table 'cisco_asa_intrusion_severity_lookup' does not exist. It is referenced by configuration 'cisco:fwsm'.
The lookup table 'cisco_asa_intrusion_severity_lookup' does not exist. It is referenced by configuration 'cisco:pix'.
The lookup table 'cisco_asa_syslog_severity_lookup' does not exist. It is referenced by configuration 'cisco:asa'.
The lookup table 'cisco_asa_vendor_class_lookup' does not exist. It is referenced by configuration 'cisco:asa'.
The lookup table 'cisco_ips_vendor_info_lookup' does not exist. It is referenced by configuration 'cisco:ips:syslog'.
Any idea what's going wrong here?
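One way to narrow down "lookup table ... does not exist" messages like those above, as an added example that is not part of the thread or of any Splunk app: it lists every `LOOKUP-` reference in props.conf whose transforms.conf stanza is not defined in any app under etc/apps. The function names and the sample's LOOKUP class names, field names and CSV filename are constructed; the script reads only default/ and local/ and does not look at sharing permissions in metadata or at disabled apps.

```python
import re
import tempfile
from pathlib import Path

LAYERS = ("default", "local")
STANZA = re.compile(r"^\[([^\]]+)\]\s*$")
# props.conf syntax: LOOKUP-<class> = <transforms.conf stanza> <field mapping...>
LOOKUP = re.compile(r"^LOOKUP-[^=\s]+\s*=\s*(?P<table>[^\s,]+)")

def parse_conf(path):
    """Return {stanza: [setting lines]} for one Splunk .conf file."""
    stanzas, current = {}, None
    text = path.read_text(encoding="utf-8", errors="replace")
    for line in map(str.strip, text.splitlines()):
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif current is not None and line and not line.startswith("#"):
            current.append(line)
    return stanzas

def missing_lookups(apps_dir):
    """Return sorted (lookup, props stanza, app) with no defining stanza in any app."""
    apps, defined, missing = Path(apps_dir), set(), set()
    for conf in apps.glob("*/*/transforms.conf"):
        if conf.parent.name in LAYERS:
            defined.update(parse_conf(conf))
    for conf in apps.glob("*/*/props.conf"):
        if conf.parent.name not in LAYERS:
            continue
        for stanza, lines in parse_conf(conf).items():
            for m in filter(None, map(LOOKUP.match, lines)):
                if m.group("table") not in defined:
                    missing.add((m.group("table"), stanza, conf.parent.parent.name))
    return sorted(missing)

def build_sample():
    """Constructed mini etc/apps tree: one lookup is defined, one is not."""
    ta = Path(tempfile.mkdtemp()) / "Splunk_TA_cisco-asa" / "default"
    ta.mkdir(parents=True)
    (ta / "props.conf").write_text(
        "[cisco:asa]\n"
        "LOOKUP-action = cisco_action_lookup vendor_action OUTPUT action\n"
        "LOOKUP-sev = cisco_asa_syslog_severity_lookup log_level OUTPUT severity\n")
    (ta / "transforms.conf").write_text("[cisco_asa_syslog_severity_lookup]\nfilename = sev.csv\n")
    return ta.parent.parent

if __name__ == "__main__":
    print(missing_lookups(build_sample()))
```

On a real search head, call `missing_lookups` with the path to `$SPLUNK_HOME/etc/apps`.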
Hmpf try changing the css_views.conf file and set the parts you don't need to 0. Otherwise you may have to add all the add-ons 😕
I changed the css_views.conf to asa = 1, ips = 1, csf = 0, esa = 0, wsa = 0, ise = 0 but still get the errors. I added the remaining add-ons so current versions are;
Splunk_CiscoSecuritySuite 3.1.1
Splunk_TA_cisco-asa 3.2.3
Splunk_TA_cisco-esa 1.2.0
Splunk_TA_cisco-ips 2.1.4
Splunk_TA_cisco-wsa 3.2.1
Splunk_TA_sourcefire 3.3.0
If I disable Splunk_TA_cisco-asa most of the errors go away, but I guess it needs to be enabled?
I'm not able to reproduce this on my system. Can you provide the link to the SourceFire add-on you're using? There are 2 different options presently available, maybe we're using different ones.
I am using this add on app for SourceFire: https://splunkbase.splunk.com/app/1808/, but I get this on trying to only enable the ASA or ESA add-on and this is a clean install. Odd, that I can install the apps, but the setup produces this error out of the box. Frustrating... 😞
@csimms This might be a silly question, but did you restart splunkd after installation? I installed a fresh copy this morning and although I didn't read the errors I did have the similar red bar. In my instance it is because the application requires a splunkd restart.
Yes, I restarted Splunk. I'll reach out to Splunk support for assistance, we have a paid enterprise level, I assume they can help?
I can't find the app.conf file you mention below in that directory.