
Cisco Security Suite Setup Errors - Encountered the following error while trying to update: In handler 'localapps': Error while posting to url....

csimms
Explorer

Has anyone encountered this error and know the fix? I have the latest build of Splunk, added the Cisco ASA, ESA and SourceFire add-on apps, and the main Cisco Security Suite prompts me to go through a setup... I check these 3 packages and I get this error in a red bar:

Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/Splunk_CiscoSecuritySuite/css_setup/css_setup_endpoint/default


sec_team_albara
New Member

I am having the same issue.
Did anyone find a workaround?
Thanks


mikaelbje
Motivator

Is this a Windows install by any chance? I encountered this on two Splunk 6.2.3 windows servers. I doubt it happens on NIX.


bwooden
Splunk Employee

I tried (unsuccessfully) to repro using latest (& clean) Splunk (6.2.2), ASA https://splunkbase.splunk.com/app/1620/, ESA https://splunkbase.splunk.com/app/1761/, and SourceFire https://splunkbase.splunk.com/app/1808.

Still, you may be able to work around the issue by updating 3 files manually...

Create $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/local/app.conf

[install]
is_configured = 1

Create $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/local/css_views.conf

[default]
asa = 1
csf = 1
esa = 1

Create $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/local/data/ui/nav/default.xml

<nav color="#29688A">
    <collection label="Splunk for Cisco Security">
        <view default="true" name="cisco_security_overview" />
        <view name="search_ip_profile" />
        <view name="user_tracking" />
        <view name="search" />
        <divider />
        <collection label="Searches &amp; Reports">
            <saved source="unclassified" view="search" />
        </collection>
        <collection label="Dashboards">
            <view source="unclassified" />
        </collection>
    </collection>

    <collection label="Email Security">
        <view name="esa_overview" />
        <divider />
        <view name="esa_performance" />
        <view name="esa_search" />
        <divider />
        <collection label="Email Searches &amp; Reports">
            <saved match="Cisco ESA" source="all" view="search" />
        </collection>
    </collection>

    <collection label="Network Security">
        <view name="asa_overview" />
        <view name="asa_search" />
        <divider />
        <collection label="Sourcefire IPS IDS">
            <view name="sourcefire_estreamer_summary" />
            <divider />
            <view name="sourcefire_sensor_summary" />
            <view name="sourcefire_policy_summary" />
            <view name="sourcefire_host_summary" />
            <view name="sourcefire_flow_summary" />
            <divider />
            <view name="sourcefire_ids_event_summary" />
            <view name="sourcefire_file_event_summary" />
            <view name="sourcefire_correlation_summary" />
        </collection>

        <divider />
        <divider />
        <collection label="Firewall Searches &amp; Reports">
            <saved match="Cisco ASA" source="all" view="search" />
        </collection>
        <collection label="IPS Searches &amp; Reports">
            <saved match="Cisco IPS" source="all" view="search" />
        </collection>
    </collection>

    <collection label="Help">
        <view name="getting_started" />
        <collection label="Documentation">
            <view name="upgrading" />
            <a href="http://docs.splunk.com/Documentation/AddOns/latest/CiscoASA/Description">Cisco ASA Configuration</a>
            <a href="http://docs.splunk.com/Documentation/AddOns/latest/CiscoWSA/About">Cisco WSA Configuration</a>
            <a href="http://docs.splunk.com/Documentation/AddOns/latest/CiscoESA/About">Cisco ESA Configuration</a>
            <a href="http://docs.splunk.com/Documentation/AddOns/latest/CiscoISE/About">Cisco ISE Configuration</a>
            <a href="http://docs.splunk.com/Documentation/AddOns/latest/CiscoIPS/About">Cisco IPS Configuration</a>
            <view name="sourcefire_documentation" />
        </collection>
        <a href="/manager/Splunk_CiscoSecuritySuite/apps/local/Splunk_CiscoSecuritySuite/setup?action=edit&amp;redirect_override=/app/Splunk_CiscoSecuritySuite/cisco_security_overview">Setup</a>
    </collection>
</nav>

...and then restart Splunk.


dinavorn
Loves-to-Learn

Great Thanks


ryantzj
Explorer

Great stuff thanks !


Colin_Y
New Member

Hi, I'm also getting the error "In handler 'localapps': Error while posting to url=/servicesNS/nobody/Splunk_CiscoSecuritySuite/css_setup/css_setup_endpoint/default" (Splunk 6.2.2, CSS 3.1.1).

I only want to enable ASA and IPS so would I need a different default.xml to the one above?


mikaelbje
Motivator

If you can't live with the default navigation menu, just remove the collections for:

  • Sourcefire IPS IDS
  • Email Security

By the way, you will need the Splunk Add-on for Cisco ESA installed on your search head to get rid of an annoying message about some eventtypes not found, even if you don't use ESA.

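The two pieces of advice above (bwooden's three files under local/, and mikaelbje's "drop the Email Security and Sourcefire IPS IDS collections if you only run ASA") combined into one script, as an added example that is not from this thread or from the Cisco Security Suite app itself. Everything in it is mine and hypothetical: the function names, the VIEW_COLLECTIONS table, the abridged SAMPLE_NAV (a constructed, cut-down copy of the nav XML posted above, used only so the demo runs offline), and the reading of the css_views.conf key `csf` as the Sourcefire collection (the thread never expands the abbreviation; `ips`, `wsa` and `ise` have no collection of their own in the posted nav, so they only affect css_views.conf). It writes to local/, never default/, so an app upgrade does not wipe it, and it refuses to overwrite a file that already exists in local/ so a hand-edited override is not clobbered.

```python
# Added example, not code from the thread or from the Cisco Security Suite app.
# Writes the three local/ files from the workaround above and prunes the nav
# collections for products switched off in css_views.conf.
# Hypothetical names: VIEW_COLLECTIONS, SAMPLE_NAV, apply_workaround and demo
# are mine; mapping 'csf' to the Sourcefire collection is my assumption.
import os
import tempfile
import xml.etree.ElementTree as ET

APP = "Splunk_CiscoSecuritySuite"

# Which nav <collection label=...> blocks belong to which css_views.conf flag.
# Labels are the ones in the nav XML posted in the thread.
VIEW_COLLECTIONS = {
    "esa": ("Email Security",),
    "csf": ("Sourcefire IPS IDS",),  # assumption: csf = Cisco Sourcefire
}

# Constructed, abridged copy of the posted nav; only here so demo() runs offline.
SAMPLE_NAV = """<nav color="#29688A">
  <collection label="Splunk for Cisco Security">
    <view default="true" name="cisco_security_overview" />
    <collection label="Searches &amp; Reports">
      <saved source="unclassified" view="search" />
    </collection>
  </collection>
  <collection label="Email Security">
    <view name="esa_overview" />
  </collection>
  <collection label="Network Security">
    <view name="asa_overview" />
    <collection label="Sourcefire IPS IDS">
      <view name="sourcefire_estreamer_summary" />
    </collection>
    <collection label="Firewall Searches &amp; Reports">
      <saved match="Cisco ASA" source="all" view="search" />
    </collection>
  </collection>
</nav>
"""


def render_css_views(flags):
    """Build css_views.conf text: a [default] stanza with one 0/1 key per flag."""
    lines = ["[default]"]
    for name in sorted(flags):
        lines.append("%s = %d" % (name, 1 if flags[name] else 0))
    return "\n".join(lines) + "\n"


def prune_nav(nav_xml, flags):
    """Drop the <collection> blocks of every product whose flag is 0 (or absent)."""
    drop = {label
            for flag, labels in VIEW_COLLECTIONS.items()
            if not flags.get(flag, 0)
            for label in labels}
    root = ET.fromstring(nav_xml)
    # ElementTree has no parent links, so snapshot the tree first and remove
    # matching children from each parent; a removed subtree is simply skipped.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "collection" and child.get("label") in drop:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


def write_if_missing(path, content):
    """Create the file only if absent: an existing local/ override is never overwritten."""
    if os.path.exists(path):
        return False
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return True


def apply_workaround(splunk_home, nav_xml, flags):
    """Write app.conf, css_views.conf and the nav XML under the app's local/ dir.
    Returns {relative path: created?}; a second run reports False for every file."""
    local = os.path.join(splunk_home, "etc", "apps", APP, "local")
    targets = {
        os.path.join(local, "app.conf"): "[install]\nis_configured = 1\n",
        os.path.join(local, "css_views.conf"): render_css_views(flags),
        os.path.join(local, "data", "ui", "nav", "default.xml"): prune_nav(nav_xml, flags),
    }
    return {os.path.relpath(p, local): write_if_missing(p, c) for p, c in targets.items()}


def demo():
    """Run the workaround twice in a throwaway SPLUNK_HOME (ASA on, ESA/Sourcefire off)."""
    flags = {"asa": 1, "csf": 0, "esa": 0}
    with tempfile.TemporaryDirectory() as home:
        first = apply_workaround(home, SAMPLE_NAV, flags)
        second = apply_workaround(home, SAMPLE_NAV, flags)
        conf_path = os.path.join(home, "etc", "apps", APP, "local", "css_views.conf")
        with open(conf_path, encoding="utf-8") as fh:
            conf = fh.read()
    return first, second, conf


if __name__ == "__main__":
    print(demo())
```

Against a real install you would call `apply_workaround(os.environ["SPLUNK_HOME"], open("nav.xml").read(), {"asa": 1, "ips": 1, "csf": 0, "esa": 0})` with the full nav XML from the post saved as nav.xml, then restart Splunk as the workaround says. Note that pruning the menu does not remove the dependency mikaelbje mentions: the ESA add-on still has to be on the search head or the missing-eventtype message stays.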

Colin_Y
New Member

Thanks, I added the XML as is, and might change it later.

I am getting other error messages when searching:
The lookup table 'cisco_action_lookup' does not exist. It is referenced by configuration 'cisco:asa'.

The lookup table 'cisco_action_lookup' does not exist. It is referenced by configuration 'cisco:fwsm'.

The lookup table 'cisco_action_lookup' does not exist. It is referenced by configuration 'cisco:pix'.

The lookup table 'cisco_asa_change_analysis_lookup' does not exist. It is referenced by configuration 'cisco:asa'.

The lookup table 'cisco_asa_ids_lookup' does not exist. It is referenced by configuration 'cisco:asa'.

The lookup table 'cisco_asa_ids_lookup' does not exist. It is referenced by configuration 'cisco:pix'.

The lookup table 'cisco_asa_intrusion_severity_lookup' does not exist. It is referenced by configuration 'cisco:asa'.

The lookup table 'cisco_asa_intrusion_severity_lookup' does not exist. It is referenced by configuration 'cisco:fwsm'.

The lookup table 'cisco_asa_intrusion_severity_lookup' does not exist. It is referenced by configuration 'cisco:pix'.

The lookup table 'cisco_asa_syslog_severity_lookup' does not exist. It is referenced by configuration 'cisco:asa'.

The lookup table 'cisco_asa_vendor_class_lookup' does not exist. It is referenced by configuration 'cisco:asa'.

The lookup table 'cisco_ips_vendor_info_lookup' does not exist. It is referenced by configuration 'cisco:ips:syslog'.

Any idea what's going wrong here?


mikaelbje
Motivator

Hmpf, try changing the css_views.conf file and setting the parts you don't need to 0. Otherwise you may have to add all the add-ons 😕


Colin_Y
New Member

I changed the css_views.conf to asa = 1, ips = 1, csf = 0, esa = 0, wsa = 0, ise = 0 but still get the errors. I added the remaining add-ons, so current versions are:
Splunk_CiscoSecuritySuite 3.1.1
Splunk_TA_cisco-asa 3.2.3
Splunk_TA_cisco-esa 1.2.0
Splunk_TA_cisco-ips 2.1.4
Splunk_TA_cisco-wsa 3.2.1
Splunk_TA_sourcefire 3.3.0

If I disable Splunk_TA_cisco-asa most of the errors go away, but I guess it needs to be enabled?


bwooden
Splunk Employee

I'm not able to re-produce this on my system. Can you provide the link to the SourceFire add-on you're using? There are 2 different options presently available, maybe we're using different ones.


csimms
Explorer

I am using this add-on app for SourceFire: https://splunkbase.splunk.com/app/1808/, but I get this on trying to only enable the ASA or ESA add-on, and this is a clean install. Odd that I can install the apps, but the setup produces this error out of the box. Frustrating... 😞


tomandrews
Explorer

@csimms This might be a silly question, but did you restart splunkd after installation? I installed a fresh copy this morning and although I didn't read the errors I did have the similar red bar. In my instance it is because the application requires a splunkd restart.


csimms
Explorer

Yes I restarted splunk. I'll reach out to splunk support for assistance, we have a paid enterprise level, I assume they can help?


csimms
Explorer

I can't find the app.conf file you mention below in that directory.
