All Apps and Add-ons

Cisco Security Suite Setup Failure

edwardrose
Contributor

Hello All

I have Splunk Enterprise 6.5.2 and Cisco Security Suite 3.1.2. I also have TAs for ASA, ESA and WSA installed. When I launch the Cisco Security Suite app it goes to the config page and when I click continue to app setup page I get an error.

404 Not Found

Return to Splunk home page
Page not found!
View more information about your request (request ID = 58ff9ebd527f7a53201490) in Search

This page was linked to from https://splk-srch-01.wv.mentorg.com:8000/en-US/app/Splunk_CiscoSecuritySuite/.

I do not see any other issues or errors. I have tried to follow the instructions from the following link but it fails as well.

https://answers.splunk.com/answers/12702/splunk-cisco-security-suite.html?utm_source=typeahead&utm_m...

Does anyone have any idea why it isn't working or how to fix it?

thanks

0 Karma
1 Solution

alacercogitatus
SplunkTrust
SplunkTrust

Basically, the app is timing out because it does an initial data sweep prior to start configuration.

There are two options: increase timeout, or edit python to bypass the jobs that run against your data. If you are a very large environment, just do option two, edit the python. Option 1 will work if let it run long enough.

More details are over here: https://answers.splunk.com/answers/409761/why-am-i-getting-a-404-error-when-i-try-to-set-up.html.

Option 1

Edit: /opt/splunk/etc/system/local/web.conf

splunkdConnectionTimeout = 1400

Option 2

Edit: Splunk_CiscoSecuritySuite/bin/css_setup_handler.py

alter the lines looking like info['asa_count'] = 0 to= 1 instead where a feature should be installed.
REMOVE all lines that look like that are running search jobs.

Restart Splunk.

View solution in original post

eidil
Explorer

You can edit the app.conf file. Search for the install stanza and change:

is_configured = true

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Basically, the app is timing out because it does an initial data sweep prior to start configuration.

There are two options: increase timeout, or edit python to bypass the jobs that run against your data. If you are a very large environment, just do option two, edit the python. Option 1 will work if let it run long enough.

More details are over here: https://answers.splunk.com/answers/409761/why-am-i-getting-a-404-error-when-i-try-to-set-up.html.

Option 1

Edit: /opt/splunk/etc/system/local/web.conf

splunkdConnectionTimeout = 1400

Option 2

Edit: Splunk_CiscoSecuritySuite/bin/css_setup_handler.py

alter the lines looking like info['asa_count'] = 0 to= 1 instead where a feature should be installed.
REMOVE all lines that look like that are running search jobs.

Restart Splunk.

nmiller_splunk
Splunk Employee
Splunk Employee

The need to increase the timeout is explicitly called out in the release notes Cisco Security Suite details here: https://splunkbase.splunk.com/app/525/#/details

Known Issues
===
3.1.2
- Package name still has "Splunk_" prefix. This is required if keeping same Splunkbase path yet this app is no longer Splunk supported
- splunkdConnectionTimeout may still need to be set artificially high on some systems for the setup experience

Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...