
Cisco Security Suite/Splunk for Cisco Firewalls

New Member

I'm having some trouble with the Cisco Security Suite and the associated firewall add-ons for Splunk.

Cisco Security Suite
First of all, how does the dashboard define a 'security event' (e.g. Cisco Security Events by Top 10 Destination IP)? In the overview panel the heatmap and pie charts work; however, the "Cisco Security Events" pane does not display anything.

Splunk for Cisco Firewalls
I have it set so the source type for the firewall logs is 'cisco_fwsm'; however, none of the panels in the firewall overview page show any results, instead returning a "no results found" message.

Any help resolving this would be appreciated.


Splunk Employee

First thing I would check is to make sure you only have the Cisco Security Suite and Splunk for Cisco Firewalls installed. If you have tried other apps like the TA for Cisco ASA, Cisco ASA and FWSM Field Extractions etc., I would suggest deleting them from the apps directory. They can cause issues with field extractions and searches.

1) Sourcetype should be automatically forced to “cisco_asa”; if not, see step 3 for a possible resolution.

a. To verify, just run the search below and check that cisco_asa is correctly set as the sourcetype:
i. %ASA | dedup sourcetype | table sourcetype
b. Sometimes you might have to change the sourcetype for the UDP data to “syslog” for the Cisco Security App to recognize it.

2) Go through the setup page per App and save them. Restart Splunk.

3) If the additional sourcetype (cisco_asa) is not being created, then the force transform REGEX is not working correctly. Here are the steps to fix this:
a. Edit the transforms.conf file in the Splunk_CiscoFirewalls App. ($SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/default/transforms.conf)

DEST_KEY = MetaData:Sourcetype
##REGEX = %ASA-\d+-\d+
REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa

The default REGEX is incorrect (i.e. it has -- instead of -). Just comment out the incorrect REGEX and uncomment the correct REGEX:

DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d+-\d+
#REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa
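To see why the doubled hyphen matters before touching a production transforms.conf, the two REGEX values can be checked offline against sample syslog lines. The following Python script is an added example and is not part of the answer above or of the Splunk apps; the log lines in it are constructed, and the helper functions (force_sourcetype, count_by_sourcetype, sourcetypes_seen) are a simplified stand-in for the Splunk transform and the `%ASA | dedup sourcetype | table sourcetype` verification search, not Splunk's own processing.

```python
import re

# Constructed sample events (not from the thread): two ASA syslog messages,
# one FWSM message and one unrelated syslog line.
SAMPLE_EVENTS = [
    "Oct  3 10:15:01 fw01 %ASA-6-302013: Built inbound TCP connection 12345 "
    "for outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "Oct  3 10:15:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 "
    'dst inside:10.0.0.9/22 by access-group "outside_in"',
    "Oct  3 10:15:03 fw02 %FWSM-6-302013: Built inbound TCP connection 777 "
    "for outside:198.51.100.9/40000 (198.51.100.9/40000) to inside:10.0.1.5/80 (10.0.1.5/80)",
    "Oct  3 10:15:04 host1 sshd[2211]: Accepted publickey for ops from 10.0.0.20 port 50000 ssh2",
]

# The two REGEX values quoted in the answer: the shipped one with the doubled
# hyphen and the corrected one.
BROKEN_REGEX = r"%ASA--\d+-\d+"
FIXED_REGEX = r"%ASA-\d+-\d+"


def force_sourcetype(event, regex, default="syslog"):
    """Mimic the transform (assumption: simplified model of Splunk's behaviour).

    If REGEX matches anywhere in the raw event, DEST_KEY MetaData:Sourcetype
    is rewritten to cisco_asa; otherwise the event keeps the input sourcetype,
    which for a UDP syslog input is typically 'syslog'.
    """
    return "cisco_asa" if re.search(regex, event) else default


def count_by_sourcetype(events, regex, default="syslog"):
    """Return {sourcetype: number of events} for a batch of raw events."""
    counts = {}
    for event in events:
        st = force_sourcetype(event, regex, default)
        counts[st] = counts.get(st, 0) + 1
    return counts


def sourcetypes_seen(events, regex, default="syslog"):
    """Offline stand-in for `%ASA | dedup sourcetype | table sourcetype`:
    the distinct sourcetypes assigned to events that contain the text %ASA."""
    return sorted({force_sourcetype(e, regex, default)
                   for e in events if "%ASA" in e})


if __name__ == "__main__":
    for label, regex in (("shipped (--)", BROKEN_REGEX), ("fixed (-)", FIXED_REGEX)):
        print(f"{label:13s} counts={count_by_sourcetype(SAMPLE_EVENTS, regex)} "
              f"seen={sourcetypes_seen(SAMPLE_EVENTS, regex)}")
```

With the shipped pattern every event, ASA or not, stays on the input's sourcetype, which is exactly the symptom in the question: data arrives but nothing in the app's panels matches, because the panels search for sourcetype cisco_asa. With the corrected pattern only the %ASA lines are re-tagged, and the FWSM and unrelated lines are left alone, so the verification search returns just cisco_asa.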


Editing the transforms.conf file worked for me, so thank you! I knew I had data coming in from the ASA, but had no idea why I couldn't get anything to show up in the Security Suite. This helped, as I now have some data coming in and can work from here, so thanks!
