Cisco Security Suite/Splunk for Cisco Firewalls

Mythric
New Member

I'm having some trouble with the Cisco Security Suite and the associated firewall add-ons for Splunk.

Cisco Security Suite
First of all, how does the dashboard define a 'security event' (e.g. Cisco Security Events by Top 10 Destination IP)? In the overview panel the heatmap and pie charts work, however the "Cisco Security Events" pane does not display anything.

Splunk for Cisco Firewalls
I have it set so the source type for the firewall logs is 'cisco_fwsm', however none of the panels in the firewall overview page show any results, instead returning a no results found message.

Any help resolving this would be appreciated.

sdaniels
Splunk Employee

First thing I would check is to make sure you only have the Cisco Security Suite and Splunk for Cisco Firewalls installed. If you have tried other apps like the TA for Cisco ASA, Cisco ASA and FWSM Field Extractions etc., I would suggest deleting them from the apps directory. They can cause issues with field extractions and searches.

1) Sourcetype should be automatically forced to “cisco_asa”, if not see step 3 for possible resolution.

a. To verify just run the below search, and verify that cisco_asa is correctly set as the sourcetype:
i. %ASA | dedup sourcetype | table sourcetype
b. Sometimes you might have to change the sourcetype for the UDP data to “syslog” for the Cisco Security App to recognize it.

2) Go through the setup page per App and save them. Restart Splunk.

3) If the additional sourcetype (cisco_asa) is not being created then the force transform REGEX is not working correctly. Here are the steps to fix this:
a. Edit the transforms.conf file in the Splunk_CiscoFirewalls App. ($SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/default/transforms.conf)

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
##REGEX = %ASA-\d+-\d+
REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa

The default REGEX is incorrect (i.e. it has -- instead of -). Just comment out the incorrect REGEX and uncomment the correct REGEX:

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d+-\d+
#REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa
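To see why the shipped REGEX never fires, the following added Python example (not part of the answer above, and not Splunk's own code) applies both patterns from the transforms.conf stanza to a few constructed ASA-style syslog lines and mimics what the sourcetype-forcing transform does. The sample lines, the hostnames and the IP addresses are made up; the assumption that unmatched UDP events stay on the "syslog" sourcetype follows step 1b of the answer.

```python
import re

# The two REGEX values from the transforms.conf stanza in the answer:
# the shipped default (doubled hyphen) and the corrected one.
DEFAULT_REGEX = r"%ASA--\d+-\d+"
FIXED_REGEX = r"%ASA-\d+-\d+"

# Constructed sample syslog lines using the Cisco ASA message-ID format
# (%ASA-<severity>-<message number>). Hosts and addresses are made up.
SAMPLE_LINES = [
    "Jan 10 12:00:01 fw01 %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:198.51.100.20/443 (198.51.100.20/443) to inside:10.0.0.5/51234 (203.0.113.1/51234)",
    "Jan 10 12:00:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.77/4444 "
    "dst inside:10.0.0.5/22 by access-group \"outside_in\"",
    "Jan 10 12:00:03 fw01 %ASA-6-305011: Built dynamic TCP translation "
    "from inside:10.0.0.5/51235 to outside:203.0.113.1/51235",
    # A non-ASA line on the same UDP input, which should stay on the default sourcetype.
    "Jan 10 12:00:04 host01 sshd[2201]: Accepted publickey for admin from 10.0.0.9 port 50022 ssh2",
]


def force_sourcetype(line, regex, forced="cisco_asa", default="syslog"):
    """Mimic a Splunk sourcetype-forcing transform: if REGEX matches anywhere in
    the raw event, the sourcetype becomes FORMAT's value (cisco_asa); otherwise
    the event keeps the sourcetype the input assigned (assumed here to be syslog)."""
    return forced if re.search(regex, line) else default


def sourcetype_counts(lines, regex):
    """Counted version of the answer's check '%ASA | dedup sourcetype | table sourcetype':
    how many events land in each sourcetype for a given REGEX."""
    counts = {}
    for line in lines:
        st = force_sourcetype(line, regex)
        counts[st] = counts.get(st, 0) + 1
    return counts


def message_ids(lines, regex=FIXED_REGEX):
    """Return the %ASA-<severity>-<id> token the transform keys on, one per matching line."""
    ids = []
    for line in lines:
        match = re.search(regex, line)
        if match:
            ids.append(match.group(0))
    return ids


if __name__ == "__main__":
    # With the shipped default nothing matches, so every event stays 'syslog'
    # and the firewall dashboards have no cisco_asa data to search.
    print("default REGEX:", sourcetype_counts(SAMPLE_LINES, DEFAULT_REGEX))
    # With the corrected REGEX the three ASA events are forced to cisco_asa.
    print("fixed REGEX:  ", sourcetype_counts(SAMPLE_LINES, FIXED_REGEX))
    print("message IDs:  ", message_ids(SAMPLE_LINES))
```

Running it shows the default pattern leaving all four lines on the syslog sourcetype, while the corrected pattern moves the three ASA lines to cisco_asa and leaves the unrelated sshd line alone, which is the split the dashboards expect.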

jfrench539
Engager

Editing the transforms.conf file worked for me, so thank you! I knew I had data coming in from the ASA, but had no idea why I couldn't get anything to show up in the Security Suite. This helped, as I now have some data coming in and can work from here, so thanks!
