Cisco Security Suite blank dashboard - What am I missing?

tsodrew
Explorer

Hello all,

I am new to Splunk. I am trying to setup some apps, Cisco Security Suite being one. I am having the same "blank dashboard" issue as others have posted. All panels are showing "No results found." I am having exactly the same problem with another security related Splunk app and it is very frustrating.

I am running Splunk 6.0 on Windows Server 2012. There is only one Splunk server in the landscape. I have multiple ASA firewalls sending syslog to Splunk via UDP 514. I have a custom index receiving syslog data from all network devices, and it is searchable in the Splunk UI. I have confirmed I can see results from ASA. I have installed the TA for ASAs. I have also followed the instructions regarding the TA & SA file & folder configuration, but still nothing.

I am not sure what else to do at this point. Any assistance would be greatly appreciated.

Thank you,
Drew

rsennett_splunk: here are the first 15 lines of the props.conf file, per your request. I will post an event shortly.

################ Global ####################
#default port is 514
#[source::tcp:514]
#TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
################ ASA ####################
[source::....asa]
sourcetype = cisco:asa
[cisco:asa]
SHOULD_LINEMERGE = false

1 Solution

tsonms
Engager

Well, we can close this out. I did an upgrade from 6.0 to 6.1 yesterday. During this process I removed the CSS & TA folders. After the upgrade, I installed them again, uncommented the UDP port 514 and transform lines, restarted Splunk, and the dashboards are working fine now. We have several ASAs in the environment, all logging to Splunk, so it takes a few minutes for some of the data to load, but it works. Very nice. I am certain our network security and cyber security folks will be happy this has been put to rest. Now, I have to move on to the next one where I am having a similar issue. Thank you for all who responded.


tsonms
Engager

My file does not look like what you posted. Please ensure you are looking at the props.conf file in the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory. Refer to the example at the top of this thread where it says Global with all the #s.

0 Karma

molinarf
Communicator

I have been trying to get this app to work. I followed the instructions and when I tried to make changes to the props.conf file, I could not find the port information (#[source::udp:514]). I am currently running Splunk 6.1.2. Here are the first few lines of props.conf. Where is the port information supposed to go?

# Splunk Technology Add-On for Cisco ASA
# Cisco Adaptive Security Appliance
# Copyright (C) 2012 Kent Heide
# All Rights Reserved

# Force the sourcetype
[syslog]
TRANSFORMS-force_sourcetype = force_sourcetype_for_cisco_asa
TRANSFORMS-force_index = force_index_for_cisco_asa

[cisco:asa]
LOOKUP-vendor_action = cisco_asa_actions vendor_action OUTPUT action
LOOKUP-app_type = cisco_asa_apptype sourcetype OUTPUT app
LOOKUP-vendor = cisco_asa_vendor sourcetype OUTPUT vendor
LOOKUP-eventcode = cisco_asa_event_codes

Thank you for your assistance.

0 Karma

rsennett_splunk
Splunk Employee

It's always something. 😉
Accept your own answer (this one) and that will "Close out" the question.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

BCIBNKSPLK
Engager

After the upgrade, the solution for me was:

-> Access controls -> Roles -> choose a role your account belongs to -> scroll to the bottom and observe the indexes searched by default. In my case index=cisco

I think documentation should add this info.

regards,

tsodrew
Explorer

Hi & thank you for the response. Yes, the index in question is searched by default.

0 Karma

lauMarot
Path Finder

Have you added your "cisco" index to the indexes searched by default?

0 Karma

tsodrew
Explorer

Hello. We have a custom index that all UDP 514 traffic goes to, and that index is searched by default.

0 Karma

jconger
Splunk Employee

There are a couple of things to check.

1 - Since you have a custom index, make sure that it is searched by default. Within Splunk, click Settings -> Access controls -> Roles -> choose a role your account belongs to -> scroll to the bottom and observe the indexes searched by default.

This is necessary as the Cisco Security Suite does not specify the index in the searches; rather, we rely on the index being a default searchable index.

As an alternative, you can make a change to eventtypes.conf to include your custom index. All the searches in the Cisco Security Suite specify an eventtype. To do this, copy

$SPLUNK_HOME/etc/apps/SA-cisco-asa/default/eventtypes.conf

To

$SPLUNK_HOME/etc/apps/SA-cisco-asa/local/eventtypes.conf

Modify like so:

[cisco-firewall]
search = index=your_custom_index (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")

2 - Since you are sending multiple types of data in on UDP, make sure that you force the sourcetype for Cisco ASA. Here is how to do this:

  • Navigate to the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa directory.
  • Create a new directory named local.
  • Navigate into the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/default directory.
  • Copy the props.conf configuration file and place it into the previously created $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory.
  • Navigate into the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory.
  • Open the props.conf configuration file.
  • Remove the # (comment markers) at the beginning of the lines below in the props.conf file. Note: if the data is going to a different port or protocol, make the appropriate adjustments; for example, if Cisco ASA data is received on TCP port 515, replace source::udp:514 with source::tcp:515.
    • #[source::udp:514]
    • #TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
  • Save the props.conf configuration file. Restart the Splunk Service/Daemon.
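Added example (not from this thread or from the Splunk TA): a small Python model of the two failure points described above, run over constructed syslog lines. It checks whether the `[source::udp:514]` TRANSFORMS line is actually live in a props.conf fragment and shows how events stay `sourcetype=syslog`, and therefore invisible to `eventtype=cisco-firewall`, until it is. The regexes standing in for the TA's force_sourcetype transforms and the sample events are assumptions.

```python
import re

# Regexes approximating the TA's force_sourcetype_for_cisco_* transforms (assumption; the real patterns may differ).
FORCE_SOURCETYPE = [
    (re.compile(r"%ASA-\d-\d{6}"), "cisco:asa"),
    (re.compile(r"%PIX-\d-\d{6}"), "cisco:pix"),
    (re.compile(r"%FWSM-\d-\d{6}"), "cisco:fwsm"),
]
# Constructed props.conf fragment as shipped (stanza commented out) and after step 2 uncomments it.
PROPS_COMMENTED = """################ Global ####################
#default port is 514
#[source::udp:514]
#TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
[cisco:asa]
SHOULD_LINEMERGE = false
"""
PROPS_FIXED = PROPS_COMMENTED.replace("\n#[source", "\n[source").replace("\n#TRANSFORMS", "\nTRANSFORMS")

# Constructed syslog lines as a UDP 514 input would receive them (not real device logs).
SAMPLE_EVENTS = [
    "<166>Jun 10 12:00:01 fw1 %ASA-6-302013: Built outbound TCP connection 123 for outside:203.0.113.5/443",
    "<164>Jun 10 12:00:02 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22",
    "<166>Jun 10 12:00:03 fw2 %PIX-6-305011: Built dynamic TCP translation from inside:10.0.0.9/5000",
    "<189>Jun 10 12:00:04 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up",
]
def active_transforms(props_conf, source):
    """Return TRANSFORMS-* values that are live for a stanza such as 'source::udp:514'."""
    active, in_stanza = [], False
    for raw in props_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # a commented-out line configures nothing
            continue
        if line.startswith("["):
            in_stanza = line == f"[{source}]"
        elif in_stanza and line.startswith("TRANSFORMS-"):
            active.append(line.split("=", 1)[1].strip())
    return active

def assign_sourcetype(event, transforms_active):
    """Model index-time sourcetyping: UDP input lands as 'syslog' unless a live transform rewrites it."""
    if transforms_active:
        for pattern, sourcetype in FORCE_SOURCETYPE:
            if pattern.search(event):
                return sourcetype
    return "syslog"

def cisco_firewall_eventtype(events, transforms_active):
    """Emulate eventtype=cisco-firewall: count the events the suite's dashboards would see."""
    wanted = {"cisco:asa", "cisco:pix", "cisco:fwsm"}
    return sum(1 for e in events if assign_sourcetype(e, transforms_active) in wanted)
```

Running `cisco_firewall_eventtype(SAMPLE_EVENTS, bool(active_transforms(PROPS_COMMENTED, "source::udp:514")))` gives 0, the blank-dashboard state; with `PROPS_FIXED` the same call gives 3, and the switch line correctly stays `syslog`.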

rsennett_splunk
Splunk Employee

I know that Jason already instructed you to uncomment the monitors (and TRANSFORMS) in props.conf, but can you edit your question to display the top 15 lines of $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local/props.conf please?

Also, if you show us one event containing the %ASA "target" that might help us see whether there is something unexpected happening in the events to cause the regex in the force_sourcetype stanzas in transforms.conf

What flavor of syslog are you using?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

tsodrew
Explorer

Hello. That must be the problem. The sourcetype for everything, including ASA logs, is syslog. Now, I just have to figure out why it is doing that, and get it corrected.

0 Karma

jconger
Splunk Employee

Wow, ok. What sourcetypes are you seeing when you search your custom index?

The eventtype is just looking for data with sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm".

0 Karma

tsodrew
Explorer

When I search with no index specified, I get "no results found." When I search with the custom index specified, I get the same.

0 Karma

jconger
Splunk Employee

What do you get when you run the following search?

eventtype=cisco-firewall

0 Karma

tsodrew
Explorer

Hello and thank you for the response. Sorry for the delay. I had guests all week.

I have verified my index is searched by default. It still was not working, so I tried the second part of #1. Still nothing. I had previously done #2. I double checked all of those settings and found my setup to be correct.

At this point I am at a loss, and my frustration level is rising.

Any other ideas?

0 Karma