Hello all,
I am new to Splunk. I am trying to setup some apps, Cisco Security Suite being one. I am having the same "blank dashboard" issue as others have posted. All panels are showing "No results found." I am having exactly the same problem with another security related Splunk app and it is very frustrating.
I am running Splunk 6.0 on Windows Server 2012. There is only one Splunk server in the landscape. I have multiple ASA firewalls sending syslog to Splunk via UDP 514. I have a custom index receiving syslog data from all network devices, and it is searchable in the Splunk UI. I have confirmed I can see results from ASA. I have installed the TA for ASAs. I have also followed the instructions regarding the TA & SA file & folder configuration, but still nothing.
I am not sure what else to do at this point. Any assistance would be greatly appreciated.
Thank you,
Drew
RSENNETT_SPLUNK. Here are the first 15 lines of the props.conf file per your request. I will post an event shortly.
################ Global ####################
#default port is 514
#[source::tcp:514]
#TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
################ ASA ####################
[source::....asa]
sourcetype = cisco:asa
[cisco:asa]
SHOULD_LINEMERGE = false
Well, we can close this out. I did an upgrade from 6.0 to 6.1 yesterday. During this process I removed the CSS & TA folders. After the upgrade, I installed them again, uncommented the UDP port 514 and transform lines, restarted Splunk, and the dashboards are working fine now. We have several ASAs in the environment, all logging to Splunk, so it takes a few minutes for some of the data to load, but it works. Very nice. I am certain our network security and cyber security folks will be happy this has been put to rest. Now, I have to move on to the next one where I am having a similar issue. Thank you for all who responded.
My file does not look like what you posted. Please ensure you are looking at props.conf file in the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory. Refer to the example at the top of this thread where it says global with all the #s.
I have been trying to get this app to work. I followed the instructions and when I tried to make changes to the props.conf file, I could not find the port information (#[source::udp:514]). I am currently running Splunk 6.1.2. Here is the props.conf first few lines. Where is the port information supposed to go?
[syslog]
TRANSFORMS-force_sourcetype = force_sourcetype_for_cisco_asa
TRANSFORMS-force_index = force_index_for_cisco_asa
[cisco:asa]
LOOKUP-vendor_action = cisco_asa_actions vendor_action OUTPUT action
LOOKUP-app_type = cisco_asa_apptype sourcetype OUTPUT app
LOOKUP-vendor = cisco_asa_vendor sourcetype OUTPUT vendor
LOOKUP-eventcode = cisco_asa_event_codes
Thank you for your assistance.
It's always something. 😉
Accept your own answer (this one) and that will "Close out" the question.
After upgrade the solution for me was:
-> Access controls -> Roles -> choose a role your account belongs to -> scroll to the bottom and observe the indexes searched by default. In my case index=cisco
I think documentation should add this info.
regards,
Hi & thank you for the response. Yes, the index in question is searched by default.
Have you added your "cisco" index to the searched-by-default indexes?
Hello. We have a custom index and all UDP 514 traffic goes to and that index is searched by default.
There are a couple of things to check.
1 - since you have a custom index, make sure that it is a searched by default. Within Splunk, click Settings -> Access controls -> Roles -> choose a role your account belongs to -> scroll to the bottom and observe the indexes searched by default.
This is necessary as the Cisco Security Suite does not specify the index in the searches; rather, we rely on the index being a default searchable index.
As an alternative, you can make a change to eventtypes.conf to include your custom index. All the searches in the Cisco Security Suite specify an eventtype. To do this, copy
$SPLUNK_HOME/etc/apps/SA-cisco-asa/default/eventtypes.conf
To
$SPLUNK_HOME/etc/apps/SA-cisco-asa/local/eventtypes.conf
Modify like so:
[cisco-firewall]
search = index=your_custom_index (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")
2 - since you are sending multiple types of data in on UDP, make sure that you force the sourcetype for Cisco ASA. Here is how to do this:
I know that Jason already instructed you to uncomment the monitors (and TRANSFORMS) in props.conf - but can you edit your question to display the top 15 lines of $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local/props.conf please?
Also, if you show us one event containing the %ASA "target" that might help us see whether there is something unexpected happening in the events to cause the regex in the force_sourcetype stanzas in transforms.conf
what flavor of syslog are you using?
Hello. That must be the problem. The sourcetype for everything, including ASA logs, is syslog. Now, I just have to figure out why it is doing that, and get it corrected.
Wow - ok, what sourcetypes are you seeing when you search your custom index?
The eventtype is just looking for data with a sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm"
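An added Python example, not code from the thread or from the Cisco TA/SA apps, that models the two checks in the answer above (index searched by default, forced sourcetype on the shared UDP 514 feed) together with the eventtype filter described here. The sample syslog lines are constructed and the three regexes are my assumed stand-ins for the TA's force_sourcetype transforms, not copies of its transforms.conf.

```python
import re

# Constructed sample events as they would arrive on UDP 514 (not real device output).
SAMPLE_EVENTS = [
    {"index": "cisco", "raw": "<166>Jan 10 12:00:01 fw1 %ASA-6-302013: Built outbound TCP connection 1 for outside:10.0.0.5/443 to inside:192.168.1.10/51000"},
    {"index": "cisco", "raw": "<166>Jan 10 12:00:02 fw2 %ASA-4-106023: Deny tcp src outside:10.0.0.9/4444 dst inside:192.168.1.20/22 by access-group \"outside_in\""},
    {"index": "cisco", "raw": "<166>Jan 10 12:00:03 oldfw %PIX-6-302013: Built inbound TCP connection 7 for outside:10.0.0.6/80 to inside:192.168.1.11/52000"},
    {"index": "cisco", "raw": "<166>Jan 10 12:00:04 sw1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/1, changed state to up"},
    {"index": "main",  "raw": "<166>Jan 10 12:00:05 fw3 %FWSM-6-302013: Built outbound TCP connection 9 for outside:10.0.0.7/53 to inside:192.168.1.12/53000"},
]

# Assumed stand-ins for the TA's force_sourcetype_for_cisco_* transforms:
# each matches the Cisco message tag and rewrites the sourcetype at index time.
FORCE_SOURCETYPE = [
    (re.compile(r"%ASA-\d-\d+"), "cisco:asa"),
    (re.compile(r"%PIX-\d-\d+"), "cisco:pix"),
    (re.compile(r"%FWSM-\d-\d+"), "cisco:fwsm"),
]

# What the cisco-firewall eventtype selects on (from the thread).
FIREWALL_SOURCETYPES = {"cisco:asa", "cisco:pix", "cisco:fwsm"}


def assign_sourcetype(raw, transforms_enabled):
    """Index-time step: with the TRANSFORMS lines commented out, every UDP 514
    event keeps the generic 'syslog' sourcetype, which the dashboards never match."""
    if transforms_enabled:
        for pattern, sourcetype in FORCE_SOURCETYPE:
            if pattern.search(raw):
                return sourcetype
    return "syslog"


def eventtype_cisco_firewall(events, default_indexes):
    """Search-time step: the app's searches carry no index= term, so only events in
    the role's searched-by-default indexes are visible to eventtype=cisco-firewall."""
    return [e for e in events
            if e["index"] in default_indexes and e["sourcetype"] in FIREWALL_SOURCETYPES]


def count_dashboard_hits(transforms_enabled, default_indexes):
    """Number of events a Cisco Security Suite panel would have to work with."""
    indexed = [dict(e, sourcetype=assign_sourcetype(e["raw"], transforms_enabled))
               for e in SAMPLE_EVENTS]
    return len(eventtype_cisco_firewall(indexed, set(default_indexes)))


if __name__ == "__main__":
    print("transforms off:", count_dashboard_hits(False, {"cisco", "main"}))  # blank dashboard
    print("transforms on, index not default:", count_dashboard_hits(True, {"main"}))
    print("transforms on, index default:", count_dashboard_hits(True, {"cisco", "main"}))
```

Running it reproduces the thread's symptom: with the transforms commented out every event stays sourcetype=syslog and the eventtype returns nothing, and even with them on, events in an index the role does not search by default are invisible.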
When I search with no index specified, I get "no results found." When I search with the custom index specified, I get the same.
What do you get when you run the following search?
eventtype=cisco-firewall
Hello and thank you for the response. Sorry for the delay. I had guests all week.
I have verified my index is searched by default. It still was not working, so I tried the second part of #1. Still nothing. I had previously done #2. I double checked all of those settings and found my setup to be correct.
At this point I am at a loss, and my frustration level is rising.
Any other ideas?