Cisco Security Suite blank dashboard - What am I missing?

Explorer

Hello all,

I am new to Splunk. I am trying to set up some apps, Cisco Security Suite being one. I am having the same "blank dashboard" issue as others have posted. All panels are showing "No results found." I am having exactly the same problem with another security-related Splunk app and it is very frustrating.

I am running Splunk 6.0 on Windows Server 2012. There is only one Splunk server in the landscape. I have multiple ASA firewalls sending syslog to Splunk via UDP 514. I have a custom index receiving syslog data from all network devices, and it is searchable in the Splunk UI. I have confirmed I can see results from ASA. I have installed the TA for ASAs. I have also followed the instructions regarding the TA & SA file & folder configuration, but still nothing.

I am not sure what else to do at this point. Any assistance would be greatly appreciated.

Thank you,
Drew

RSENNETT_SPLUNK: here are the first 15 lines of the props.conf file per your request. I will post an event shortly.

################ Global ####################
#default port is 514
#[source::tcp:514]
#TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
################ ASA ####################
[source::....asa]
sourcetype = cisco:asa
[cisco:asa]
SHOULD_LINEMERGE = false


Re: Cisco Security Suite blank dashboard - What am I missing?

Splunk Employee

There are a couple of things to check.

1 - since you have a custom index, make sure that it is searched by default. Within Splunk, click Settings -> Access controls -> Roles -> choose a role your account belongs to -> scroll to the bottom and observe the indexes searched by default.

This is necessary as the Cisco Security Suite does not specify the index in the searches; rather, we rely on the index being a default searchable index.

As an alternative, you can make a change to eventtypes.conf to include your custom index. All the searches in the Cisco Security Suite specify an eventtype. To do this, copy

$SPLUNK_HOME/etc/apps/SA-cisco-asa/default/eventtypes.conf

To

$SPLUNK_HOME/etc/apps/SA-cisco-asa/local/eventtypes.conf

Modify like so:

[cisco-firewall]
search = index=your_custom_index (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")

2 - since you are sending multiple types of data in on UDP, make sure that you force the sourcetype for Cisco ASA. Here is how to do this:

  • Navigate to the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa directory.
  • Create a new directory named local.
  • Navigate into the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/default directory.
  • Copy the props.conf configuration file and place it into the previously created $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory.
  • Navigate into the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory.
  • Open the props.conf configuration file.
  • Remove the # (comment markers) at the beginning of the lines below in the props.conf file. Note: if you have the data going to a different port or protocol, then make the appropriate adjustments; for example, if you have Cisco ASA data being received on TCP port 515, replace source::udp:514 with source::tcp:515.
    • #[source::udp:514]
    • #TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
  • Save the props.conf configuration file. Restart the Splunk service/daemon.

Re: Cisco Security Suite blank dashboard - What am I missing?

Explorer

Hello and thank you for the response. Sorry for the delay. I had guests all week.

I have verified my index is searched by default. It still was not working, so I tried the second part of #1. Still nothing. I had previously done #2. I double checked all of those settings and found my setup to be correct.

At this point I am at a loss, and my frustration level is rising.

Any other ideas?


Re: Cisco Security Suite blank dashboard - What am I missing?

Splunk Employee

What do you get when you run the following search?

eventtype=cisco-firewall


Re: Cisco Security Suite blank dashboard - What am I missing?

Explorer

When I search with no index specified, I get "no results found." When I search with the custom index specified, I get the same.


Re: Cisco Security Suite blank dashboard - What am I missing?

Splunk Employee

Wow - ok, what sourcetypes are you seeing when you search your custom index?

The eventtype is just looking for data with sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm".


Re: Cisco Security Suite blank dashboard - What am I missing?

Explorer

Hello. That must be the problem. The sourcetype for everything, including ASA logs, is syslog. Now, I just have to figure out why it is doing that, and get it corrected.


Re: Cisco Security Suite blank dashboard - What am I missing?

Splunk Employee

I know that Jason already instructed you to uncomment the monitors (and TRANSFORMS) in props.conf, but can you edit your question to display the top 15 lines of $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local/props.conf please?

Also, if you show us one event containing the %ASA "target", that might help us see whether there is something unexpected happening in the events to cause the regex in the force_sourcetype stanzas in transforms.conf.

What flavor of syslog are you using?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
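The check rsennett asks for above (does the force_sourcetype regex in transforms.conf actually fire on one of your %ASA events?) and the props.conf uncommenting procedure from the first answer can both be dry-run outside Splunk. The following is an added Python example, not code from this thread or from the Splunk_TA_cisco-asa add-on: the regexes are assumed stand-ins for the TA's real force_sourcetype_* transforms, the sample syslog lines are constructed, and the mini props.conf parser only understands the TRANSFORMS- keys this thread is about.

```python
import re

# Constructed sample of what a UDP:514 listener might receive. The first line is
# shaped like an ASA syslog message (it carries the "%ASA-" tag rsennett asks
# about); the second is a generic syslog line from a switch. Neither is from the thread.
SAMPLE_EVENTS = [
    "<166>Jan 10 12:00:01 fw01 : %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.8/51234 (10.0.0.8/51234)",
    "<14>Jan 10 12:00:02 sw01 link-up: GigabitEthernet1/0/1 changed state to up",
]

# Assumed stand-ins for the TA's force_sourcetype_* stanzas (REGEX plus the
# sourcetype written to MetaData:Sourcetype). The real add-on ships its own
# regexes in transforms.conf; these are simplified placeholders for illustration.
TRANSFORMS = {
    "force_sourcetype_for_cisco_asa": (re.compile(r"%ASA-\d-\d+"), "cisco:asa"),
    "force_sourcetype_for_cisco_pix": (re.compile(r"%PIX-\d-\d+"), "cisco:pix"),
    "force_sourcetype_for_cisco_fwsm": (re.compile(r"%FWSM-\d-\d+"), "cisco:fwsm"),
}

# What the UDP input assigns when no transform forces anything: exactly the
# "everything is sourcetype=syslog" symptom reported in this thread.
DEFAULT_SOURCETYPE = "syslog"

# The stanza as copied into local/props.conf with the comment markers still present ...
COMMENTED_PROPS = """\
#[source::udp:514]
#TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
"""

# ... and after the markers are removed as the first answer instructs.
UNCOMMENTED_PROPS = """\
[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
"""


def parse_props(text):
    """Return {stanza: [transform names]} for the TRANSFORMS-* keys in a props.conf-style
    text. Lines starting with '#' are skipped, just as Splunk ignores them, which is why a
    stanza left commented out contributes nothing."""
    mapping = {}
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and stanza and key.strip().startswith("TRANSFORMS-"):
            names = [n.strip() for n in value.split(",") if n.strip()]
            mapping.setdefault(stanza, []).extend(names)
    return mapping


def first_matching_transform(event):
    """Name of the first assumed transform whose regex fires on the event, or None.
    Run this on the one %ASA event you were asked to post: None means the regex is
    the thing to look at, not the index or the eventtype."""
    for name, (pattern, _sourcetype) in TRANSFORMS.items():
        if pattern.search(event):
            return name
    return None


def assign_sourcetypes(events, props_text, source="udp:514"):
    """Sourcetype each event would end up with under the given props.conf text.
    Transforms are tried in listed order; if several match, the later one overwrites
    the sourcetype (they all write the same destination key)."""
    active = parse_props(props_text).get(f"source::{source}", [])
    results = []
    for event in events:
        sourcetype = DEFAULT_SOURCETYPE
        for name in active:
            if name not in TRANSFORMS:
                continue  # a name in props.conf with no matching transforms.conf stanza
            pattern, forced = TRANSFORMS[name]
            if pattern.search(event):
                sourcetype = forced
        results.append(sourcetype)
    return results


if __name__ == "__main__":
    for label, props in (("commented", COMMENTED_PROPS), ("uncommented", UNCOMMENTED_PROPS)):
        print(label, assign_sourcetypes(SAMPLE_EVENTS, props))
    for event in SAMPLE_EVENTS:
        print(first_matching_transform(event), "<-", event[:40])
```

With the stanza still commented out every event stays on the default syslog sourcetype, so eventtype=cisco-firewall matches nothing regardless of which index is searched by default; once the stanza is active, only the event the ASA regex recognises becomes cisco:asa. If your real %ASA event returns None from the regex check, compare its header against the TA's transforms.conf patterns rather than the index settings.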

Re: Cisco Security Suite blank dashboard - What am I missing?

Path Finder

Have you added your "cisco" index to the searched-by-default indexes?


Re: Cisco Security Suite blank dashboard - What am I missing?

Explorer

Hello. We have a custom index, all UDP 514 traffic goes to it, and that index is searched by default.
