Cisco Security Suite no results

Path Finder

Logged into Splunk after a night and Cisco Security Suite shows no results. I have not made any changes; I restarted the whole server, but it did not help.

My initial investigation included:
1. Searched index="_internal" – no errors
2. Checked if the index dedicated to Cisco is receiving data – OK
3. Searched index="network_cisco" – OK, events are coming up
4. Searched eventtype="cisco-security-events" – no events
5. Searched index="network_cisco" eventtype="cisco-security-events" – OK, events are coming up

It is strange that eventtype="cisco-security-events" shows no results, but when I run index="network_cisco" I see the eventtype cisco-security-events in the left side panel.
Do you have any idea what could have broken the Cisco Security Suite app?

0 Karma
1 Solution

Splunk Employee

You have 2 ways to resolve this:

  1. Make your network_cisco index searchable by default. You can do this by modifying the Role (Settings -> Access Controls -> Roles). Add your network_cisco index to the indexes searched by default.
  2. Create a folder named local within the Splunk_CiscoSecuritySuite directory. Copy eventtypes.conf from Splunk_CiscoSecuritySuite/default to Splunk_CiscoSecuritySuite/local. Then, modify the local/eventtypes.conf file to include your index in the searches.

The first option is easier and will make correlation searches easier, as you don't have to explicitly specify the index when searching.

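To make the two options in the accepted answer concrete, here is an added configuration example (not from the original thread and not the app's own files) showing what each change looks like on disk. The index name network_cisco and the app directory name come from the thread; the role name "user" and the search string in the eventtype stanza are assumptions, and the real search must be copied from the app's default/eventtypes.conf.

```conf
# Option 1: authorize.conf (for example $SPLUNK_HOME/etc/system/local/authorize.conf)
# Add the index to the role's default search set. The "user" role is assumed;
# pick the role your analysts actually hold. The value is a semicolon-separated list.
[role_user]
srchIndexesDefault = main;network_cisco

# Option 2: $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/local/eventtypes.conf
# The stanza name must match the one in default/eventtypes.conf so that the local
# copy overrides it. The search below is an assumed placeholder: copy the real
# search from default/eventtypes.conf and prepend the index term to it.
[cisco-security-events]
search = index=network_cisco <original search copied from default/eventtypes.conf>
```

Restart Splunk (or reload the app configuration) after either change, then re-run the plain eventtype="cisco-security-events" search from the question; it should now return events without an explicit index term. Option 1 widens what the role searches by default for every app, while option 2 only changes this app's eventtypes, so choose based on how broadly the role should see that index.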

Path Finder

THANKS! I used option 1. That was very simple and I couldn't figure this out.

One more question came to my mind, why do I get results for Windows app if the associated index is not added to be searched by default? Is this because Windows App allows you to set the index in local/inputs.conf?

0 Karma

Splunk Employee

A lot of the Windows data is in the main index - which is already searchable by default. Some of the Windows data does write to other indexes though (like perfmon and msad).

0 Karma

Path Finder

I do not have anything in main now. All of the Windows data is being written to indexes such as wineventlog:security etc., but they are not defined in Roles to be searched by default; however, the Windows App is working fine.

0 Karma

Path Finder

I actually did make a change: I changed the index for network devices from main to network_cisco.
I guess this is causing the problem now. Where in the .conf files do I point to the new index?

0 Karma