Logged into Splunk after the night and Cisco Security Suite shows no results. I have not made any changes; I restarted the whole server but it did not help.
My initial investigation included:
1. Searched index="_internal" – no errors
2. Checked if index dedicated for cisco is receiving data – OK
3. Searched index="network_cisco" – OK, events are coming up
4. Searched eventtype="cisco-security-events" – no events
5. Searched index="network_cisco" eventtype="cisco-security-events" – OK events are coming up
It is strange that eventtype="cisco-security-events" shows no results, but when I run index="network_cisco" I see the eventtype cisco-security-events in the left side panel.
Do you have any idea what could have broken the Cisco Security Suite app?
You have 2 ways to resolve this:
The first option is easier and will let you do correlation searches more easily, as you don't have to explicitly specify the index when searching.
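As an added illustration, not part of the original answer: the thread never shows the two options themselves, but the follow-up posts indicate that the first is to add the index to the role's indexes searched by default, and the second is to put the index into the search itself. The config below shows both. The role name `user`, the app path and the eventtype's search terms are assumptions; the index names come from the thread.

```ini
# Added example, not from the original thread. Two ways to make an
# unqualified eventtype="cisco-security-events" search return events after
# the Cisco data moved from main to network_cisco. The role name "user"
# and the eventtype's search terms are assumptions.

# Option 1 (inferred from the follow-up posts): add network_cisco to the
# indexes the role searches by default, so a search without an explicit
# index= clause still covers it. An index must also be in
# srchIndexesAllowed for the role to search it at all.
# File: $SPLUNK_HOME/etc/system/local/authorize.conf
[role_user]
srchIndexesAllowed = main;network_cisco
srchIndexesDefault = main;network_cisco

# Option 2: pin the index inside the eventtype definition so it no longer
# depends on any role's defaults. Override the shipped eventtype in the
# app's local/ directory (assumed path), keeping the original search
# terms after the index clause.
# File: $SPLUNK_HOME/etc/apps/<cisco security suite app>/local/eventtypes.conf
[cisco-security-events]
search = index=network_cisco <existing search terms of the eventtype>
```

The same role change can be made in Splunk Web under Settings > Access controls > Roles, in the "Indexes searched by default" list. Either way, confirm what actually took effect with `splunk btool authorize list role_user --debug` or `splunk btool eventtypes list cisco-security-events --debug` (both print the file each setting came from), then re-run `eventtype="cisco-security-events" | stats count` to check that events now appear without an index= clause.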
THANKS! I used option 1. That was very simple and I couldn't figure this out.
One more question came to my mind: why do I get results for the Windows app if the associated index is not added to be searched by default? Is this because the Windows App allows you to set the index in local/inputs.conf?
A lot of the Windows data is in the main index - which is already searchable by default. Some of the Windows data does write to other indexes though (like perfmon and msad).
I do not have anything in main now. All of the Windows data is being written to indexes such as wineventlog:security etc., but they are not defined in Roles to be searched by default; however, the Windows App is working fine.
I actually did make a change: I changed the index for network devices from main to network_cisco.
I guess this is causing the problem now. Where in the .conf files do I point to the new index?