All Apps and Add-ons

Cisco Security Suite not populating

lloydknight
Builder

I've read a couple of posts/answers here.

What I did.

Created a local directory in the TA_cisco-asa app and copied eventtypes, transforms, and props. Upon checking the config files, contrary to the answers in the posted questions here, they were already commented out by default (the [source::udp::514] one).

Upon checking on the dashboards, they were looking for eventtype=cisco-firewall

Checked eventtypes.conf and no cisco-firewall is defined. Like, really? Why? And I thought add-ons would require minimal to no configuration already, only enabling some of the metrics.

Current setup is Splunk listening on 514 with sourcetype=syslog.

Thoughts?

0 Karma

bheemireddi
Communicator

Unless you make any changes to the TA/app you download from Splunkbase or you add some customizations, you don't need a local directory.
From the problem you explained, I believe you are looking at the dashboards in the Security Suite app: https://splunkbase.splunk.com/app/525/.
If you check default/eventtypes.conf, you will see the eventtype "cisco-firewall".
Since you are getting the events with the source type "syslog", you can download the TA for Cisco ASA here:
https://splunkbase.splunk.com/app/1620/.
This one transforms your source type into cisco:asa which the app is looking for.

0 Karma

lloydknight
Builder

Hello, thank you for the comment. I believe klaxdal already pinpointed my problem, which is the sourcetype not being defined properly. Though you're right about the local folder: since I didn't change any conf files, there's no need for the local one.

0 Karma

klaxdal
Contributor

Pretty sure your source type is incorrect.

Check the index to ensure you are receiving events from the ASA

0 Karma

klaxdal
Contributor

Source type should be set to manual - cisco:asa or cisco_asa (I forget offhand which one works); start with cisco:asa.

You may also want to output the syslogs via TCP as it's more reliable, and configure a separate index for your Cisco products. See link:

https://answers.splunk.com/answers/174583/cisco-security-suite-add-on-for-cisco-asa-do-i-nee.html

0 Karma

lloydknight
Builder

Yes, you're right. I pre-created the index with the sourcetype as syslog before the integration. :))

If I have to populate the other dashboards in the Cisco suite, say for example the Cisco ESA or WSA, should I create another index and define a new port for logging, as 514 is exclusively for ASA?

Many thanks btw, I will try this by tomorrow and will accept this answer if it works.

0 Karma

klaxdal
Contributor

No need to create another index. I have set this up many times, outputting all my Cisco devices (IPS / ASA / WSA) to the same index.

They can use the same port; however, you want to be aware of the amount of traffic flow, which may require you to break out the traffic on various ports, e.g. TCP 514, TCP 515, etc., and index to a common index to keep things straight (my personal preference), such as index=cisco.

You should be able to simply change the source type on your current configuration by editing the data input to reflect cisco:asa.

BTW, getting the IPS data in can be a challenge due to issues with the Python script and SSL, but we can cross that bridge when you get there.

0 Karma
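As an added illustration of the two points made above (bheemireddi's note that the ASA add-on rewrites sourcetype syslog to cisco:asa, and klaxdal's suggestion of TCP listeners per product family feeding one common index), here is a constructed set of Splunk .conf stanzas. This is not configuration from the thread, the Cisco Security Suite app, or the TA_cisco-asa add-on; the stanza names, the regex, the port 515 assignment and the index name are assumptions, and the real add-on's own stanzas may differ.

```ini
# inputs.conf (constructed example): one TCP listener per Cisco product
# family, all landing in a single shared index so dashboards can search
# index=cisco regardless of which device produced the event.
[tcp://514]
sourcetype = cisco:asa
index = cisco
connection_host = ip

[tcp://515]
# Other Cisco products arrive here as generic syslog; a transform below
# still catches any ASA message that was sent to the wrong port.
sourcetype = syslog
index = cisco
connection_host = ip

# props.conf (constructed example): run a sourcetype-override transform on
# every event still tagged "syslog" at index time.
[syslog]
TRANSFORMS-force_cisco_asa = force_cisco_asa_sourcetype

# transforms.conf (constructed example): ASA syslog lines carry a message ID
# such as %ASA-6-302013; when that pattern is present, rewrite the event's
# sourcetype to cisco:asa so the eventtype cisco-firewall matches it.
[force_cisco_asa_sourcetype]
REGEX = %ASA-\d-\d+
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype
```

Because sourcetype overrides are applied at index time, only events received after the restart are affected; a quick check afterwards is `index=cisco | stats count by sourcetype, host`, which should show cisco:asa for the firewall hosts and a non-zero count per device.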

lloydknight
Builder

So meaning, I should define different ports for every new Cisco device, with the same index but with different correct sourcetypes, right?

0 Karma

klaxdal
Contributor

One can do that if you're experiencing heavy traffic, depending on the number of devices reporting in. I have never had to go that route though. I would highly recommend using TCP rather than UDP though, as it is connection-oriented rather than connectionless; makes for easier troubleshooting too.

0 Karma

lloydknight
Builder

Hello, klaxdal. So I have already set the sourcetype as cisco:asa, but this will only limit me to monitoring the cisco:asa sourcetypes. I need all the Cisco logs to automatically populate all the dashboards in this app.

Check this link:
https://answers.splunk.com/answers/188473/what-sourcetype-should-i-set-ciscoasa-switch-data.html

It says there that sourcetype=syslog will automatically be redefined with their respective sourcetype. Thoughts?

0 Karma

klaxdal
Contributor

Have you installed the other TAs required for the app and additional source types?

I have never had to specify anything other than CISCO:ASA and the index in the UDP data setup.

KL

0 Karma