
Cisco Security Suite not populating

Builder

I've read a couple of posts/answers here.

What I did.

Created a local directory in the TA_cisco-asa app and copied eventtypes, transforms, and props. Upon checking the config files, contrary to the answers on the questions posted here, they were already commented out by default. *the [source::udp::514]

Upon checking the dashboards, they were looking for eventtype=cisco-firewall.

Checked eventtypes.conf and there is no cisco-firewall defined. Like, really? Why? And I thought add-ons would require minimal to no configuration, only enabling some of the metrics.

Current setup is Splunk listening on 514 with sourcetype=syslog.

Thoughts?


Communicator

Unless you make changes to the TA/app you download from Splunkbase or you add some customizations, you don't need a local directory.
From the problem you explained, I believe you are looking at the dashboards in the Security Suite app: https://splunkbase.splunk.com/app/525/.
If you check default/eventtypes.conf, you will see the eventtype "cisco-firewall".
Since you are getting the events with the source type "syslog", you can download the TA for Cisco ASA here:
https://splunkbase.splunk.com/app/1620/.
This one transforms your source type into cisco:asa, which the app is looking for.


Builder

Hello, thank you for the comment. I believe klaxdal already pinpointed my problem, which is the sourcetype not being defined properly. Though you're right about the local folder: since I didn't change any conf files, there's no need for the local one.


Contributor

Pretty sure your source type is incorrect.

Check the index to ensure you are receiving events from the ASA.


Contributor

Source type should be set manually to cisco:asa or cisco_asa (I forget offhand which one works); start with cisco:asa.

You may also want to output the syslogs via TCP, as it's more reliable, and configure a separate index for your Cisco products. See link:

https://answers.splunk.com/answers/174583/cisco-security-suite-add-on-for-cisco-asa-do-i-nee.html


Builder

Yes, you're right. I pre-created the index with the sourcetype as syslog before the integration. :))

If I have to populate the other dashboards in the Cisco suite, say for example the Cisco ESA or WSA, should I create another index and define a new port for logging, as 514 is exclusively for ASA?

Many thanks, btw. I will try this tomorrow and will accept this answer if it works.


Contributor

No need to create another index. I have set this up many times, outputting all my Cisco devices (IPS / ASA / WSA) to the same index.

They can use the same port; however, you want to be aware of the amount of traffic flow, which may require you to break out the traffic on various ports, e.g. TCP 514, TCP 515, etc., and index to a common index to keep things straight (my personal preference), such as index=cisco.

You should be able to simply change the source type on your current configuration by editing the data input to reflect cisco:asa.

BTW, getting the IPS data in can be a challenge due to issues with the Python script and SSL, but we can cross that bridge when you get there.

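The layout described in the answer above (one common index, a TCP listener per Cisco product, the sourcetype fixed on the input) looks like the following in Splunk configuration. This is an added example, not configuration from the thread or from the Cisco TAs; the index name cisco comes from the answer, while the second port (515) and the WSA sourcetype name are assumptions to be checked against the README of whichever TA you install.

```ini
# indexes.conf  (on the indexer; constructed example, not from the thread)
# One common index for all Cisco products, as the answer suggests.
[cisco]
homePath   = $SPLUNK_DB/cisco/db
coldPath   = $SPLUNK_DB/cisco/colddb
thawedPath = $SPLUNK_DB/cisco/thaweddb

# inputs.conf  (on the indexer or heavy forwarder that receives syslog)
# ASA firewalls -> TCP 514. Setting the sourcetype here is what the
# Security Suite dashboards key on: eventtype=cisco-firewall is defined
# over sourcetype=cisco:asa by the TA, so events tagged "syslog" never match.
[tcp://514]
sourcetype      = cisco:asa
index           = cisco
connection_host = ip
disabled        = 0

# Web Security Appliance -> TCP 515, same index, its own sourcetype.
# Port and sourcetype name are assumed; use the value the WSA TA documents.
[tcp://515]
sourcetype      = cisco:wsa:squid
index           = cisco
connection_host = ip
disabled        = 0
```

Two practical checks before blaming the dashboards: binding TCP/UDP 514 on Linux needs root or CAP_NET_BIND_SERVICE, so a Splunk instance running as an unprivileged user will silently fail to listen there (use a port above 1024, or have a syslog daemon such as rsyslog receive on 514 and write files that Splunk monitors); and after the change, `index=cisco sourcetype=cisco:asa | head 5` should return events while `index=cisco sourcetype=syslog` should stop growing. Events that were already indexed as sourcetype=syslog keep that sourcetype; only new data is affected.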

Builder

So, meaning I should define different ports for every new Cisco device, with the same index but with different (correct) sourcetypes, right?


Contributor

One can do that if you're experiencing heavy traffic, depending on the number of devices reporting in. I have never had to go that route, though. I will highly recommend using TCP rather than UDP, though, as it is connection-oriented rather than connectionless; it makes for easier troubleshooting too.


Builder

Hello, klaxdal. So I have already set the sourcetype as cisco:asa, but this will only limit me to monitoring the cisco:asa sourcetypes. I need all the Cisco logs to automatically populate all the dashboards in this app.

Check this link:
https://answers.splunk.com/answers/188473/what-sourcetype-should-i-set-ciscoasa-switch-data.html

It says there that sourcetype=syslog will automatically be redefined with their respective sourcetypes. Thoughts?

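The "syslog gets redefined automatically" behaviour referred to above is an index-time sourcetype rewrite: a transform keyed on the incoming sourcetype matches a pattern in the raw event and overwrites the sourcetype metadata. The following is an added illustration of that mechanism, not the actual props/transforms shipped by the Cisco ASA TA (whose stanza names and regexes may differ). The stanza name force_sourcetype_cisco_asa is invented here; the `%ASA-<severity>-<6-digit id>` prefix is the standard ASA syslog message header.

```ini
# props.conf  (indexer or heavy forwarder, i.e. the parsing tier; a universal
# forwarder does not run transforms)  -- constructed example, not the TA's own
[syslog]
# Applied to every event that arrives with sourcetype=syslog.
TRANSFORMS-force_cisco_asa = force_sourcetype_cisco_asa

# transforms.conf
[force_sourcetype_cisco_asa]
# Match the ASA header, e.g. "%ASA-6-302013:"; PIX/FWSM use the same layout
# with a different product tag, hence the alternation.
REGEX    = %(ASA|PIX|FWSM)-\d-\d{6}:
# Overwrite the sourcetype on match; non-matching syslog events stay "syslog".
FORMAT   = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype
```

Caveat a practitioner should know: the rewrite happens after line breaking and timestamp extraction, so index-time settings defined under [cisco:asa] (LINE_BREAKER, TIME_FORMAT, and so on) are not applied to events that arrived as syslog; only search-time knowledge keyed on cisco:asa (field extractions, tags, eventtypes such as cisco-firewall) will. If the dashboards need index-time settings, set sourcetype=cisco:asa directly on the input instead of relying on the rewrite. A quick verification after restart is `index=cisco sourcetype=cisco:asa eventtype=cisco-firewall | head 5`.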

Contributor

Have you installed the other TAs required for the app and the additional source types?

I have never had to specify anything other than CISCO:ASA and the index in the UDP data setup.

KL
