hi all,
-------- splunk version: 6.1.4 - build:233537 ----------
-------- cisco security suite App Version: 3.0.3 build:100784 ---------
-------- splunk Add-on for Cisco ASA version 3.1.0 ---------
New to Splunk and struggling to get the Cisco Security Suite to log/show events for our ASA kit. Basically I inherited a "test/live" system without documentation and with a VM not working for quite some time.
Recently the Splunk system has been migrated from a VM Win 2008 R2 to a physical Win 2008 R2 machine and the IP address has been kept the same.
If I go to DATA SUMMARY, I can see data logged up until when I believe the VM was filled up and stopped working.
I have seen a couple of threads and it seems that the problem was resolved by editing the props.conf file....
I would appreciate if someone could provide some assistance on where to start troubleshooting this issue.
These are the first 15 lines of the file props.conf at path $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local (note that none of the entries are commented out in the file)....
[source::tcp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
Is the data from your ASA getting indexed? Try this search to find out:
index=* sourcetype=cisco*
Also, make sure you copied the Cisco ASA supporting add-on (ASA dashboards for the Cisco Security Suite) from:
$SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/appserver/addons/SA-cisco-asa
to:
$SPLUNK_HOME/etc/apps/SA-cisco-asa
You can check your _internal index as well for any issues. Use this search to check _internal:
index=_internal
well...as I had mentioned, totally new to Splunk.
I think either (a) UDP Data Input was not configured on the original VM hosting Splunk or (b) during migration the setting has not migrated.
I have created a new listener and it is now pulling data from the ASA.
By the way, I left it to pull data into main index....Is this okay or should I create a new "dedicated" index for ASA?
Once again thank you for your assistance throughout.
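The root cause in this thread was a missing UDP listener while props.conf still routed source udp:514 to the Cisco transforms. As an added example (not from the thread or from Splunk), the Python script below parses constructed props.conf and inputs.conf text and reports any network source that the Cisco stanzas reference but that no configured input listens on; the inputs.conf content is an assumption built to reproduce that mismatch.

```python
import configparser
import re
# Constructed props.conf text mirroring the stanzas quoted in the question.
PROPS_CONF = """
[source::tcp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
"""

# Constructed (assumed) inputs.conf for the migrated host: only a TCP listener survived the move.
INPUTS_CONF = """
[tcp://514]
sourcetype = syslog
"""
def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; TRANSFORMS-* keys are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def cisco_network_sources(props):
    """Sources like 'udp:514' whose props stanza applies a Cisco TRANSFORMS-* rule."""
    out = set()
    for stanza, keys in props.items():
        m = re.match(r"source::(tcp|udp):(\d+)$", stanza)
        if m and any(k.startswith("TRANSFORMS-") and "cisco" in v for k, v in keys.items()):
            out.add(f"{m.group(1)}:{m.group(2)}")
    return out

def configured_listeners(inputs):
    """Listeners from inputs.conf stanzas such as [udp://514] or [tcp://host:514]."""
    out = set()
    for stanza in inputs:
        m = re.match(r"(tcp|udp)://(?:[^:]+:)?(\d+)$", stanza)
        if m:
            out.add(f"{m.group(1)}:{m.group(2)}")
    return out

def missing_listeners(props_text, inputs_text):
    """Sources props.conf routes to the Cisco transforms but no input listens on."""
    expected = cisco_network_sources(parse_conf(props_text))
    return sorted(expected - configured_listeners(parse_conf(inputs_text)))

if __name__ == "__main__":
    print(missing_listeners(PROPS_CONF, INPUTS_CONF))  # ['udp:514']
```

Run it against the real files under $SPLUNK_HOME/etc/apps/*/local to confirm the listener the routing rules expect actually exists after a migration.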
hi and thank you for taking your time to reply
index=* sourcetype=cisco*
produces results up until June 14 when I believe the VM was still working. Then nothing else.
SA-cisco-asa directory
I have not seen any documentation advising copying to/from (where did you get the info from??)
index=_internal
produces loads of results with today's timestamp, etc
Really struggling to understand ins and outs of Splunk to be fairly honest....
Are you sending your ASA data directly to Splunk or to another system first?
Look at the host field in your _internal index. Does your ASA (or other system receiving ASA syslog if you are using that method) show up there?
The part about copying the SA-cisco-asa directory is documented here -> https://apps.splunk.com/app/525/#/documentation
Thank you for being so helpful
We are sending ASA data direct to Splunk;
Sorry for the noob question but cannot find the "host field" on _internal index;
My mistake, as I had already copied the SA-cisco-asa dir when installing the App
Still no signs of data coming through....
When you perform the "index=_internal" search, you will see a list of interesting fields on the left hand side of the screen. One of those will be "host". You can click on that field to see the values. Alternatively, you can run the following search:
index=_internal | stats count by host
I would run these searches over the past 24 hours.
If you do not see any data coming from your ASA, then the cause is most likely one of the following:
To check if Splunk is set up to receive data, click "settings" in the top right menu bar in Splunk. Then, select "Data inputs". Next, click either "TCP" or "UDP" depending on how your ASA is set up to deliver the data over the network. If nothing shows up, then Splunk is not listening. You can create a new listener by clicking the "New" button.