Hello,
I've installed the TA on my search head only (Distributed deployment).
I send ESA textmail and http logs over TCP syslog, and my heavy forwarder inputs.conf is configured like this:
[tcp://514]
connection_host = dns
index = securityidx
source = maillog
sourcetype = ironport
queueSize = 10MB
I modified the TA local/props.conf on my search head :
######## TextMail Log Extractions ########
[ironport] #instead of [source::...xx]
sourcetype = cisco:esa:textmail
I can see logs coming in with the sourcetype "ironport", but it is not overridden.
What am I doing wrong?
Do I need to install the TA on my indexers as well?
Thanks

rpille is right about which Splunk instances the TA should reside.
Yet the props you've defined on the search head are an input phase configuration. Since the search head is not involved in the input, that configuration is ignored. The source type update via props.conf needs to take place on the heavy forwarder and be scoped to a source, because parsing phase configurations with a sourcetype setting must be scoped to a source.
[source::tcp:514]
sourcetype = cisco:esa:textmail
This extra props stanza may be skipped by updating the local inputs.conf on the heavy forwarder (to set the source type further upstream):
[tcp://514]
sourcetype = cisco:esa:textmail

The Splunk Cisco-esa TA needs to be installed on your HWF, all indexers and the SHs. If you have a dedicated SH for the Splunk Enterprise Security module, the TA needs to be installed there also.

Thank you all for your explanation, but it does not work at all.
So far I've installed the TA on my heavy forwarder and my search head with the same local/props.conf configuration:
[ironport]
rename = cisco:esa:textmail
and the logs are still coming in with sourcetype=ironport.
How can I troubleshoot this? Do I also need to install the TA on my indexer?

That is a search time configuration. It allows knowledge objects to work for both source types.
To have the source type identified correctly for new data as it is indexed, you will need to set the source type correctly on the first machine that does parsing.

My answer above is for indexing the data with the correct source type (cisco:esa:textmail). If you're trying to rename ironport during search time operations (for data already indexed as ironport), you may update your props.conf on the search head with this configuration:
[ironport]
rename = cisco:esa:textmail
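The rules the two answers above rely on (an inputs.conf sourcetype takes effect where the input runs; a props.conf sourcetype override only works in a [source::...] stanza on the first node that parses; rename is search-time only and never changes what was indexed) can be checked mechanically. Below is an added example in Python, written for this thread and not taken from Splunk or the Cisco ESA add-on: a small linter that reads inputs.conf and props.conf text, is told which node type it is looking at, and reports which sourcetype-related settings will actually take effect there. The conf text at the bottom is constructed from the snippets posted in this thread. Two things are assumed rather than taken from the thread: that a TCP input without an explicit source key stamps events with the source "tcp:514" (so the answer's [source::tcp:514] stanza is compared against the source = maillog the question's inputs.conf sets), and that source stanzas are matched literally (real Splunk also accepts wildcards in them).

```python
"""Lint Splunk inputs.conf / props.conf text for sourcetype-override mistakes.

Added example for this thread; not code from Splunk or the Cisco ESA add-on.
Assumed: a network input without `source` stamps '<proto>:<port>' (e.g.
'tcp:514'), and [source::...] stanzas are matched literally (no wildcards).
"""
import re

SOURCE_STANZA = re.compile(r"^(source|host)::(.+)$")
INPUT_STANZA = re.compile(r"^(tcp|udp|splunktcp)://(?:[^:]*:)?(\d+)$")

# Pipeline phases each node type runs (simplified, assumed for this example).
PHASES = {
    "heavy_forwarder": {"input", "parsing"},
    "indexer": {"parsing"},
    "search_head": {"search"},
}


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.
    Trailing '#' comments (as on the question's stanza line) are dropped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")].strip()
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas


def input_sources(inputs):
    """Source values the configured inputs will stamp on events."""
    sources = set()
    for stanza, keys in inputs.items():
        m = INPUT_STANZA.match(stanza)
        if "source" in keys:
            sources.add(keys["source"])
        elif m:  # assumed Splunk default for a network input
            sources.add(f"{m.group(1)}:{m.group(2)}")
    return sources


def audit(role, inputs_text, props_text):
    """Return findings as (file, stanza, key, phase, effective, note)."""
    phases = PHASES[role]
    inputs, props = parse_conf(inputs_text), parse_conf(props_text)
    sources = input_sources(inputs)
    out = []
    for stanza, keys in inputs.items():
        if "sourcetype" in keys:
            ok = "input" in phases
            out.append(("inputs.conf", stanza, "sourcetype", "input", ok,
                        "set at input" if ok else f"{role} runs no inputs; ignored"))
    for stanza, keys in props.items():
        scoped = SOURCE_STANZA.match(stanza)
        if "sourcetype" in keys:
            if not scoped:  # [ironport] / sourcetype = ... never re-assigns
                ok, note = False, "a sourcetype stanza cannot reassign sourcetype; use [source::...]"
            elif "parsing" not in phases:
                ok, note = False, f"{role} does no parsing; ignored"
            elif scoped.group(1) == "source" and scoped.group(2) not in sources:
                ok, note = False, (f"no input emits source {scoped.group(2)!r}; "
                                   f"inputs.conf stamps {sorted(sources)}")
            else:
                ok, note = True, "overrides sourcetype on the first parsing node"
            out.append(("props.conf", stanza, "sourcetype", "parsing", ok, note))
        if "rename" in keys:  # search-time alias, indexed value unchanged
            ok = "search" in phases
            out.append(("props.conf", stanza, "rename", "search", ok,
                        "search-time alias only; indexed sourcetype is unchanged"))
    return out


# Constructed conf text mirroring the snippets posted in this thread.
OP_INPUTS = "[tcp://514]\nconnection_host = dns\nindex = securityidx\nsource = maillog\nsourcetype = ironport\n"
OP_SH_PROPS = "[ironport] #instead of [source::...xx]\nsourcetype = cisco:esa:textmail\n"
ANSWER_PROPS = "[source::tcp:514]\nsourcetype = cisco:esa:textmail\n"
FIXED_PROPS = "[source::maillog]\nsourcetype = cisco:esa:textmail\n"
RENAME_PROPS = "[ironport]\nrename = cisco:esa:textmail\n"

if __name__ == "__main__":
    cases = [
        ("search head, question's props", "search_head", "", OP_SH_PROPS),
        ("heavy forwarder, answer's props", "heavy_forwarder", OP_INPUTS, ANSWER_PROPS),
        ("heavy forwarder, source matching inputs.conf", "heavy_forwarder", OP_INPUTS, FIXED_PROPS),
        ("search head, rename", "search_head", "", RENAME_PROPS),
    ]
    for label, role, inp, prp in cases:
        print(f"== {label}")
        for f, stanza, key, phase, ok, note in audit(role, inp, prp):
            print(f"  {f} [{stanza}] {key}: {'OK' if ok else 'NO EFFECT'} ({phase}) - {note}")
```

Run as-is, the four cases reproduce the thread: the [ironport] stanza on the search head has no effect, the [source::tcp:514] stanza on the heavy forwarder is correctly placed but does not match because inputs.conf sets source = maillog, a [source::maillog] stanza does take effect, and rename only works at search time.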

You need to install the add-on on your data collection node as well.
This table can be a bit confusing, but the comments column should help make clear that the add-on should be installed where you are collecting data, whatever node of your deployment that might be:
http://docs.splunk.com/Documentation/AddOns/released/CiscoESA/Distributeddeployment
Only if you do not use a heavy forwarder for data collection do you also need to install this add-on on your indexers, but you should be fine without it there in your case.
