- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Problems with Cisco Security Suite not parsing...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am running 4.2 build 96430. I have Cisco Security Suite 1.0.0 installed as an App.
I am sending a lot of Cisco ASA and PIX firewall data to Splunk. The hosts are showing up and the sourcetype is cisco_syslog, but it does not parse any of the fields correctly. For instance, I can't search on src_ip or eventtype=firewall-deny.
I have found that a workaround to this is to uninstall the Suite and install the individual packages within it, like Splunk for Cisco Firewalls. Can someone tell me how to get the Suite working?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yumology,
The Cisco Security Suite app provides navigation and dashboard/report components on top of data collected by the individual Cisco add-ons. Cisco Security Suite is dependent on individual Cisco add-ons such as Cisco Firewalls to bring data in and normalize it correctly. If you are not interested in the dashboards/reports provided by the Suite and just want to leverage things like eventtypes and field extractions, you can opt to just run the add-ons.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hazedav: That absolutely solved my question. Thanks, however, now I'm hitting a new problem. I had Splunk for Cisco Firewalls and Splunk for Cisco IPS apps already installed. Upon trying to install the Suite again I had this error during setup:
Your entry was not saved. The following error was reported: Invalid JSON:
{"status": "OK", "msg": "Successfully updated \"Splunk_CiscoSecuritySuite\". ", "redirect": ""} .
And when I navigate to the app itself in Splunk to see the cool reports and graphs I get errors on each pane like:
Unable to find eventtype ironport'
Error loading file: Error loading file: /static/app/Splunk_CiscoSecuritySuite/ammap/realtime_ammap_settings.xml
Results Error: Error #2032
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have not seen this before. I would definitely get this to support@splunk.com
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yumology,
The Cisco Security Suite app provides navigation and dashboard/report components on top of data collected by the individual Cisco add-ons. Cisco Security Suite is dependent on individual Cisco add-ons such as Cisco Firewalls to bring data in and normalize it correctly. If you are not interested in the dashboards/reports provided by the Suite and just want to leverage things like eventtypes and field extractions, you can opt to just run the add-ons.
Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...
Preparing your Splunk Environment for OpenSSL3
Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector
