All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problems with Cisco Security Suite not parsing fields correctly.

yumology
Path Finder
‎04-22-2011 10:06 AM

I am running 4.2 build 96430. I have Cisco Security Suite 1.0.0 installed as an App.

I am sending a lot of Cisco ASA and PIX firewall data to Splunk. The hosts are showing up and the sourcetype is cisco_syslog, but it does not parse any of the fields correctly. For instance, I can't search on src_ip or eventtype=firewall-deny.

I have found that a workaround to this is to uninstall the Suite and install the individual packages within it, like Splunk for Cisco Firewalls. Can someone tell me how to get the Suite working?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎04-22-2011 10:24 AM

yumology,

The Cisco Security Suite app provides navigation and dashboard/report components on top of data collected by the individual Cisco add-ons. Cisco Security Suite is dependent on individual Cisco add-ons such as Cisco Firewalls to bring data in and normalize it correctly. If you are not interested in the dashboards/reports provided by the Suite and just want to leverage things like eventtypes and field extractions, you can opt to just run the add-ons.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yumology
Path Finder
‎04-22-2011 10:49 AM

Hazedav: That absolutely solved my question. Thanks, however, now I'm hitting a new problem. I had Splunk for Cisco Firewalls and Splunk for Cisco IPS apps already installed. Upon trying to install the Suite again I had this error during setup:

Your entry was not saved. The following error was reported: Invalid JSON:




{"status": "OK", "msg": "Successfully updated \"Splunk_CiscoSecuritySuite\". ", "redirect": ""} .

And when I navigate to the app itself in Splunk to see the cool reports and graphs I get errors on each pane like:

Unable to find eventtype ironport'

Error loading file: Error loading file: /static/app/Splunk_CiscoSecuritySuite/ammap/realtime_ammap_settings.xml

Results Error: Error #2032

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎04-22-2011 10:58 AM

I have not seen this before. I would definitely get this to support@splunk.com

0 Karma
Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎04-22-2011 10:24 AM

yumology,

The Cisco Security Suite app provides navigation and dashboard/report components on top of data collected by the individual Cisco add-ons. Cisco Security Suite is dependent on individual Cisco add-ons such as Cisco Firewalls to bring data in and normalize it correctly. If you are not interested in the dashboards/reports provided by the Suite and just want to leverage things like eventtypes and field extractions, you can opt to just run the add-ons.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top