All Apps and Add-ons

Problems with Cisco Security Suite not parsing fields correctly.

Path Finder

I am running 4.2 build 96430. I have Cisco Security Suite 1.0.0 installed as an App.

I am sending a lot of Cisco ASA and PIX firewall data to Splunk. The hosts are showing up and the sourcetype is cisco_syslog, but it does not parse any of the fields correctly. For instance, I can't search on src_ip or eventtype=firewall-deny.

I have found that a workaround to this is to uninstall the Suite and install the individual packages within it, like Splunk for Cisco Firewalls. Can someone tell me how to get the Suite working?

0 Karma
1 Solution

Builder

yumology,

The Cisco Security Suite app provides navigation and dashboard/report components on top of data collected by the individual Cisco add-ons. Cisco Security Suite is dependent on individual Cisco add-ons such as Cisco Firewalls to bring data in and normalize it correctly. If you are not interested in the dashboards/reports provided by the Suite and just want to leverage things like eventtypes and field extractions, you can opt to just run the add-ons.

View solution in original post

0 Karma

Path Finder

Hazedav: That absolutely solved my question. Thanks, however, now I'm hitting a new problem. I had Splunk for Cisco Firewalls and Splunk for Cisco IPS apps already installed. Upon trying to install the Suite again I had this error during setup:

Your entry was not saved. The following error was reported: Invalid JSON:




{"status": "OK", "msg": "Successfully updated \"Splunk_CiscoSecuritySuite\". ", "redirect": ""} .

And when I navigate to the app itself in Splunk to see the cool reports and graphs I get errors on each pane like:

Unable to find eventtype ironport'

Error loading file: Error loading file: /static/app/Splunk_CiscoSecuritySuite/ammap/realtime_ammap_settings.xml

Results Error: Error #2032

0 Karma

Builder

I have not seen this before. I would definitely get this to support@splunk.com

0 Karma

Builder

yumology,

The Cisco Security Suite app provides navigation and dashboard/report components on top of data collected by the individual Cisco add-ons. Cisco Security Suite is dependent on individual Cisco add-ons such as Cisco Firewalls to bring data in and normalize it correctly. If you are not interested in the dashboards/reports provided by the Suite and just want to leverage things like eventtypes and field extractions, you can opt to just run the add-ons.

View solution in original post

0 Karma