Are there default configuration files that you can share so that the data gets populated in the default reports/dashboard tiles once we inject cisco ASA/PIX/FWSM/IPS/ironport(web) data?
I need info on how to configure the files listed below so that the various firewall/ironport(web)dashboards & report data for the cisco security app get populated.
[root@splunk default]# ls -ltr
total 44
-rw-------. 1 root root 44 Jan 16 13:40 transforms.conf
-rw-------. 1 root root 18310 Jan 16 13:40 savedsearches.conf
-rw-------. 1 root root 59 Jan 16 13:40 props.conf
-r--------. 1 root root 0 Jan 16 13:40 eventtypes.conf
drwx--x--x. 3 root root 4096 Jan 16 13:40 data
-r--------. 1 root root 315 Jan 16 13:40 viewstates.conf
-r--------. 1 root root 61 Jan 16 13:40 macros.conf
-rw-------. 1 root root 546 Jan 16 13:40 app.conf
In order for WSA to work with the Cisco Security Suite, you need to copy the TA-cisco-wsa and SA-cisco-wsa directories to $SPLUNK_HOME/etc/apps. Your directory structure should look like this when finished:
$SPLUNK_HOME/etc/apps/SA-cisco-wsa
$SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite
$SPLUNK_HOME/etc/apps/TA-cisco-wsa
The TA-cisco-wsa and SA-cisco-wsa directories are located in Splunk_CiscoSecuritySuite/appserver/addons