I am trialing Splunk 6.4.2 on a single-instance CentOS 7 server and am having some issues with viewing any events in the "firewall event search" view. Investigation has found that I do not have any data with eventtype=cisco-firewall, which is required for these views. I have checked the Cisco ASA add-on and that is populating plenty of data with sourcetype=cisco:asa; however, none of it is being marked as the correct event type. I have checked the Security Suite eventtype.conf file and that appears to be correct. Is it possible that it is conflicting with another app/add-on?
For data with sourcetype=cisco:asa I have the following event types:
cisco_connection
cisco_vpn
cisco_authentication
cisco_vpn_end
cisco_vpn_start
In addition to Cisco Security Suite I am running:
Cisco AnyConnect NVM
Cisco Networks add-on
Cisco Networks App
Cisco Add-on for ASA
Cisco Add-on for ESA
Cisco Add-on for ISE
Cisco App for ISE
Any assistance would be greatly appreciated.
Hi Bwooden,
Thanks for the reply and assistance. To answer your questions, I am running the latest versions of all software, so CSS 3.1.2 and ASA add-on 3.2.6.
Since posting the question I have, however, been able to resolve the issue. It turns out the problem was with the syslog data being sent from the ASA. The ASA was configured to only send logs of severity level "warning" or above (logging trap warning). After changing it to "logging trap debugging" I am now receiving data with eventtype=cisco-firewall and the dashboard views are being populated. I haven't tried it yet, but possibly an ASA severity logging level of "informational" may also populate the data.
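The cause described above can be confirmed from the receiving side by profiling the severity digit in the `%ASA-<severity>-<message id>` tag of the events that actually arrive. The following is an added example, not part of the original posts or of any Cisco or Splunk app; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# ASA syslog severities, as named by the "logging trap <level>" keyword.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational",
            7: "debugging"}

# Every ASA message carries a tag of the form %ASA-<severity>-<message id>.
ASA_TAG = re.compile(r"%ASA-([0-7])-(\d+)")

def severity_profile(lines):
    """Map each severity seen to a Counter of the message IDs at that level."""
    profile = {}
    for line in lines:
        m = ASA_TAG.search(line)
        if m:
            profile.setdefault(int(m.group(1)), Counter())[m.group(2)] += 1
    return profile

def effective_trap_level(profile):
    """Most verbose severity observed: a lower bound on the configured level."""
    return SEVERITY[max(profile)] if profile else None

def absent_levels(profile):
    """Severities more verbose than anything received so far."""
    top = max(profile, default=-1)
    return [SEVERITY[s] for s in range(top + 1, 8)]

# Constructed sample lines (documentation addresses), not real captures.
TRAP_WARNING = [
    "<162>%ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/51515 to 192.0.2.10/23 flags SYN on interface outside",
    "<163>%ASA-3-710003: TCP access denied by ACL from 198.51.100.7/40100 to outside:203.0.113.1/22",
    '<164>%ASA-4-106023: Deny tcp src outside:198.51.100.7/51516 dst inside:192.0.2.10/22 by access-group "outside_in" [0x0, 0x0]',
]
TRAP_DEBUGGING = TRAP_WARNING + [
    "<166>%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51517 (198.51.100.7/51517) to inside:192.0.2.10/443 (192.0.2.10/443)",
    "<166>%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/51517 to inside:192.0.2.10/443 duration 0:00:05 bytes 4120 TCP FINs",
    "<167>%ASA-7-609001: Built local-host inside:192.0.2.10",
]

if __name__ == "__main__":
    for name, sample in (("trap warning", TRAP_WARNING), ("trap debugging", TRAP_DEBUGGING)):
        p = severity_profile(sample)
        print(f"{name}: highest level seen={effective_trap_level(p)}, never seen={absent_levels(p)}")
        for sev in sorted(p):
            print(f"  {sev} {SEVERITY[sev]:<14} ids={sorted(p[sev])}")
```

The message IDs listed per level can then be compared with the search string of the event type in question to see which severities it depends on.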
Great! Thank you for the update.
Hi crbrown68. A bit more information may help troubleshoot this issue.
1) What version of Cisco Security Suite are you presently using?
2) What version of the ASA Add-on are you presently using?
3) What is the output of this command in your Splunk environment?
$SPLUNK_HOME/bin/splunk btool --debug eventtypes list cisco-firewall