Unable to see Cisco firewall events in Cisco Security Suite

New Member

I am trialing Splunk 6.4.2 on a single-instance CentOS 7 server and am having some issues with viewing any events in the "firewall event search" view. Investigation has found that I do not have any data with eventtype=cisco-firewall, which is required for these views. I have checked the Cisco ASA add-on and that is populating plenty of data with sourcetype=cisco:asa; however, none of it is being marked as the correct event type. I have checked the Security Suite eventtype.conf file and that appears to be correct. Is it possible that it is conflicting with another app/add-on?

For data with sourcetype=cisco:asa I have the following event types:

In addition to Cisco Security Suite I am running:
Cisco AnyConnect NVM
Cisco Networks add-on
Cisco Networks App
Cisco Add-on for ASA
Cisco Add-on for ESA
Cisco Add-on for ISE
Cisco App for ISE

Any assistance would be greatly appreciated.

New Member

Hi Bwooden,
Thanks for the reply and assistance. To answer your questions, I am running the latest versions of all software, so CSS 3.1.2 and ASA add-on 3.2.6.
Since posting the question I have, however, been able to resolve the issue. It turns out the problem was with the syslog data being sent from the ASA. The ASA was configured to only send logs of severity level "warning" or above (logging trap warning). After changing it to "logging trap debugging" I am now receiving data with eventtype=cisco-firewall and the dashboard views are being populated. I haven't tried it yet, but possibly an ASA severity logging level of "informational" may also populate the data.

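The fix described in the reply above comes down to how the ASA's "logging trap" level gates what ever leaves the firewall: every ASA syslog line carries its severity in the header (%ASA-severity-messageid), and "logging trap warning" forwards only severity 0 through 4, so the level 5, 6 and 7 messages (connection built/teardown, translations, AAA, and so on) never reach Splunk and nothing is there for the eventtype to match. The following is an added example, not code from the thread or from Splunk or Cisco; the sample syslog lines are constructed for the example, and the ASA header format and the severity-keyword-to-number mapping are standard Cisco ASA behaviour. It parses the header, applies a given trap level, and shows how many lines each level would let through so an operator can check log coverage before blaming the app.

```python
"""Model how the Cisco ASA 'logging trap <level>' setting gates which syslog
messages reach a collector such as Splunk.

Added example, not part of the forum thread. The sample lines below are
constructed; the %ASA-<severity>-<msgid> header format and the severity
keywords are standard ASA behaviour. 'logging trap <level>' forwards a
message only when its numeric severity is <= the configured level, where
0 = emergencies ... 7 = debugging.
"""
import re
from collections import Counter

# ASA severity keywords and their numeric levels (lower number = more severe).
ASA_SEVERITY_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Header of an ASA syslog line, e.g. "%ASA-6-302013:". Older platforms emit
# %PIX- or %FWSM- prefixes, so accept those too.
ASA_HEADER_RE = re.compile(r"%(?:ASA|PIX|FWSM)-(?P<severity>[0-7])-(?P<msgid>\d{6}):")

# Constructed sample lines (RFC 5737 / RFC 1918 addresses), covering several
# severities plus one non-ASA line that a collector would also see.
SAMPLE_LINES = [
    'Jul 12 2016 10:15:01 asa01 : %ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 '
    'dst inside:10.0.0.10/445 by access-group "outside_in" [0x0, 0x0]',
    "Jul 12 2016 10:15:02 asa01 : %ASA-6-302013: Built inbound TCP connection 12345 for "
    "outside:203.0.113.6/40000 (203.0.113.6/40000) to inside:10.0.0.20/443 (10.0.0.20/443)",
    "Jul 12 2016 10:15:03 asa01 : %ASA-6-302014: Teardown TCP connection 12345 for "
    "outside:203.0.113.6/40000 to inside:10.0.0.20/443 duration 0:00:01 bytes 4096 TCP FINs",
    "Jul 12 2016 10:15:04 asa01 : %ASA-6-305011: Built dynamic TCP translation from "
    "inside:10.0.0.20/50000 to outside:198.51.100.1/50000",
    "Jul 12 2016 10:15:05 asa01 : %ASA-5-111008: User 'admin' executed the "
    "'logging trap debugging' command.",
    "Jul 12 2016 10:15:06 asa01 : %ASA-7-710005: UDP request discarded from "
    "10.0.0.30/137 to inside:10.0.0.255/137",
    "Jul 12 2016 10:15:07 asa01 : %ASA-3-106014: Deny inbound icmp src outside:203.0.113.7 "
    "dst inside:10.0.0.10 (type 8, code 0)",
    "Jul 12 2016 10:15:09 host01 sshd[1234]: Accepted publickey for ops from 10.0.0.50 port 50022 ssh2",
]


def parse_asa_header(line):
    """Return (severity, message_id) for an ASA syslog line, or None if it is not one."""
    m = ASA_HEADER_RE.search(line)
    if m is None:
        return None
    return int(m.group("severity")), m.group("msgid")


def trap_level_number(level):
    """Resolve a 'logging trap' argument (number, or a keyword such as 'warning',
    which the ASA CLI accepts as an abbreviation of 'warnings') to 0..7."""
    if isinstance(level, int):
        if 0 <= level <= 7:
            return level
        raise ValueError(f"severity out of range: {level}")
    matches = [num for name, num in ASA_SEVERITY_LEVELS.items()
               if name.startswith(level.lower())]
    if len(matches) != 1:
        raise ValueError(f"unknown or ambiguous severity keyword: {level!r}")
    return matches[0]


def forwarded_by_trap(lines, trap_level):
    """Lines the ASA would actually send to syslog at the given trap level.
    Non-ASA lines are ignored, since the trap setting does not apply to them."""
    limit = trap_level_number(trap_level)
    kept = []
    for line in lines:
        parsed = parse_asa_header(line)
        if parsed is not None and parsed[0] <= limit:
            kept.append(line)
    return kept


def dropped_by_trap(lines, trap_level):
    """ASA lines silenced by the trap level: what the collector never sees."""
    forwarded = set(forwarded_by_trap(lines, trap_level))
    return [l for l in lines if parse_asa_header(l) is not None and l not in forwarded]


def severity_histogram(lines):
    """Count ASA lines per severity, useful for a quick coverage check on a sample."""
    return dict(Counter(p[0] for p in map(parse_asa_header, lines) if p is not None))


if __name__ == "__main__":
    print("severity histogram:", severity_histogram(SAMPLE_LINES))
    for level in ("warning", "informational", "debugging"):
        kept = forwarded_by_trap(SAMPLE_LINES, level)
        lost = dropped_by_trap(SAMPLE_LINES, level)
        print(f"logging trap {level:<13}: {len(kept)} forwarded, {len(lost)} dropped")
```

Run against a real sample of the ASA's own "show logging" buffer, the histogram shows immediately whether the connection-tracking messages (severity 6 in the sample) exist on the box but are being cut off by the trap level; that is the gap the reply above closed by moving from "warning" to "debugging". The same check also makes the cost of "debugging" visible, since level 7 messages such as the discarded-UDP line add volume without adding much to a firewall dashboard.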
Splunk Employee

Great! Thank you for the update.

Splunk Employee

Hi crbrown68. A bit more information may help troubleshoot this issue.

1) What version of Cisco Security Suite are you presently using?
2) What version of the ASA Add-on are you presently using?

3) What is the output of this command in your Splunk environment?

$SPLUNK_HOME/bin/splunk btool --debug eventtypes list cisco-firewall