
Where is the documentation for the new Cisco Security Suite 3.0?

Dimitri_McKay
Splunk Employee

The website tells me to check inside the app. I've downloaded the app, but the only readme file I can find (when I download the app to my drive, unzip it, and open the folder) is ages old. Where is the documentation?


Dimitri_McKay
Splunk Employee

Excellent question, Dimitri. Disregard the readme file in the root of the app. To get to the proper documentation, you'll have to INSTALL the app into Splunk, and then when you open the app while in the Splunk UI, you can find the "getting started" documentation there. I've posted the "getting started" bits below, though this may change as the app is updated. Also, you can find additional documentation if you drill into /etc/apps/Splunk_CiscoSecurity/appserver/addons; then, under either TA-cisco-WSA, SA-cisco-asa or SA-cisco-wsa, you'll find the readme.txt that outlines the different add-ons.

Getting Started
Welcome to the Cisco Security Suite for Splunk

This application for Splunk Enterprise 6 covers Cisco Firewalls and the Web Security Appliance. Firewalls include the Cisco ASA 5500 series, FWSM 3.x and 4.x, and Cisco PIX 5.0 and higher.

This is a complete re-write of the Cisco Security Suite to take advantage of the Common Information Model (CIM), and it is designed to be compatible with the data models in the CIM app and Enterprise Security 3.x.

If you are upgrading, you will need to understand exactly what changes have been made to the underlying data so that you can decide how to deal with the old data. Please refer to the Upgrading page for more information.

There are two modules supplied with this suite: Cisco Firewalls and Cisco WSA Web Security. For each module, there are additional apps that need to be installed prior to continuing. Each module has a Technology Add-on that deals with data ingestion and knowledge management, plus a Supporting Add-on that supplies the dashboards. You can install the appropriate apps for the modules you need.

For example, if you don't need the Cisco WSA Web Security module, don't install the apps for it. Most of the supporting apps are provided with this Suite and are located in $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/appserver/addons

Copy the directories for the modules you want to enable into $SPLUNK_HOME/etc/apps and restart the server. The Technology Add-on for Cisco Firewalls is available from Splunkbase and is the same module that is used for Enterprise Security 3.

After you have installed the modules, documentation for the module configuration will appear in the Documentation menu item. After you have restarted, come back to the documentation to complete the configuration. If you want to query the Cisco Security Suite using Data Models, then download and install the Common Information Model app.
