I installed Cisco Security Suite (3.1.1) on Splunk Enterprise 6.4.1, and when I try to set it up by going to app management > set up (under Actions of Cisco Security Suite), I get a 404 error:
I have installed all the required add-ons and restarted Splunk and checked all other aspects of it. However, I did not set up the Firesight, IPS, or ISE add-ons as I do not have those appliances in my infrastructure and I just wanted to run through the setup process as a trial before I do it in production.
Any idea why this is?
I received this error on a 6.5.2 Splunk Server where the default management port had been changed. After setting the management port back to 8089 the app worked as expected. I suspect somewhere in the app there is something hard coded that should not be which causes this issue.
webui > settings > show all settings
The setup assumes that you have very little data in your Splunk environment and does an 'open' search against your default indexes for any of the sourcetypes it's looking for. In a large environment, these searches will take longer than the timeout (hence the suggestions to increase the timeout in the answers above).
If you are in a large environment, I would highly recommend directly editing Splunk_CiscoSecuritySuite/bin/css_setup_handler.py to make the searches a little more restrictive (e.g. add in an index clause to help setup find what it's looking for), or simply pull all the searches and set the flags directly (e.g. alter the lines looking like info['asa_count'] = 0 to = 1 instead where a feature should be installed).
Also note that the app does not appear to be SHC compliant - so the setup needs to be run on each node.
You're the only person that gave this explanation. Everyone else just suggested increasing the splunkdConnectionTimeout in web.conf.
I commented out the searches for the sourcetypes that I don't care about and added the relevant index to the sourcetype(s) I do care about, and that worked like a charm.
Thank you!
Hi nhdpotter,
This was the case with me as well. As soon as I changed the management port back to 8089 it worked 🙂
Thanks for the reply.
Note: I'm the same guy who posted the question. But for some internal unknown account/identity screw up I lost access to my account and had to create this new one; lost all history from answers.splunk.com.
How to change the management port to 8089? Please help, as I received the same error.
Hi madura.eleperuma,
there is a new version 3.1.2 at https://splunkbase.splunk.com/app/525/ and it works just fine on Splunk 6.4.2.
Hope this helps ...
cheers, MuS
I upgraded to 3.1.2 on Splunk Enterprise 6.4.1 and still it's the same. I don't think upgrading Splunk to just one minor version would result in a big difference.
Anyone had success with setting up the latest version of Cisco Security Suite on Splunk 6.4.x?
What happens if you adapt this link to your server name
http://YourSplunkServerNameHere:Port/en-US/manager/Splunk_CiscoSecuritySuite/apps/local/Splunk_Cisco...
and try it? Looking at your posted error, you were accessing /manager/search/apps/local?search=cisco&count=25.... the rest is missing, but this would indicate a search within the Splunk Apps UI. Even when doing this here
http://MySplunkServerNameHere:8000/en-US/manager/search/apps/local?search=cisco&count=25
and clicking on Set up, it works perfectly.
Check your splunkd.log and the web_access.log to see what is happening when you try to set up the app.
cheers, MuS
Hi
Change the following line in /opt/splunk/etc/system/local/web.conf
"#default timeout, in seconds, when communicating with splunkd"
splunkdConnectionTimeout = 1400
I tried this, but still the same 😞
splunkdConnectionTimeout = 1200 worked for me.
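The two causes reported in this thread (a management port other than 8089, and a splunkdConnectionTimeout too short for the setup searches) can both be checked from web.conf before retrying the setup page. The script below is an added example, not code from the thread or from the app; the sample conf text is constructed, the function names are hypothetical, and the merge is a simplification that only layers a local file over a default file and ignores app-level web.conf files.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, skipping comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective_settings(default_text, local_text):
    """Merge the [settings] stanza; local overrides default (simplified layering)."""
    merged = dict(parse_conf(default_text).get("settings", {}))
    merged.update(parse_conf(local_text).get("settings", {}))
    return merged

def check(settings, min_timeout):
    """Return one finding per cause discussed in the thread."""
    findings = []
    port = settings.get("mgmtHostPort", "").rsplit(":", 1)[-1]
    if port != "8089":
        findings.append(f"management port is {port or 'unset'}, not 8089")
    timeout = int(settings.get("splunkdConnectionTimeout", "0"))
    if timeout < min_timeout:
        findings.append(f"splunkdConnectionTimeout={timeout} is below {min_timeout}")
    return findings

# Constructed sample input standing in for system/default and system/local web.conf.
DEFAULT_CONF = """
[settings]
mgmtHostPort = 127.0.0.1:8089
splunkdConnectionTimeout = 30
"""
LOCAL_CONF = """
# constructed local override
[settings]
mgmtHostPort = 127.0.0.1:8090
"""

if __name__ == "__main__":
    merged = effective_settings(DEFAULT_CONF, LOCAL_CONF)
    for finding in check(merged, min_timeout=1200):
        print(finding)
```

On a real server, `splunk btool web list settings` shows the merged values with full precedence applied; the threshold passed as `min_timeout` is whatever value you decide the setup searches need.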