Why am I getting a 404 error when I try to set up Cisco Security Suite 3.1.1 in Splunk Enterprise 6.4.1?

madura_eleperum
Explorer

I installed Cisco Security Suite (3.1.1) on Splunk Enterprise 6.4.1, and when I try to set it up by going to app management > set up (under Actions of Cisco Security Suite), I get a 404 error:

I have installed all the required add-ons and restarted Splunk and checked all other aspects of it. However, I did not set up the Firesight, IPS, or ISE add-ons as I do not have those appliances in my infrastructure and I just wanted to run through the setup process as a trial before I do it in production.

Any idea why this is?

1 Solution

nhdpotter
Explorer

I received this error on a 6.5.2 Splunk Server where the default management port had been changed. After setting the management port back to 8089 the app worked as expected. I suspect somewhere in the app there is something hard coded that should not be, which causes this issue.

xsstest
Communicator

webui > settings > show all settings

0 Karma

jimmoriarty
Path Finder

The setup assumes that you have very little data in your Splunk environment - and does an 'open' search against your default indexes for any of the sourcetypes it's looking for - in a large environment, these searches will take longer than the timeout (hence the suggestions to increase the timeout in the answers above).

If you are in a large environment, I would highly recommend directly editing Splunk_CiscoSecuritySuite/bin/css_setup_handler.py to make the searches a little more restrictive (e.g. add in an index clause to help setup find what it's looking for), or simply pull all the searches and set the flags directly (e.g. alter the lines looking like info['asa_count'] = 0 to = 1 instead where a feature should be installed).

Also note that the app does not appear to be SHC compliant - so the setup needs to be run on each node.

0 Karma

dfqobvbkmnpi
Explorer

you're the only person that gave this explanation. everyone else just suggested increasing the splunkdConnectionTimeout in web.conf.

i commented out the searches for the sourcetypes that i don't care about and added the relevant index to the sourcetype(s) i do care about and that worked like a charm.

thank you!

0 Karma

meleperuma
Explorer

Hi nhdpotter,

This was the case with me as well. As soon as I changed the management port back to 8089 it worked 🙂

Thanks for the reply.

Note: I'm the same guy who posted the question. But for some internal unknown account/identity screw up I lost access to my account and had to create this new one; lost all history from answers.splunk.com.

Amulya888
Explorer

How to change the management port to 8089? Please help, as I received the same error.

0 Karma

MuS
SplunkTrust

Hi madura.eleperuma,

there is a new version 3.1.2 at https://splunkbase.splunk.com/app/525/ and it works just fine on Splunk 6.4.2.

Hope this helps ...

cheers, MuS

madura_eleperum
Explorer

I upgraded to 3.1.2 on Splunk Enterprise 6.4.1 and still it's the same. I don't think upgrading Splunk to just one minor version would result in a big difference.

Anyone had success with setting up the latest version of Cisco Security Suite on Splunk 6.4.x?

0 Karma

MuS
SplunkTrust

What happens if you adapt this link to your server name

http://YourSplunkServerNameHere:Port/en-US/manager/Splunk_CiscoSecuritySuite/apps/local/Splunk_Cisco...

and try it? Looking at your posted error you were accessing /manager/search/apps/local?search=cisco&count=25.... the rest is missing but this would indicate a search within the Splunk Apps UI. Even when doing this here http://MySplunkServerNameHere:8000/en-US/manager/search/apps/local?search=cisco&count=25 and clicking on Set up works perfect.

Check your splunkd.log and the web_access.log for what is happening when you try to set up the app.

cheers, MuS

0 Karma

klaxdal
Contributor

Hi

Change the following line in /opt/splunk/etc/system/local/web.conf

"#default timeout, in seconds, when communicating with splunkd"
splunkdConnectionTimeout = 1400

madura_eleperum
Explorer

I tried this, but still the same 😞

0 Karma

Rob2520
Communicator

splunkdConnectionTimeout = 1200 worked for me.

0 Karma
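
The two causes reported in this thread (a management port other than 8089, and a splunkdConnectionTimeout too short for the setup searches) can both be read from web.conf before running setup. The following is an added example, not part of any post above and not the app's own code; it assumes the port is set through mgmtHostPort in the [settings] stanza, a shipped timeout default of 30 seconds, and uses constructed sample file contents.

```python
# Added example (not the app's code): check web.conf for the two causes above.
DEFAULT_MGMT_PORT = 8089   # port the accepted answer reverted to
DEFAULT_TIMEOUT = 30       # assumed shipped splunkdConnectionTimeout, in seconds

# Constructed sample layers, lowest precedence first (default, then local).
SAMPLE_DEFAULT = "[settings]\nmgmtHostPort = 127.0.0.1:8089\nsplunkdConnectionTimeout = 30\n"
SAMPLE_LOCAL = "# local overrides\n[settings]\nmgmtHostPort = 127.0.0.1:8090\n"

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()  # new stanza header
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def effective_settings(layers):
    """Merge the [settings] stanza across layers; later layers win."""
    merged = {}
    for text in layers:
        merged.update(parse_conf(text).get("settings", {}))
    return merged

def diagnose(layers):
    """Return findings matching the conditions reported in the thread."""
    settings = effective_settings(layers)
    findings = []
    host_port = settings.get("mgmtHostPort", f"127.0.0.1:{DEFAULT_MGMT_PORT}")
    port = int(host_port.rsplit(":", 1)[-1])  # rsplit also handles [::1]:8089
    if port != DEFAULT_MGMT_PORT:
        findings.append(f"mgmtHostPort uses port {port}, not {DEFAULT_MGMT_PORT}")
    timeout = int(settings.get("splunkdConnectionTimeout", DEFAULT_TIMEOUT))
    if timeout <= DEFAULT_TIMEOUT:
        findings.append(f"splunkdConnectionTimeout is {timeout}s (not raised)")
    return findings

if __name__ == "__main__":
    for finding in diagnose([SAMPLE_DEFAULT, SAMPLE_LOCAL]):
        print(finding)
```

To run it against a real instance, pass the contents of etc/system/default/web.conf and etc/system/local/web.conf, in that order, instead of the sample strings.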