Why am I getting a 404 error when I try to set up Cisco Security Suite 3.1.1 in Splunk Enterprise 6.4.1?

I installed Cisco Security Suite (3.1.1) on Splunk Enterprise 6.4.1, and when I try to set it up by going to app management > set up (under Actions of Cisco Security Suite), I get a 404 error:

I have installed all the required add-ons and restarted Splunk and checked all other aspects of it. However, I did not set up the Firesight, IPS, or ISE add-ons as I do not have those appliances in my infrastructure and I just wanted to run through the setup process as a trial before I do it in production.

Any idea why this is?

1 Solution

Explorer

I received this error on a 6.5.2 Splunk Server where the default management port had been changed. After setting the management port back to 8089 the app worked as expected. I suspect somewhere in the app there is something hard coded that should not be which causes this issue.

Communicator

webui > settings > show all settings

0 Karma

Path Finder

The setup assumes that you have very little data in your Splunk environment - and does an 'open' search against your default indexes for any of the sourcetypes it's looking for - in a large environment, these searches will take longer than the timeout (hence the suggestions to increase the timeout in the answers above).

If you are in a large environment, I would highly recommend directly editing Splunk_CiscoSecuritySuite/bin/css_setup_handler.py to make the searches a little more restrictive (e.g. add in an index clause to help setup find what it's looking for), or simply pull all the searches and set the flags directly (e.g. alter the lines looking like info['asa_count'] = 0 to = 1 instead where a feature should be installed).

Also note that the app does not appear to be SHC compliant - so the setup needs to be run on each node.

0 Karma

Explorer

You're the only person that gave this explanation. Everyone else just suggested increasing the splunkdConnectionTimeout in web.conf.

I commented out the searches for the sourcetypes that I don't care about and added the relevant index to the sourcetype(s) I do care about and that worked like a charm.

Thank you!

0 Karma

Explorer

Hi nhdpotter,

This was the case with me as well. As soon as I changed the management port back to 8089 it worked 🙂

Thanks for the reply.

Note: I'm the same guy who posted the question. But for some internal unknown account/identity screw up I lost access to my account and had to create this new one; lost all history from answers.splunk.com.

Explorer

How to change the management port to 8089? Please help, as I received the same error.

0 Karma

SplunkTrust

Hi madura.eleperuma,

there is a new version 3.1.2 at https://splunkbase.splunk.com/app/525/ and it works just fine on Splunk 6.4.2.

Hope this helps ...

cheers, MuS

I upgraded to 3.1.2 on Splunk Enterprise 6.4.1 and still it's the same. I don't think upgrading Splunk to just one minor version would result in a big difference.

Anyone had success with setting up the latest version of Cisco Security Suite on Splunk 6.4.x?

0 Karma

SplunkTrust

What happens if you adapt this link to your server name

http://YourSplunkServerNameHere:Port/en-US/manager/Splunk_CiscoSecuritySuite/apps/local/Splunk_Cisco...

and try it? Looking at your posted error you were accessing /manager/search/apps/local?search=cisco&count=25.... the rest is missing but this would indicate a search within the Splunk Apps UI. Even when doing this here http://MySplunkServerNameHere:8000/en-US/manager/search/apps/local?search=cisco&count=25 and clicking on Set up works perfect.

Check your splunkd.log and the web_access.log to see what is happening when you try to set up the app.

cheers, MuS

0 Karma

Contributor

Hi

Change the following line in /opt/splunk/etc/system/local/web.conf:

# default timeout, in seconds, when communicating with splunkd
splunkdConnectionTimeout = 1400

I tried this, but still the same 😞

0 Karma

Communicator

splunkdConnectionTimeout = 1200 worked for me.

0 Karma
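
The two causes reported in this thread (a management port other than 8089, and a short splunkdConnectionTimeout) can both be checked against the effective [settings] values of web.conf. The script below is an added example, not part of any post above or of the app's own code; the sample file contents, the function names, and the 1200-second threshold (taken from one reply in the thread) are assumptions.

```python
# Added example (not from the app). Sample web.conf contents are constructed.
DEFAULT_WEB_CONF = """\
[settings]
mgmtHostPort = 127.0.0.1:8089
splunkdConnectionTimeout = 30
"""
LOCAL_WEB_CONF = """\
[settings]
# management port moved off 8089, as described in the accepted answer
mgmtHostPort = 127.0.0.1:8189
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def effective_settings(*layers):
    """Merge [settings] across layers, lowest precedence first (default, then local)."""
    merged = {}
    for text in layers:
        merged.update(parse_conf(text).get("settings", {}))
    return merged

def check(settings, expected_port="8089", thread_timeout=1200):
    """Return one finding per cause reported in the thread."""
    findings = []
    hostport = settings.get("mgmtHostPort")
    if hostport and hostport.rsplit(":", 1)[-1] != expected_port:
        findings.append(f"mgmtHostPort={hostport}: management port is not {expected_port}")
    timeout = settings.get("splunkdConnectionTimeout", "")
    if not timeout.isdigit() or int(timeout) < thread_timeout:
        findings.append(f"splunkdConnectionTimeout={timeout or 'unset'}: below {thread_timeout}s")
    return findings

if __name__ == "__main__":
    for finding in check(effective_settings(DEFAULT_WEB_CONF, LOCAL_WEB_CONF)):
        print(finding)
```

On a real server, `splunk btool web list settings` prints the merged values that this script approximates with two layers.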