
Why am I getting an unresponsive setup screen trying to install Cisco Security Suite on Splunk 6.3?

vvajdic
Splunk Employee

I tried installing Cisco Security Suite on Splunk 6.3, but having a problem with an unresponsive setup screen. Has anybody seen something similar?

Thanks.

monteirolopes
Communicator

Have you tried editing your app.conf file?
is_configured = true

0 Karma

molinarf
Communicator

I have the same problem with the Cisco Security Suite App. I have tried it on Splunk 6.3.2 using a Windows 2012 R2 install and a Linux install and both time out. It doesn't matter. I agree that it is an issue with compatibility with 6.3. So until then I use the SYNACKTEK Dropped Traffic Dashboard App to give me some kind of insight into what's happening on the network and if there are access attempts into the network from the outside the intrusion prevention stops or if the firewall is blocking attempts.

0 Karma

kearaspoor
SplunkTrust

We're in the same situation but I discovered that the unresponsive/timeout on the setup screen only occurs when the app is accessed by an account that has the Splunk admin role. Using a user account that only has access to just this app and nothing else appears to work (the user is getting other errors that we're still investigating but don't appear related).

So the questions now are: What is it about the admin role that triggers this "setup" screen? Can it be bypassed or manually configured somewhere else?

monteirolopes
Communicator

Same problem here.
What did you do to repair the problem?

0 Karma

molinarf
Communicator

I finally got around to trying this. I logged in with a non-admin and I can see the dashboard without any issues. Now I am stuck with:

Eventtype 'cisco_esa_authentication' does not exist or is disabled.
Eventtype 'cisco_esa_email' does not exist or is disabled.
Eventtype 'cisco_esa_proxy' does not exist or is disabled.

I have modified the Cisco Security Suite Eventtypes by adding in the disabled = 1 or 0 and I still get the same eventtype.

I'm at a loss at what to do next.

0 Karma

_smp_
Builder

I have the same experience with Splunk 6.3.3 and Cisco Enterprise Security 3.1.1. Logging in with non-admin user works fine. When I try with a user in an admin role, I am prompted to the app setup page. When I click the button, there is a delay of ~30s and then I get these errors (I intentionally obfuscated the username in the path):

Splunk could not perform action for resource apps/local/Splunk_CiscoSecuritySuite Splunkd daemon is not responding: ("Error connecting to /servicesNS/username/Splunk_CiscoSecuritySuite/apps/local/Splunk_CiscoSecuritySuite/setup: ('The read operation timed out',)",)

There was an error retrieving the configuration, can not process this page.

ppeterson
Path Finder

Have you tried increasing your splunkdConnectionTimeout in the web.conf file - etc/system/local/web.conf? I had a similar issue when running this on my local test instance running 6.3.2. I'm using: splunkdConnectionTimeout = 1400

JdeFalconr
Explorer

Thanks for the suggestion. I'd read similarly elsewhere and it looks like I have that set to 1200 on my Search Head. I'm thinking bumping it to 1400 probably won't have too much of an effect if it's already choking.

0 Karma

JdeFalconr
Explorer

I'm getting the same thing on Splunk 6.2.6. When opening the app after installation I get the screen:

The "Cisco Security Suite" app has not been fully configured yet.

This app has configuration properties that can be customized for this Splunk instance. Depending on the app, these properties may or may not be required.

When I click on the "Continue to app setup page" button the browser window sits there for an indefinite period of time and the app never completes setup.

0 Karma

banderson7
Communicator

Same thing happens in my environment, I'm guessing it's not completely compatible w/ 6.3. When I click help/Setup, eventually I get the message:

Splunk could not perform action for resource apps/local/Splunk_CiscoSecuritySuite Splunkd daemon is not responding: ("Error connecting to /servicesNS/manderson/Splunk_CiscoSecuritySuite/apps/local/Splunk_CiscoSecuritySuite/setup: ('The read operation timed out',)",)

_smp_
Builder

Me too, comment above.

0 Karma

ilirb
Path Finder

Hi,
Which version of Cisco Security Suite have you installed? I have configured Cisco Security Suite 3.1.1 on Splunk 6.3.1 and it seems OK in most of it, apart from the Cisco IPS app which is not functioning, and there is a case opened in Splunk for that (ADDON-6014) and some warning signs:

Eventtype 'cisco_esa_authentication' does not exist or is disabled.
Eventtype 'cisco_esa_email' does not exist or is disabled.
Eventtype 'cisco_esa_proxy' does not exist or is disabled.

For the above I simply disabled the Eventtype cisco-esa and the warning signs were gone.

Maybe a simple thing worth trying, try the installation using different Internet Browsers? I've sometimes had issues with IE, and now tend to use Firefox to configure stuff over the web.
Cheers,
I

_smp_
Builder

I wanted to chime in that disabling the eventtype also fixed my warnings. As a new Splunk user, I wasn't aware that you could disable eventtypes. Thanks for posting.

0 Karma
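
The three workarounds raised in this thread, collected as configuration fragments (an added example, not posted by any participant). Stanza names follow Splunk's app.conf, web.conf and eventtypes.conf specs; the app directory holding the cisco-esa eventtype is an assumption and is left as a placeholder.

```ini
# --- $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/local/app.conf ---
# Suggested by monteirolopes. is_configured records whether the app's
# setup has been performed; Splunk Web prompts for setup while it is false.
[install]
is_configured = true

# --- $SPLUNK_HOME/etc/system/local/web.conf ---
# Suggested by ppeterson. Seconds Splunk Web waits for splunkd before
# reporting "The read operation timed out". The default is 30, which
# matches the ~30s delay _smp_ describes. JdeFalconr already had 1200
# and still saw the hang, so this may not be sufficient on its own.
[settings]
splunkdConnectionTimeout = 1400

# --- $SPLUNK_HOME/etc/apps/<APP_DEFINING_THE_EVENTTYPE>/local/eventtypes.conf ---
# Reported by ilirb and confirmed by _smp_ to clear the
# "Eventtype 'cisco_esa_*' does not exist or is disabled" warnings.
# Stanza name taken from ilirb's post; the directory is a placeholder.
[cisco-esa]
disabled = 1
```

Put overrides in an app's local directory rather than default so an app upgrade does not overwrite them, and restart Splunk after editing.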