All Apps and Add-ons

Why am I getting an unresponsive setup screen trying to install Cisco Security Suite on Splunk 6.3?

Splunk Employee
Splunk Employee

I tried installing Cisco Security Suite on Splunk 6.3, but having a problem with an unresponsive setup screen. Has anybody seen something similar?

Thanks.

Communicator

Have you tried edit your file app.conf?
is_configured = true

0 Karma

Communicator

I have the same problem with the Cisco Security Suite App. I have tried it on Splunk 6.3.2 using a Windows 2012 R2 install and a Linux install and both time out. It doesn't matter. I agree that it is an issue with compatibility with 6.3. So until then I use the SYNACKTEK Dropped Traffic Dashboard App to give me some kind of insight to what's happening on the network and if there are access attempts into the network from the outside the intrusion prevention stops or if the firewall is blocking attempts.

0 Karma

Communicator

We're in the same situation but I discovered that the unresponsive/timeout on the setup screen only occurs when the app is accessed by an account that has the Splunk admin role. Using a user account that only has access to just this app and nothing else appears to work (the user is getting other errors that we're still investigating but don't appear related)

So the questions now are: What is it about the admin role that triggers this "setup" screen? Can it be bypassed or manually configured somewhere else?

Communicator

Same problem here.
What did you do to repair the problem?

0 Karma

Communicator

I finally got around to trying this. I logged in with a non-admin and I can see the dashboard without any issues. Now I am stuck with:

Eventtype 'ciscoesaauthentication' does not exist or is disabled.
Eventtype 'ciscoesaemail' does not exist or is disabled.
Eventtype 'ciscoesaproxy' does not exist or is disabled.

I have modified the Cisco Security Suite Eventtypes by adding in the disabled = 1 or 0 and I still get the same eventtype.

I'm at a loss at what to do next.

0 Karma

Builder

I have the same experience with Splunk 6.3.3 and Cisco Enterprise Security 3.1.1. Logging in with non-admin user works fine. When I try with a user in an admin role, I am prompted to the app setup page. When I click the button, there is a delay of ~30s and then I get these errors (I intentionally obfuscated the username in the path):

Splunk could not perform action for resource apps/local/SplunkCiscoSecuritySuite Splunkd daemon is not responding: ("Error connecting to /servicesNS/username/SplunkCiscoSecuritySuite/apps/local/Splunk_CiscoSecuritySuite/setup: ('The read operation timed out',)",)

There was an error retrieving the configuration, can not process this page.

Path Finder

Have you tried increasing your splunkdConnectionTimeout in the web.conf file - etc/system/local/web.conf? I had a similar issue when running this on my local test instance running 6.3.2. I'm using: splunkdConnectionTimeout = 1400

Explorer

Thanks for the suggestion. I'd read similarly elsewhere and it looks like I have that set to 1200 on my Search Head. I'm thinking bumping it to 1400 probably won't have too much of an effect if it's already choking.

0 Karma

Explorer

I'm getting the same thing on Splunk 6.2.6. When opening the app after installation I get the screen:

The "Cisco Security Suite" app has not been fully configured yet.

This app has configuration properties that can be customized for this Splunk instance. Depending on the app, these properties may or may not be required.

When I click on the "Continue to app setup page" button the browser window sits there for an indefinite period of time and the app never completes setup.

0 Karma

Communicator

Same thing happens in my environment, I'm guessing it's not completely compatible w/ 6.3. When I click help/Setup, eventually I get the message

Splunk could not perform action for resource apps/local/Splunk_CiscoSecuritySuite Splunkd daemon is not responding: ("Error connecting to /servicesNS/manderson/Splunk_CiscoSecuritySuite/apps/local/Splunk_CiscoSecuritySuite/setup: ('The read operation timed out',)",)

Builder

Me too, comment above.

0 Karma

Path Finder

Hi,
Which version of Cisco Security Suite have you installed? I have configured Cisco Security Suite 3.1.1 on Splunk 6.3.1 and it seems OK in most of it, apart from cisco IPS app which is not functioning, and there is a case opened in Splunk for that (ADDON-6014) and some warning signs:

Eventtype 'ciscoesaauthentication' does not exist or is disabled.
Eventtype 'ciscoesaemail' does not exist or is disabled.
Eventtype 'ciscoesaproxy' does not exist or is disabled.

for the above I simply disabled the Eventtype cisco-esa and the warning signs were gone.

Maybe a simple thing worth trying, try the installation using different Internet Browsers? I've sometimes had issues with IE, and now tend to use Firefox to configure stuff over the web.
Cheers,
I

Builder

I wanted to chime in that disabling the eventtype also fixed my warnings. As a new Splunk user, I wasn't aware that you could disable eventtypes. Thanks for posting.

0 Karma