All Apps and Add-ons

Why is Cisco ASA syslog not showing on the Cisco Security Suite Overview dashboard with my current configuration?

feisar
Explorer

Hi,

I’m running Splunk 6.2 Enterprise on Windows Server 2012 R2 and am sending syslogs from two Cisco ASA firewalls over the default TCP port 1470. Because I don’t want to use a different port for each device that sends syslogs to Splunk, I have configured the following in order to assign the correct sourcetype and index:

Props.conf

[host::192.168.5.2]
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa

[host::192.168.6.2]
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa

Transforms.conf

[set_index_firewall_cisco_asa]
DEST_KEY = _MetaData:Index
FORMAT = firewall_cisco
REGEX = .

[set_sourcetype_firewall_cisco_asa]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:asa
REGEX = .

The firewall logs are searchable from within Spunk using an index="firewall_cisco" search, but here’s the problem:

I have installed the ‘Cisco Security Suite’ app and the ‘Splunk Add-on for Cisco ASA’, but nothing is showing up on the Cisco Security Suite Overview dashboard - and I'd like it to.

Could someone confirm that a.) my config makes sense and b.) give me a clue as to why the Cisco dashboard isn’t picking up on the collected logs?

Thanks,

0 Karma
1 Solution

jconger
Splunk Employee
Splunk Employee

Most likely your firewall_cisco index is not a default searchable index. The Cisco Security Suite will look for the cisco:asa sourcetype only in indexes that are searchable by default depending on your role. Here's how to check:

  • Click Settings -> Access controls
  • Click Roles
  • Choose a role you are a member of
  • Scroll down to "Indexes searched by default"
  • Make sure firewall_cisco is in there

View solution in original post

jconger
Splunk Employee
Splunk Employee

Most likely your firewall_cisco index is not a default searchable index. The Cisco Security Suite will look for the cisco:asa sourcetype only in indexes that are searchable by default depending on your role. Here's how to check:

  • Click Settings -> Access controls
  • Click Roles
  • Choose a role you are a member of
  • Scroll down to "Indexes searched by default"
  • Make sure firewall_cisco is in there

feisar
Explorer

Perfect!

I added it to the 'User' role and all the pretty pictures on the Cisco dash came to life.

Thank you : )

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...