cisco firewall add on data in index but no data in dashboard

Contributor

I have installed the Cisco Security Suite and the Cisco Firewall add-on.

Configured my firewall to send syslog events to Splunk.

Configured Splunk to listen on UDP port 514 and set incoming data to go to an index called firewall, with the sourcetype set to cisco_asa, via an inputs.conf file defined under the local dir of the firewall app:

[udp://x.x.x.x:514]
disabled = false
sourcetype = cisco_asa
index = firewall

Splunk is definitely collecting firewall logs. If I search index=firewall, I can see all the data. It also shows me 4 eventtypes, one being cisco_firewall.

However, if I search eventtype=cisco_firewall or sourcetype=cisco_asa, nothing comes up: 0 results found.

No wonder the dashboard is empty.

Any idea what I might be doing wrong?

1 Solution

Motivator

If you have not given the user account access to search the firewall index by default, and the firewall index is not literally called out in the search string... you will not get any results back. You may also find that the dashboard relies on saved searches and summary indexes which may not have yet populated.


Contributor

I have tried removing sourcetype = cisco_asa from the inputs.conf file (as mentioned in the app's wiki pages, we really don't need to define a sourcetype; it automatically detects %ASA and assigns the cisco_firewall eventtype), and it now shows only one eventtype when I search index=firewall, which is cisco_firewall and is correct.

However, a search with eventtype=cisco_firewall still returns 0 results, and hence the empty dashboard in the app.

I have no clue.


Contributor

yes, it worked!
Thank you.


Motivator

Settings > Access Controls > Roles > Admin > Indexes Searched by Default: add "All non-internal indexes".

Does that help?
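The two posts above (the accepted solution and the Settings path) turn on one rule: a search that does not name an index runs only against the role's "Indexes searched by default", while an explicit index= term is checked against the role's allowed indexes. The following Python model is an added example, not code from this thread or from Splunk. It parses a constructed authorize.conf fragment with the admin role before and after the fix, runs the searches from the thread over a handful of constructed events, and simplifies eventtype=cisco_firewall to mean sourcetype=cisco_asa (an assumption made for the demo, not the add-on's real eventtype definition).

```python
"""Model of how a Splunk role's index settings scope a search.

Added example, not code from the thread or from Splunk. Two settings
from authorize.conf are modelled:

  * srchIndexesAllowed - indexes the role may name with index=...
  * srchIndexesDefault - indexes searched when the search has no index= term

Wildcards follow the Splunk convention: '*' matches non-internal indexes
only, '_*' is needed for internal (underscore) indexes.
"""
import configparser
import fnmatch
import re
from dataclasses import dataclass

# Constructed authorize.conf fragment: the admin role before and after
# "Indexes searched by default" was set to all non-internal indexes.
AUTHORIZE_CONF = """
[role_admin_before]
srchIndexesAllowed = *;_*
srchIndexesDefault = main

[role_admin_after]
srchIndexesAllowed = *;_*
srchIndexesDefault = *
"""

# Constructed events as (index, sourcetype, raw text).
EVENTS = [
    ("firewall", "cisco_asa", "%ASA-6-302013: Built inbound TCP connection 42"),
    ("firewall", "cisco_asa", "%ASA-4-106023: Deny tcp src outside:203.0.113.9/4444"),
    ("main", "syslog", "sshd[1]: Accepted publickey for root"),
    ("_internal", "splunkd", "INFO  Metrics - group=queue"),
]

# Simplified eventtype definitions (assumption for the demo): an eventtype
# expands to the field terms it is defined by.
EVENTTYPES = {"cisco_firewall": {"sourcetype": "cisco_asa"}}


@dataclass(frozen=True)
class Role:
    allowed: tuple
    default: tuple


def load_roles(text):
    """Parse role_* stanzas into Role objects keyed by role name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written in the .conf
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        allowed = tuple(cp[section].get("srchIndexesAllowed", "").split(";"))
        default = tuple(cp[section].get("srchIndexesDefault", "").split(";"))
        roles[section[len("role_"):]] = Role(allowed, default)
    return roles


def index_matches(patterns, name):
    """Splunk-style glob match; a bare '*' never matches '_internal' etc."""
    for p in patterns:
        p = p.strip()
        if not p:
            continue
        if p == "*" and name.startswith("_"):
            continue
        if fnmatch.fnmatchcase(name, p):
            return True
    return False


def run_search(role, search):
    """Return the raw events a search would see when run under `role`."""
    terms = dict(re.findall(r"(\w+)\s*=\s*(\S+)", search))
    if "eventtype" in terms:
        terms.update(EVENTTYPES[terms.pop("eventtype")])
    explicit = terms.get("index")
    hits = []
    for idx, sourcetype, raw in EVENTS:
        if explicit is not None:
            # Explicit index term: must match the term AND be permitted.
            if not (index_matches((explicit,), idx) and index_matches(role.allowed, idx)):
                continue
        elif not index_matches(role.default, idx):
            # No index term: only the role's default indexes are searched.
            continue
        if "sourcetype" in terms and terms["sourcetype"] != sourcetype:
            continue
        hits.append(raw)
    return hits


if __name__ == "__main__":
    roles = load_roles(AUTHORIZE_CONF)
    for name in ("admin_before", "admin_after"):
        for spl in ("eventtype=cisco_firewall", "index=firewall eventtype=cisco_firewall"):
            print(f"{name:13} {spl:42} -> {len(run_search(roles[name], spl))} results")
```

Before the fix, `eventtype=cisco_firewall` returns nothing while `index=firewall eventtype=cisco_firewall` returns both ASA events, which is exactly the symptom in the thread; after the fix the dashboard-style search (no index term) works too. On a real search head the role's effective values can be checked with `splunk btool authorize list role_admin --debug`, and `index=*` still excludes internal indexes unless `_*` is named.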

Contributor

I am trying this as the admin account.
What I have noticed is that if I use index=firewall and eventtype=cisco_firewall it returns the correct output. However, all the dashboards built into the app use eventtype as the search criterion.
