Cisco Firewall Addon - no input, no setup option in Manager

cqmitre
Engager

I have the Splunk for Cisco Firewalls Addon installed, and I'm trying to get data into it. The Readme has this line in it for configuring the data inputs. (I'm using version 2.0)

"Click Manager > Apps > Cisco Firewalls > 'Set up'"

However, when I go there, I do not see a "Set up" option at all. These are the only options that I see:

Global | Permissions Enabled Launch app | Edit properties | View objects | View details on Splunkbase

I'm assuming that the install docs are just out of date, but I also tried doing it manually by creating inputs.conf and using the following:

[udp://2550]
disabled = false

I restarted Splunk after making that change but I am not getting any data. I have been using that port before installing the Addon and I can verify that log data is still coming into it - Splunk just isn't getting it.

What am I missing? Any insight would be appreciated. Thanks!

pstraw
Explorer

I ran into the same problem with Cisco Security Suite v2.0 and Splunk for Cisco Firewalls v2.0 (build 100490). According to the App pages, v2.0 of Cisco Apps only support Splunk versions 4 thru 5. Guess we need to wait till Splunk v6 is supported.

0 Karma

hengunde
Engager

I am having just the same issues on a Windows 7 platform. There is no "setup" option anywhere, so I also tried to manually create the file (C:\Program Files\Splunk\etc\apps\Splunk_CiscoFirewalls\local\inputs.conf) and used the default syslog port (udp/514). Still no joy... 😞

jonahcofer
Engager

When you say you edited the inputs.conf, was it the main Splunk inputs configuration file or was it the inputs.conf for the cisco_firewalls app itself?

If you go to your splunk directories in program files and navigate to \splunk\etc\apps\Splunk_CiscoFirewalls\local, you will see the inputs.conf directly associated with the app. Open that and the default is [udp://514]. Change that to the port that you listed above and restart Splunk again. Since you're forwarding over 2550, the app will start to parse those logs based on the source and you should start to see results for sourcetype="cisco_asa" in your search.

0 Karma

cqmitre
Engager

Thanks for the reply!

When I say inputs.conf, I'm talking about the one for the App itself, in the \local folder. One thing I just found - I made the edits to the file, verified that they were there, and once I restarted Splunk the file is now empty. (Note, I'm running on Ubuntu).


root@splunk:/opt/splunk/etc/apps/Splunk_CiscoFirewalls/local# cat inputs.conf
[udp://2550]
disabled = false

root@splunk:/opt/splunk/etc/apps/Splunk_CiscoFirewalls/local# /opt/splunk/bin/splunk restart
(removed startup bits)
root@splunk:/opt/splunk/etc/apps/Splunk_CiscoFirewalls/local# cat inputs.conf

0 Karma