
Splunk security suite installation

Path Finder

Hey there,

I need some help with the Cisco Security Suite. We are running a distributed environment which consists of 1x master, 1x search head and two indexers. The app was installed using the web UI by my predecessor along with the SA and TA. Our ASA is directed to one of the indexers via syslog UDP 514 and I can search this fine. The dashboard was showing no data, so I followed a ton of KB articles and made changes as suggested. I even installed the TA on both indexers; however, after rebooting I just got a bunch of errors. I ended up just uninstalling all the components completely. My question is: what is the correct installation procedure in a distributed environment such as mine? All the documents say install it in $SPLUNK_HOME..., etc., but not on what servers it is required. Do I simply need to install on the search head and copy the apps to the apps directory and that is it, or is it required on the indexers also?

Any help is appreciated.


Path Finder

I will indeed, thanks again.


Path Finder

Will you share the solution when you have it working again?


Path Finder

You can find your SA in Splunk_CiscoSecuritySuite/appserver/addons.
You have to copy the desired SA directory to $SPLUNK_HOME/etc/apps.
This will enable the SA ASA dashboard in the Security Suite dashboard.


Path Finder

Thanks,

I will install fresh with the most recent version on the search head. I have downloaded the Cisco Security Suite and the Splunk add-on for ASA; when I extract it, it is listed as Splunk_TA_cisco_asa. Is there an additional component (SA)? I can't see that on the site.


Path Finder

Standard files from your app:

SA-cisco-asa/default/eventtypes.conf:search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")

SA-cisco-asa/default/props.conf:[cisco:asa]

Splunk_CiscoSecuritySuite/lookups/cisco_device_info.csv:cisco:asa,cisco:asa,Firewall,network,Cisco,ASA,Adaptive Security Appliance

Splunk_TA_cisco-asa/default/eventgen.conf:sourcetype=cisco:asa

Splunk_TA_cisco-asa/default/eventtypes.conf:search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix") message_id="4000*"

Splunk_TA_cisco-asa/default/props.conf:sourcetype = cisco:asa
Splunk_TA_cisco-asa/default/props.conf:[cisco:asa]

Splunk_TA_cisco-asa/default/transforms.conf:FORMAT = sourcetype::cisco:asa

Splunk_TA_cisco-asa/lookups/cisco_asa_ids_lookup.csv:cisco:asa,network

Our input files from our UFW:

WG-CINP010_il_netwerk_fwdsyslog/default/inputs.conf:sourcetype = cisco:asa
WG-CINP010_il_netwerk_fwdsyslog/default/inputs.conf:sourcetype = cisco:asa


Path Finder

Is the sourcetype located in the props.conf file within the main app or under the TA/SA?


Path Finder

Of course, you can check within your dashboard which search has been run and failed.


Path Finder

Another remark: check your sourcetype! As far as I know it has been changed from cisco-asa (?) to cisco:asa.

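As an added example (not from the thread, the Cisco Security Suite or the Splunk add-ons), here is a small check for the mismatch the remark above points at: parse the forwarder's inputs.conf and the app's eventtypes.conf and flag any input whose sourcetype no eventtype searches for, which is exactly the case where data is searchable but the dashboards stay empty. The .conf contents and stanza names below are constructed samples.

```python
"""Added example (not from the thread): flag inputs.conf sourcetypes that no
eventtype in the app searches for (the cisco-asa vs cisco:asa rename)."""
import re

# Constructed forwarder stanza (the syslog UDP 514 input the question
# describes) still tagged with the old hyphenated sourcetype.
INPUTS_CONF = """
[udp://514]
connection_host = ip
sourcetype = cisco-asa
"""

# Constructed eventtypes modelled on the SA/TA lines quoted in the thread.
EVENTTYPES_CONF = """
[cisco_asa]
search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")
[cisco_asa_connection]
search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix") message_id="4000*"
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (comments skipped)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            # Split on the first '=' only: search strings contain '=' themselves.
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def expected_sourcetypes(eventtypes_text):
    """Every sourcetype="..." literal referenced by an eventtype search."""
    found = set()
    for kv in parse_conf(eventtypes_text).values():
        found.update(re.findall(r'sourcetype="([^"]+)"', kv.get("search", "")))
    return found

def find_mismatches(inputs_text, eventtypes_text):
    """Input stanzas whose sourcetype no eventtype will ever match."""
    wanted = expected_sourcetypes(eventtypes_text)
    return {s: kv["sourcetype"] for s, kv in parse_conf(inputs_text).items()
            if "sourcetype" in kv and kv["sourcetype"] not in wanted}
```

Run it against the real files from $SPLUNK_HOME/etc/apps on the forwarder and the search head; an empty result means every input sourcetype is one the eventtypes search for.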

Path Finder

Hi frmassdam,

Thanks for the reply. This is the original configuration that I had but the dashboard didn't show any data.


Path Finder

You have to install the Suite, your TAs and SA on the search head.
You also have to install your SAs (just copy that part from your Suite app directory) as separate apps in $SPLUNK_HOME/etc/apps/.
