Hey there,
I need some help with the Cisco Security Suite. We are running a distributed environment which consists of 1 x master, 1 x search head and two indexers. The app was installed using the web UI by my predecessor along with the SA and TA. Our ASA is directed to one of the indexers via syslog UDP 514 and I can search this fine. The dashboard was showing no data, so I followed a ton of KB articles and made changes as suggested; I even installed the TA on both indexers, however after rebooting I just got a bunch of errors. I ended up just uninstalling all the components completely. My question is: what is the correct installation procedure in a distributed environment such as mine? All the documents say install it in $SPLUNK_HOME..., etc., but not on which servers it is required. Do I simply need to install it on the search head and copy the apps to the apps directory and that is it, or is it required on the indexers also?
Any help is appreciated.
I will indeed, thanks again.
Will you share the solution when you have it working again?
You can find your SA in Splunk_CiscoSecuritySuite/appserver/addons
You have to copy the desired SA directory to $SPLUNK_HOME/etc/apps
This will enable the SA ASA dashboard in the Security Suite dashboard
Thanks,
I will install fresh with the most recent version on the search head. I have downloaded the Cisco Security Suite and the Splunk add-on for ASA; when I extract it, it is listed as Splunk_TA_cisco_asa. Is there an additional component (SA)? I can't see that on the site.
Standard files from your app:
SA-cisco-asa/default/eventtypes.conf:search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")
SA-cisco-asa/default/props.conf:[cisco:asa]
Splunk_CiscoSecuritySuite/lookups/cisco_device_info.csv:cisco:asa,cisco:asa,Firewall,network,Cisco,ASA,Adaptive Security Appliance
Splunk_TA_cisco-asa/default/eventgen.conf:sourcetype=cisco:asa
Splunk_TA_cisco-asa/default/eventtypes.conf:search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix") message_id="4000*"
Splunk_TA_cisco-asa/default/props.conf:sourcetype = cisco:asa
Splunk_TA_cisco-asa/default/props.conf:[cisco:asa]
Splunk_TA_cisco-asa/default/transforms.conf:FORMAT = sourcetype::cisco:asa
Splunk_TA_cisco-asa/lookups/cisco_asa_ids_lookup.csv:cisco:asa,network
Our input files from our UFW:
WG-CINP010_il_netwerk_fwdsyslog/default/inputs.conf:sourcetype = cisco:asa
WG-CINP010_il_netwerk_fwdsyslog/default/inputs.conf:sourcetype = cisco:asa
Is the sourcetype located in the props.conf file within the main app or under the TA/SA?
Of course you can check, within your dashboard, the search that was run and failed.
Another remark: check your sourcetype! As far as I know it has been changed from cisco-asa (?) to cisco:asa.
Hi frmassdam,
Thanks for the reply. This is the original configuration that I had but the dashboard didn't show any data.
You have to install the Suite, your TAs and SAs on the search head.
You also have to install your SAs (just copy that part from your Suite app directory) as separate apps in $SPLUNK_HOME/etc/apps/
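The two checks the thread keeps coming back to (is the SA actually present as its own app under etc/apps, and is every inputs.conf/props.conf using the colon sourcetype `cisco:asa` rather than the legacy `cisco-asa`) can be scripted. The block below is an added example and is not from the thread, the Suite or the TA; it assumes the standard `$SPLUNK_HOME/etc/apps/<app>` layout and the app names quoted above, and the fixture tree it builds (the stanza text included) is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for a Cisco Security Suite
# install on a Splunk search head. Assumed layout: $SPLUNK_HOME/etc/apps/<app>,
# app names as they appear in the thread. The fixture tree below is constructed.

# Echo each app name that is absent under $1/etc/apps; return 1 if any is missing.
missing_apps() {
  home="$1"; shift
  rc=0
  for app in "$@"; do
    if [ ! -d "$home/etc/apps/$app" ]; then
      echo "$app"
      rc=1
    fi
  done
  return "$rc"
}

# Copy an SA bundled inside the Suite (appserver/addons/<SA>) to etc/apps,
# which is the step the answer above describes.
install_sa() {
  home="$1"; sa="$2"
  cp -R "$home/etc/apps/Splunk_CiscoSecuritySuite/appserver/addons/$sa" "$home/etc/apps/"
}

# Echo file:line:text for every inputs.conf/props.conf that still uses the
# legacy dash sourcetype (cisco-asa) instead of cisco:asa; return 1 if any found.
legacy_sourcetypes() {
  home="$1"
  hits=$(find "$home/etc/apps" \( -name inputs.conf -o -name props.conf \) \
    -exec grep -HnE '^[[:space:]]*(sourcetype[[:space:]]*=[[:space:]]*cisco-asa[[:space:]]*$|\[cisco-asa\])' {} + 2>/dev/null || true)
  if [ -n "$hits" ]; then
    echo "$hits"
    return 1
  fi
  return 0
}

# Constructed fixture: the Suite with the SA still bundled inside it, the TA,
# and a forwarder-style inputs app (hypothetical name) carrying the old sourcetype.
make_fixture() {
  home="$1"
  mkdir -p "$home/etc/apps/Splunk_CiscoSecuritySuite/appserver/addons/SA-cisco-asa/default"
  printf '[cisco_asa_events]\nsearch = (sourcetype="cisco:asa" OR sourcetype="cisco:pix")\n' \
    > "$home/etc/apps/Splunk_CiscoSecuritySuite/appserver/addons/SA-cisco-asa/default/eventtypes.conf"
  mkdir -p "$home/etc/apps/Splunk_TA_cisco-asa/default"
  printf '[cisco:asa]\nSHOULD_LINEMERGE = false\n' \
    > "$home/etc/apps/Splunk_TA_cisco-asa/default/props.conf"
  mkdir -p "$home/etc/apps/my_fwd_syslog/default"
  printf '[udp://514]\nsourcetype = cisco-asa\n' \
    > "$home/etc/apps/my_fwd_syslog/default/inputs.conf"
}

# Walk through the checks on the fixture: first with the SA missing and the
# stale sourcetype present, then after copying the SA into place.
demo() {
  home=$(mktemp -d)
  make_fixture "$home"
  echo "== before: missing apps"
  missing_apps "$home" Splunk_CiscoSecuritySuite Splunk_TA_cisco-asa SA-cisco-asa || true
  echo "== before: legacy sourcetypes"
  legacy_sourcetypes "$home" || true
  install_sa "$home" SA-cisco-asa
  echo "== after install_sa: missing apps"
  missing_apps "$home" Splunk_CiscoSecuritySuite Splunk_TA_cisco-asa SA-cisco-asa && echo "(none)"
  rm -rf "$home"
}

demo
```

To run this against a real search head, call `missing_apps "$SPLUNK_HOME" Splunk_CiscoSecuritySuite Splunk_TA_cisco-asa SA-cisco-asa` and `legacy_sourcetypes "$SPLUNK_HOME"` instead of `demo`; anything the second function prints is an input or props stanza that will feed events the Suite's eventtypes (which search on `sourcetype="cisco:asa"`) will never match.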