I have recently set up CIsco Security suite and I'm confused as to what happened in the setup. I have an ASA firewall sending data to splunk. During the setup, it asked which type of firewall logs were being used, I selected ASA (triple checked). I see that I have files coming in from the ASA (using the search app) but are not coming in on the dashboard. When I hover over the yellow ! I see that it is looking for eventtype: cisco_esa_authentication, esa_email and esa_proxy. Did I miss a step? It seemed pretty straight forward. I do not have the esa add-on installed, but do have the asa add-on installed. Should I change the eventtype in /apps/Splunk_ciscoSecuritySuite/default/eventtypes.conf? I see the eventtype of my incoming data is cisco_connection, perhaps that is something I need to look in to as well. Please advise.
Which dashboard you are looking for ASA data?
I was using the overview dashboard. After I posted this, I realized I should've been more clear. I like the look and feel of the overview dashboard. I can see the network security/firewall event search dashboard be populated.
For example, I see the search strings used in the map. How would I get the ASA firewall data to the overview portion? Cisco-security-events is the eventtype the map is looking for. Am I looking for a way that the eventtype is changed or am I needing to change what eventtype the map is looking for?