Hi, I have the Cisco ASA TA installed and things look great on my Enterprise Security search head when I search for the logs in the Search and Reporting app. But when I select ES and go to search in ES the logs are not extracted. I think this is why they are also not populating the network datamodel. The tags are all in place when I look at the logs in Search and Reporting, but nothing is coming into ES parsed, or into the network datamodel. I'm using verbose mode in both apps. Thanks!
Thanks for your help dflodstrom, I was able to fix it. For some reason the cisco-asa TA was missing in the /opt/splunk/etc/apps/Splunk_SA_CIM/metadata/local/meta file. I added it and everything is working and my datamodel is building.
That is definitely strange. Glad you got it working!
Looks like the reason is that these settings in local/inputs.conf under the ESS app were disabled.
[app_imports_update://update_es]
disabled = 1
[app_imports_update://update_es_da]
disabled = 1
[app_imports_update://update_es_main]
disabled = 1
Thanks again for your help!
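The two things this thread ends up checking by hand are (a) whether the app_imports_update inputs in ES are disabled and (b) whether a TA's app name is actually matched by the ES "Application Regular Expression". The script below is an added example, not something posted in the thread or shipped with Enterprise Security; it parses a constructed inputs.conf sample modelled on the stanzas quoted above and evaluates the import regex as quoted, assuming ES applies it with search (substring) semantics.

```python
import re

# Constructed sample of an ES local/inputs.conf, modelled on the stanzas
# quoted in the thread. Not copied from any real deployment.
SAMPLE_INPUTS_CONF = """\
# app import inputs (constructed sample)
[app_imports_update://update_es]
disabled = 1

[app_imports_update://update_es_da]
disabled = 1

[app_imports_update://update_es_main]
disabled = 0
"""

# The "Application Regular Expression" exactly as quoted in the thread.
# Assumption: ES tests app names against it with search semantics.
IMPORT_REGEX = (
    r"(appsbrowser)|(phantom)|(search)|([ST]A-.)|(Splunk_[ST]A_.)"
    r"|(DA-ESS-.)|(Splunk_DA-ESS_.)"
)

# Spellings Splunk treats as boolean true in .conf files.
TRUE_VALUES = {"1", "true", "t", "yes", "y"}


def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}.

    Handles blank lines, '#'/';' comments and 'key = value' pairs; keys that
    appear before any [stanza] are ignored.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def disabled_import_inputs(conf_text):
    """Return the app_imports_update stanzas whose 'disabled' flag is true.

    These are the inputs that refresh the ES app import list; if they are
    disabled, newly installed TAs never get pulled into the ES app context.
    """
    return sorted(
        name
        for name, kv in parse_conf(conf_text).items()
        if name.startswith("app_imports_update://")
        and kv.get("disabled", "0").lower() in TRUE_VALUES
    )


def matches_import_regex(app_name, pattern=IMPORT_REGEX):
    """True if the app directory name would be picked up by the import regex."""
    return re.search(pattern, app_name) is not None


def apps_not_imported(app_names, pattern=IMPORT_REGEX):
    """Return the installed apps that the import regex would NOT match."""
    return sorted(a for a in app_names if not matches_import_regex(a, pattern))


if __name__ == "__main__":
    # Constructed list of app directory names for illustration.
    installed = ["Splunk_TA_cisco-asa", "Splunk_SA_CIM", "sideview_utils",
                 "DA-ESS-AccessProtection", "my_custom_app"]
    print("disabled import inputs:", disabled_import_inputs(SAMPLE_INPUTS_CONF))
    print("apps the import regex misses:", apps_not_imported(installed))
```

Point it at the real files by reading /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf (path is an assumption; adjust to your install) in place of the sample. An app that does not match the regex, or whose sharing is not global, will behave exactly as described in the question: tags and extractions visible in Search and Reporting but absent in the ES app.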
I checked the sharing for the ASA TA and it's set to "all apps". One thing I noticed is when I go on my ES SH and go to tags, under the Search and Reporting app the tags are different than under the Enterprise Security app. Same with eventtypes. So it looks like somehow the objects aren't getting shared across the apps. I removed the ASA app and reinstalled and still the same thing...
On the app imports update screen only sideview_utils is excluded, and for inclusion only DA_ESS_PCICompliance and DA-ESS_contentupdate are showing...
Thanks for your help!
What tags do you see? For these logs you should see: network, communicate, session, vpn, start, end, and probably a few others. Is any of the field extraction happening in your ES search?
I see all of those tags when I do a search in Search and Reporting on the ES SH. But when I'm in the ES app and do a search none of the tags are there.
In Settings > Tags if I select Search and Reporting in the dropdown I see all of those tags. But when I select ES in the dropdown selector, I don't see any of those tags. Almost like they didn't make it over from the S&R app for some reason.
and in app imports the "Application Regular Expression" still includes Splunk_[ST]A_.* right?
Have you tried restarting Splunk or issuing a debug/refresh since applying any of these changes?
Yes
(appsbrowser)|(phantom)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)
and I did restart Splunk with no luck.
Make sure the permissions for Splunk_TA_cisco-asa are set to share KOs from it globally and that the app import configuration in ES hasn't been modified to somehow exclude that particular TA. By default I believe that app will be imported by name, but depending on your version of ES it may not be imported automatically because of permissions issues.
Thanks, I'm looking and I don't see anything set incorrectly. But can you be more specific as to where to make sure it can share KO's globally and where to find the app import configuration? I've gone through all of the individual objects and they are set to all apps. Is that what you mean?
Thanks!
You're on the right path. One thing to check is Apps>Manage Apps and under "Sharing" for Splunk Add-on for Cisco ASA make sure it is set to global. I believe this takes precedence over the permissions for each knowledge object inside of the app.
For the app import navigate to ES and then Configure>General>App Import Update (may vary slightly by version). I don't think that will be your issue since the default regexes include Splunk patterns to match Splunk_TA*.
Since it's not working in ES or CIM, I hope it's just a top-level permission issue for you.