Splunk Enterprise Security

Splunk Enterprise Security: Cisco ASA logs extracting in ES search- in search and reporting, but not in ES search?

tiaatim
Path Finder

Hi, I have the Cisco ASA TA installed and things look great on my Enterprise Security search head when I search for the logs in the Search and Reporting app. But when I select ES and go to search in ES the logs are not extracted. I think this is why they are also not populating the network datamodel. The tags are all in place when I look at the logs in Search and Reporting, but nothing is coming into ES parsed, or into the network datamodel. I'm using verbose mode in both apps. Thanks!

0 Karma
1 Solution

tiaatim
Path Finder

Thanks for your help dflodstrom, I was able to fix it. For some reason the cisco-asa TA was missing in the /opt/splunk/etc/apps/Splunk_SA_CIM/metadata/local/meta file. I added it and everything is working and my datamodel is building.

View solution in original post

tiaatim
Path Finder

Thanks for your help dflodstrom, I was able to fix it. For some reason the cisco-asa TA was missing in the /opt/splunk/etc/apps/Splunk_SA_CIM/metadata/local/meta file. I added it and everything is working and my datamodel is building.

dflodstrom
Builder

That is definitely strange. Glad you got it working!

0 Karma

tiaatim
Path Finder

Looks like the reason why is because these settings in local/inputs.conf under the ESS app were disabled.

[app_imports_update://update_es]
disabled = 1

[app_imports_update://update_es_da]
disabled = 1

[app_imports_update://update_es_main]
disabled = 1

Thanks again for your help!

0 Karma

tiaatim
Path Finder

I checked the sharing for the ASA TA and it's set to "all apps". one thing I noticed is when I go on my ES SH and go to tags, under Search and Reporting app the tags are different than under Enterprise Security app. Same with eventttypes. So it looks like somehow the objects aren't getting shared across the apps. I removed the ASA app and reinstalled and still the same thing...

On the app imports update screen only sideview_utils are exclused and for inclusion only DA_ESS_PCICompliance and DA-ESS_contentupdate are showing...

Thanks for your help!

0 Karma

dflodstrom
Builder

What tags do you see? For these logs you should see: network, communicate, session, vpn, start, end, and probably a few others. Is any of the field extraction happening in your ES search?

0 Karma

tiaatim
Path Finder

I see all of those tags when I do a search in Search and Reporting on the ES SH. But when I'm in the ES app and do a search none of the tags are there.

In Settings > Tags if I select Search and Reporting in the dropdown I see all of those tags. But when I select ES in the dropdown selector, I don't see any of those tags. Almost like they didn't make it over from the S&R app for some reason.

0 Karma

dflodstrom
Builder

and in app imports the "Application Regular Expression" still includes Splunk_[ST]A_.* right?

Have you tried restarting Splunk or issuing a debug/refresh since applying any of these changes?

0 Karma

tiaatim
Path Finder

Yes
(appsbrowser)|(phantom)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)

and I did restart Splunk with no luck.

0 Karma

dflodstrom
Builder

Make sure the permissions for Splunk_TA_cisco-asa are set to share KOs from it globally and that the app import configuration in ES hasn't be modified to somehow exclude that particular TA. By default I believe that app will be imported by name but depending on your version of ES may not be imported automatically because of permissions issues.

0 Karma

tiaatim
Path Finder

Thanks, I'm looking and I don't see anything set incorrectly. But can you be more specific as to where to make sure it can share KO's globally and where to find the app import configuration? I've gone through all of the individual objects and they are set to all apps. Is that what you mean?

Thanks!

0 Karma

dflodstrom
Builder

You're on the right path. One thing to check is Apps>Manage Apps and under "Sharing" for Splunk Add-on for Cisco ASA make sure it is set to global. I believe this takes precedence over the permissions for each knowledge object inside of the app.

For the app import navigate to ES and then Configure>General>App Import Update (may vary slightly by version). I don't think that will be your issue since the default regexes include Splunk patterns to match Splunk_TA*.

Since its not working in ES or CIM I hope its just a top level permission issue for you.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...