Version 3.x of the Cisco Security Suite is not compatible with Splunk 5.x. Some things will work, but most will not. ... View more

What do you get when you run the following search? eventtype=cisco-firewall ... View more

You will need to tell Splunk to override the host field. Here's how -> http://docs.splunk.com/Documentation/Splunk/latest/Data/overridedefaulthostassignments ... View more

There are a couple of things to check. 1 - since you have a custom index, make sure that it is a searched by default. Within Splunk, click Settings -> Access controls -> Roles -> choose a role your account belongs to -> scroll to the bottom and observe the indexes searched by default. This is necessary as the Cisco Security Suite does not specify the index in the searches; rather, we rely on the index being a default searchable index. As an alternative, you can make a change to eventtypes.conf to include your custom index. All the searches in the Cisco Security Suite specify an eventtype. To do this, copy $SPLUNK_HOME/etc/apps/SA-cisco-asa/default/eventtypes.conf To $SPLUNK_HOME/etc/apps/SA-cisco-asa/local/eventtypes.conf Modify like so: [cisco-firewall] search = index=your_custom_index (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm") 2 - since you are sending multiple types of data in on UDP, make sure that you force the sourcetype for Cisco ASA. Here is how to do this: Navigate to the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa directory. Create a new directory named local. Navigate into the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/default directory. Copy the props.conf configuration file and place it into the previously created $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory. Navigate into the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory. Open the props.conf configuration file. Remove the # (commented out markers) at the beginning of the below text in the props.conf file. ** Note: If you have the data going to a different port or protocol then make the appropriate adjustments, such as if you have cisco asa data being received on tcp port 515, then replace source::udp:514 with source::tcp:515. #[source::udp:514] #TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_\asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm Save the props.conf configuration file. Restart the Splunk Service/Daemon. ... View more

Yes, the Cisco Security Suite is compatible with Splunk 6.1. The app listing has been updated to reflect this. ... View more

Version 3.x of the Cisco Security Suite was built for Splunk 6.x. Some parts will work on Splunk 5.x, but others will not. ... View more

Very strange as those "possible typos" are all in savedsearches.conf and savedsearches.conf did not change from version 3.0.2 to 3.0.3. What version of Splunk are you running? Also, does anything look strange in savedsearches.conf (like extra characters)? ... View more

Make sure that the Splunk Windows Service is set to login as a XenApp farm administrator. After you run the rebuild zone farm lookup, there is nothing for you to save. What this does is simply build a CSV file that associates server names to farm names so when you run a search on performance, you can group by farm name since perfmon has no concept of farm. ... View more

FYI - there is a new app template for XenApp located here -> http://apps.splunk.com/app/1752/ To address the issues you see in the current app: For the farm details, you may need to rebuild your zone to farm lookup table. To do this, navigate to Reports -> Maintenance -> Rebuild Zone Farm Lookup. For the User Experience, you may be experiencing an issue where the Citrix servers have corrupt perfmon counters. After applying certain XenApp hotfixes, the ICA Performance counters can be inadvertently removed. To resolve this, type the following command at a command prompt on your XenApp server: regsvr32 c:\windows\system32\icaperf.dll Reference: http://support.citrix.com/article/CTX127151 ... View more

You have 2 options. Option 1 - use a Splunk 5.x Heavy Forwarder to connect to your IPS and forward the logs to your Splunk 6 instance. Option 2 - there is a potential workaround to get IPS working on Splunk 6 here -> http://answers.splunk.com/answers/105193/cisco-ips-error-errno-8?page=1&focusedAnswerId=135759#135759 ... View more

You can use the app mentioned by alacercogiltatus. Take note that the app only works for Splunk version 5 and below. So, if you have Splunk 6, this app will not work out of the box. You can use a Splunk 5.x Heavy Forwarder to get information from your IPS and then forward to a Splunk 6 indexer. Or, this thread has a potential workaround for you as well to use IPS with Splunk 6 -> http://answers.splunk.com/answers/105193/cisco-ips-error-errno-8?page=1&focusedAnswerId=135759#135759 ... View more

Can you post your props.conf file? The sample lines you posted should match the REGEX specified. There may be something in props.conf that can offer more clues. ... View more

You may need to modify the REGEX on the [force_sourcetype_for_cisco_*] stanzas in transforms.conf if your log files don't match correctly. I have seen this in one other instance where the log format coming from the devices wasn't quite the same as the transforms.conf stanza expected. ... View more

You can deliver ASA logs to either a Splunk index or a Splunk Universal Forwarder (which will then forward data to the Splunk index). Here is the command to configure your device: logging host <int> <ipaddr> tcp/514 The field is the interface that the syslog data will be sent out of. The field is the IP address of your syslog collector. If you configured a different TCP port from the standard 514, then use that in this command instead. Remember to commit the changes. Also, there are sample logs within the add-on located in the samples directory. ... View more

There is a Splunk app for Citrix XenApp 6.5, but it may not meet your exact use case http://apps.splunk.com/app/1752/. It sounds like you are looking for the Configuration Logging feature build into XenApp for the farm changes. ... View more

Do you get anything with the following search? sourcetype=Cisco:ISE:Syslog *auth* ... View more

Looks like my answer worked for pmovrich. Did you try the steps outlined? ... View more

You may need to force the sourcetype of your ASA logs. Here's how: Navigate to the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa directory. Create a new directory named local. Navigate into the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/default directory. Copy the props.conf configuration file and place it into the previously created $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory. Navigate into the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory. Open the props.conf configuration file. Remove the # (commented out markers) at the beginning of the below text in the props.conf file. #[source::udp:514] #TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm Save the props.conf configuration file. Restart the Splunk Service/Daemon. ... View more

Do you get results using the following search? eventtype=cisco-wsa* Also, did you copy the SA-cisco-wsa folder to $SPLUNK_HOME/etc/apps ? ... View more

Here is an example that is close to what you want. Look it over and let me know if you have questions. http://blogs.splunk.com/2014/01/29/add-a-tooltip-to-simple-xml-tables-with-bootstrap-and-a-custom-cell-renderer/ ... View more

What version of Splunk are you using? In Splunk 6, you can use a custom cell renderer, in Splunk 5, you need to do some more work with application.js and jQuery. ... View more

This error means that the setup handler could not create the stanza in inputs.conf via the REST API. You can take a look at splunkd.log for more information on why if failed. As a workaround, you can manually create the stanza in inputs.conf to pull your IPS logs. ... View more

A possible solution would be to use a scheduled saved search that ran every 30 minutes and saved the count to a summary index. Check out the collect command http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect Then, you can create a report or visualization based on the data in your summary index. ... View more