Splunk for Cisco Firewalls (http://apps.splunk.com/app/527) is compatible with Splunk for Enterprise Security.
In the past we had to associate the TA with the ES App, so the following may be relevant to this TA. If adding the TA vanilla does not render the events, keep in mind that there is a model by which a certain TSIDX is populated by specific apps, based on the TA model. To ensure this TA works with ES you will have to do the following:
Provide the appropriate eventtype
Associate a tag to the eventtype
Share the TA's content with the Network Protection Domain App.
Here is how to do that:
Provide the appropriate eventtype
Write the following stanza to the file $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/local/eventtypes.conf
[cisco_firewall_communicate]
search = sourcetype="cisco_firewall" action="*"
#tags = communicate
Associate a tag to the eventtype
Write the following stanza to the file $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/local/tags.conf
[eventtype=cisco_firewall_communicate]
communicate = enabled
Share the TA's content with the Network Protection Domain App.
Add Splunk_CiscoFirewalls to the import list of the global [] stanza in $SPLUNK_HOME/etc/apps/SA-NetworkProtection/metadata/local.meta, alongside the other TAs:
[]
access = read : [ * ], write : [ admin ]
export = system
version = 5.0.3
modtime = 1364401044.633878000
import = DA-ESS-AccessProtection, DA-ESS-EndpointProtection, DA-ESS-IdentityManagement, DA-ESS-NetworkProtection, SA-AccessProtection, SA-AuditAndDataProtection, SA-CommonInformationModel, SA-EndpointProtection, SA-Eventgen, SA-IdentityManagement, SA-NetworkProtection, SA-ThreatIntelligence, SA-Utils, sideview_utils, Splunk_TA_nix, Splunk_TA_windows, SplunkEnterpriseSecuritySuite, TA-airdefense, TA-alcatel, TA-bluecoat, TA-cef, TA-checkpoint, TA-fireeye, TA-flowd, TA-fortinet, TA-ftp, TA-ip2location, TA-juniper, TA-mcafee, TA-ncircle, TA-nessus, TA-nmap, TA-oracle, TA-ossec, TA-paloalto, TA-rsa, TA-sav, TA-sep, TA-snort, TA-sophos, TA-splunk, TA-tippingpoint, TA-trendmicro, TA-websense, search, Splunk_CiscoFirewalls
--
After this there is a bit of housekeeping. We need to add a local override for the stanza in SplunkEnterpriseSecuritySuite/default/inputs.conf. That stanza defines a modular input which automatically adds the import to all appropriate apps, but its app_regex does not match Splunk_CiscoFirewalls by default. Simply apply the local override and restart.
Here is the default configuration:
## Update the meta-data
[app_imports_update://update_es]
app_regex = (TA-.*)|(Splunk_TA_.*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)
apps_to_update = SA-AccessProtection,SA-CommonInformationModel,SA-AuditAndDataProtection,SA-EndpointProtection,SA-IdentityManagement,SA-NetworkProtection,SA-ThreatIntelligence,SA-Utils,SA-Eventgen
disabled = 1
Here would be the local override:
## SplunkEnterpriseSecuritySuite/local/inputs.conf
[app_imports_update://update_es]
app_regex = (TA-.*)|(Splunk_TA_.*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)|(Splunk_CiscoFirewalls)
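The three steps above plus the inputs.conf override are easy to get subtly wrong (a tag bound to an eventtype that is not defined, a TA missing from the import list, or an app_regex that still does not match the app name). The following added Python script, which is not part of the original post or of the Splunk apps, checks those conditions offline against constructed copies of the stanzas shown above. It assumes that the app_imports_update regex is applied as a whole-string match against app directory names (an assumption; the page does not describe the matching semantics), and its minimal .conf parser ignores line continuations.

```python
import re

# Constructed samples of the stanzas from the steps above (not real files).
SAMPLE_EVENTTYPES_CONF = """\
[cisco_firewall_communicate]
search = sourcetype="cisco_firewall" action="*"
#tags = communicate
"""

SAMPLE_TAGS_CONF = """\
[eventtype=cisco_firewall_communicate]
communicate = enabled
"""

# Shortened [] stanza in the style of SA-NetworkProtection/metadata/local.meta.
SAMPLE_LOCAL_META = """\
[]
access = read : [ * ], write : [ admin ]
export = system
import = DA-ESS-NetworkProtection, SA-NetworkProtection, TA-snort, Splunk_CiscoFirewalls
"""

# app_regex from the default stanza and from the local override on the page.
DEFAULT_APP_REGEX = (r"(TA-.*)|(Splunk_TA_.*)|(sideview_utils)"
                     r"|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)")
OVERRIDE_APP_REGEX = DEFAULT_APP_REGEX + r"|(Splunk_CiscoFirewalls)"


def parse_conf(text):
    """Minimal Splunk .conf/.meta parser: {stanza: {key: value}}.

    Handles the empty global stanza '[]' and '#' comment lines; it does not
    handle backslash line continuations (assumption: none in these samples).
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def tagged_eventtypes(eventtypes_text, tags_text, tag):
    """Eventtypes that are defined in eventtypes.conf AND carry '<tag> = enabled'
    in tags.conf; a tag stanza pointing at an undefined eventtype is dropped."""
    defined = set(parse_conf(eventtypes_text))
    result = []
    for stanza, kv in parse_conf(tags_text).items():
        if stanza.startswith("eventtype=") and kv.get(tag) == "enabled":
            name = stanza[len("eventtype="):]
            if name in defined:
                result.append(name)
    return result


def imported_apps(meta_text, stanza=""):
    """Apps listed in the 'import' key of the given stanza ('' is the [] stanza)."""
    imp = parse_conf(meta_text).get(stanza, {}).get("import", "")
    return [a.strip() for a in imp.split(",") if a.strip()]


def is_imported(meta_text, app):
    return app in imported_apps(meta_text)


def matched_by_regex(app_regex, app_names):
    """App names the modular input would pick up (whole-string match assumed)."""
    pat = re.compile(app_regex)
    return [a for a in app_names if pat.fullmatch(a)]


def check_es_integration(app="Splunk_CiscoFirewalls", tag="communicate"):
    """Run all three checks and return a dict of results for reporting."""
    candidates = ["TA-snort", "SA-Utils", app]
    return {
        "tagged_eventtypes": tagged_eventtypes(SAMPLE_EVENTTYPES_CONF, SAMPLE_TAGS_CONF, tag),
        "imported_in_local_meta": is_imported(SAMPLE_LOCAL_META, app),
        "matched_by_default_regex": app in matched_by_regex(DEFAULT_APP_REGEX, candidates),
        "matched_by_override_regex": app in matched_by_regex(OVERRIDE_APP_REGEX, candidates),
    }


if __name__ == "__main__":
    for name, value in check_es_integration().items():
        print(f"{name}: {value}")
```

Running it shows that the default app_regex never matches Splunk_CiscoFirewalls (which is why the import list alone is not enough to survive the modular input's updates), while the override regex does; the eventtype/tag check confirms the tags.conf stanza refers to an eventtype that actually exists.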