Disabling it does not remove menus from 'Splunk for Cisco Security'
The splunk remove app command says app does not exist.
[root@hostname apps]# ll
total 92
drwx--x--x 8 root root 4096 Jul 15 17:14 amMap
drwx------ 2 root root 4096 Aug 6 14:36 default
drwxr-xr-x 2 root root 4096 Aug 6 16:15 ******
drwxr-xr-x 6 splunk splunk 4096 Jul 11 13:51 gettingstarted
drwxr-xr-x 7 splunk splunk 4096 Jul 15 17:53 launcher
drwxr-xr-x 5 splunk splunk 4096 Jul 11 13:53 learned
drwxr-xr-x 3 splunk splunk 4096 Jul 11 13:51 legacy
drwx--x--x 8 root root 4096 Aug 8 14:52 maps
drwx------ 5 root root 4096 Jul 15 17:14 MAXMIND
drwxr-xr-x 6 splunk splunk 4096 Jul 11 13:51 sample_app
drwxr-xr-x 8 splunk splunk 4096 Jul 11 13:51 search
drwx--x--x 9 root root 4096 Aug 6 14:37 sideview_utils
drwx--x--x 8 root root 4096 Jul 16 15:30 Splunk_CiscoFirewalls
drwx------ 9 root root 4096 Jul 15 17:12 Splunk_CiscoIPS
drwx--x--x 7 root root 4096 Aug 14 17:42 Splunk_CiscoSecuritySuite
drwxr-xr-x 4 splunk splunk 4096 Jul 11 13:51 splunk_datapreview
drwx------ 7 root root 4096 Jul 15 18:04 splunk_deployment_monitor
drwx--x--x 6 root root 4096 Jul 15 17:12 Splunk_for_CiscoASA
drwxr-xr-x 4 splunk splunk 4096 Jul 11 13:51 SplunkForwarder
drwxr-xr-x 4 splunk splunk 4096 Jul 11 13:51 SplunkLightForwarder
drwx--x--x 6 root root 4096 Aug 8 14:51 TA-cisco_ios
drwxr-xr-x 4 splunk splunk 4096 Jul 11 13:51 user-prefs
drwx------ 9 root root 4096 Jul 15 18:04 windows
[root@ams-coms-btnm-04 apps]# splunk remove app /opt/splunk/etc/apps/Splunk_CiscoFirewalls
Application does not exist: /opt/splunk/etc/apps/Splunk_CiscoFirewalls
[root@hostname apps]# ll Splunk_CiscoFirewalls
total 72
drwx--x--x 3 root root 4096 Jul 15 17:13 appserver
drwx--x--x 2 root root 4096 Jul 16 15:30 default
drwx--x--x 2 root root 4096 Jul 15 17:13 default.old.20130716-153026
-r-------- 1 root root 19031 Jul 16 15:30 license-eula.rtf
-r-------- 1 root root 18526 Jul 16 15:30 license-eula.txt
drwx--x--x 2 root root 4096 Aug 8 14:46 local
drwx--x--x 2 root root 4096 Jul 15 17:13 lookups
drwx--x--x 2 root root 4096 Aug 8 14:46 metadata
-r-------- 1 root root 5890 Jul 16 15:30 README.txt
[root@hostname]#
Hi Matthew,
How did you get on here?
Like @linu1988 said, the Splunk_CiscoFirewalls app is essentially a Technology Adapter (TA) that parses inbound syslog data from Cisco firewalls. In doing so it overrides the sourcetype of the data and performs field extractions that allow the Cisco Security Suite app to populate its dashboards.
By disabling/deleting the Splunk_CiscoFirewalls app, you should no longer see the saved searches, field extractions, etc.
Cheers 🙂
RT
My apologies for the comment before, actually cisco firewall is an add-on more than an app.
The Cisco_firewall is a saved search shared across which I found out now after I installed it. If you don't want the reports/views you can go to the CiscoSecuritySuite app and remove the views from the NAV files. Let me know if you have any trouble, will happily help you out.
Hi thanks
I removed the app as suggested
rm -rf Splunk_CiscoFirewalls
splunk restart
I still have the firewall reports in the Splunk for security app
I still get the error " Error in 'SearchParser': Could not find macro 'cisco_firewall' that takes 0 arguments. Expecting stanza name 'cisco_firewall'. " and when I search for the missing macro... I can see lots of reference to it, but no actual macro
grep -r cisco_firewall ./*
./etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf:search = cisco_firewall
I'm not sure if this macro was part of the app I deleted or not? Any ideas?
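A quick way to answer that question on any instance: Splunk saved searches invoke macros as `name` (backticks) or `name(args)`, and each macro must be defined by a [name] or [name(N)] stanza in some app's macros.conf. When a TA that shipped macros.conf is deleted but another app's savedsearches.conf still references the macro, the reference dangles and SearchParser raises exactly the "Could not find macro" error quoted above. The script below is an added example, not code from this thread or from Splunk; it walks an apps directory, collects every referenced macro and every defined macro, and prints the referenced names that nothing defines. The sample app layout it builds under mktemp is constructed for illustration (the app and macro names in it are placeholders, not Splunk's own files).

```shell
#!/bin/sh
# Added example (not from the thread): list macros referenced by any
# savedsearches.conf under an apps directory that no macros.conf defines.
# Run as:  sh this_script.sh /opt/splunk/etc/apps

# Print one dangling macro name per line. Arity ([name(1)] vs [name]) is
# not checked; only the stanza's base name is compared.
find_missing_macros() {
  apps_dir="$1"
  # macro invocations inside search strings: `name` or `name(args)`
  refs=$(find "$apps_dir" -name savedsearches.conf \
           -exec grep -ho '`[A-Za-z0-9_][A-Za-z0-9_]*' {} + 2>/dev/null \
         | tr -d '`' | sort -u)
  # macro definitions: [name] or [name(N)] stanzas in macros.conf
  defs=$(find "$apps_dir" -name macros.conf \
           -exec grep -ho '^\[[A-Za-z0-9_][A-Za-z0-9_]*' {} + 2>/dev/null \
         | tr -d '[' | sort -u)
  printf '%s\n' "$refs" | while read -r name; do
    [ -z "$name" ] && continue
    # -x: whole-line match, so `cisco` does not satisfy `cisco_firewall`
    if ! printf '%s\n' "$defs" | grep -qx "$name"; then
      echo "$name"
    fi
  done
}

# Constructed sample apps directory (placeholder names, not real Splunk
# content): one app references two macros, only one of which is defined.
make_sample_apps() {
  dir=$(mktemp -d)
  mkdir -p "$dir/Splunk_CiscoSecuritySuite/default" "$dir/TA-sample/default"
  cat > "$dir/Splunk_CiscoSecuritySuite/default/savedsearches.conf" <<'EOF'
[Top Firewall Denies]
search = `cisco_firewall` action=blocked | top src_ip

[Sample Report]
search = `sample_base(1)` | stats count
EOF
  cat > "$dir/TA-sample/default/macros.conf" <<'EOF'
[sample_base(1)]
args = index
definition = index=$index$
EOF
  echo "$dir"
}

# When given a directory argument, check it; otherwise do nothing so the
# functions can be sourced from another script.
if [ -n "$1" ]; then
  find_missing_macros "$1"
fi
```

Each name the script prints is a macro that some saved search still calls but no installed app defines; that is the list of saved searches to remove from the referencing app, or of macros to define in that app's local/macros.conf, after a TA has been deleted.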
Answer to question 1, I am sure the conf files of the app always stay with that app unless you move it. Even if they are integrated with other app it's no problem as you may not find the views/data to work with.
Second question am not sure why it didn't work.
ok, a blunt approach, but usually reliable. Two more questions...
1) With the Cisco ASA app, there are no transform, props or inputs defined in the app directory. Does this suggest they are integrated with the main conf files? If so how can you remove that app... not with the rm -rf command...
2) why does the 'splunk remove app /opt/splunk/etc/apps/Splunk_CiscoFirewalls' not work
many thanks
Mathew
delete the app from the folder and restart the instance.