Cisco Security Suite App and Cisco ASA configuration in a distributed deployment

huck82
Engager

I'm currently installing the Cisco Security Suite App in a distributed deployment of Splunk. I installed the Cisco Security Suite app on my search head along with the required Splunk Add-on for Cisco ASA mentioned here >> http://docs.splunk.com/Documentation/AddOns/released/CiscoASA/Distributeddeployment#Install_on_the_S...

I also installed the Splunk Add-On for Cisco ASA on my indexer and created a custom index for the incoming data. I'm indexing Cisco data fine and can search it from the search head and the indexer. The only issue I'm having is that the dashboards in the Cisco Security Suite app work on the indexer, but not the search head. To get them to work on the search head I had to create an index on the search head and point it to the custom index on the indexer. That works, but I want to make sure that is correct. I want to make sure that I'm not double indexing data or causing double rolling of data between buckets having the index defined on two Splunk instances. According to the above URL it seems that the index has to be defined on the search head as well as the indexer as mentioned here >> "Important: The Add-on does not include an indexes.conf by default. If a new index was added to store the data referenced by this Add-on, Splunk recommends updating the common indexes.conf used on the search head to add a new index name. The index must be added to the search head for type-ahead functionality and to set Role access." Has anyone else run into this?

jconger
Splunk Employee

All of the searches for ASA start out with eventtype=cisco-firewall. By default, the cisco-firewall eventtype is defined as follows:

[cisco-firewall]
search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")

This assumes that the sourcetypes are in an index that is searched by default. So, you have 2 options:

  1. Make your custom index searchable by default.
  2. Modify eventtypes.conf to read as follows:

    [cisco-firewall]
    search = index=your_index (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")
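
The two stanzas above show the fix for one eventtype by hand. The following is an added example, not code from the Cisco Security Suite app or from Splunk, that automates the same check across a whole eventtypes.conf: it parses the file, lists every eventtype whose search has no explicit index term (and therefore depends on the role's "indexes searched by default"), and emits the local/eventtypes.conf override that pins those stanzas to one index. The sample conf text and the index name cisco_asa are constructed for illustration.

```python
"""Audit Splunk eventtypes.conf for searches that rely on the role's default
search indexes, and generate a local/ override that pins them to one index.

Added example; not code from the Cisco Security Suite app or Splunk.
Assumes standard Splunk .conf syntax: [stanza] headers, `key = value`,
`#` comments, and a trailing backslash to continue a line.
"""
import re

# Constructed sample: the default cisco-firewall stanza from the thread, a
# stanza that is already pinned, and one that uses a line continuation.
SAMPLE_EVENTTYPES_CONF = r"""
# default/eventtypes.conf (constructed sample)
[cisco-firewall]
search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")
tags = network firewall

[cisco-firewall-pinned]
search = index=netsec sourcetype="cisco:asa"

[cisco-firewall-denied]
search = sourcetype="cisco:asa" \
    (action="blocked" OR action="dropped")
"""

# An explicit index term: index=foo, index::foo, or index IN (a, b).
# \b keeps source_index= and myindex= from matching.
INDEX_TERM = re.compile(r"\bindex\s*(?:=|::|\s+IN\s*\()", re.IGNORECASE)


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Blank lines and # comments are skipped; a line ending in a backslash is
    joined with the next one, collapsing the break to a single space.
    """
    stanzas = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # key/value outside any stanza, or a malformed line
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def unpinned_eventtypes(stanzas):
    """Names of eventtypes whose search has no explicit index term.

    On a search head whose role does not search the custom index by default,
    these are exactly the eventtypes that return nothing (the symptom in
    the thread: dashboards work on the indexer but not the search head).
    """
    return sorted(name for name, kv in stanzas.items()
                  if "search" in kv and not INDEX_TERM.search(kv["search"]))


def _wrapped_in_parens(search):
    """True when the whole search is one parenthesised group, e.g. "(a OR b)".
    Parentheses inside quoted strings are not special-cased."""
    if not (search.startswith("(") and search.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(search):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and i < len(search) - 1:
            return False  # outer group closed early: "(a) OR (b)"
    return depth == 0


def pin_to_index(stanzas, index_name):
    """Build local/eventtypes.conf text that prepends index=<index_name> to
    every unpinned search (the second option in the thread). The original
    search is kept inside parentheses so OR terms stay grouped."""
    lines = []
    for name in unpinned_eventtypes(stanzas):
        body = stanzas[name]["search"]
        if not _wrapped_in_parens(body):
            body = f"({body})"
        lines += [f"[{name}]", f"search = index={index_name} {body}", ""]
    return "\n".join(lines).rstrip("\n")


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_EVENTTYPES_CONF)
    print("eventtypes relying on default search indexes:",
          unpinned_eventtypes(conf))
    print("\n# local/eventtypes.conf override for index cisco_asa:")
    print(pin_to_index(conf, "cisco_asa"))
```

Run it against the app's default/eventtypes.conf (read the file into `parse_conf` instead of the constructed sample) and write the output to the app's local/ directory on the search head; local/ overrides default/ and survives app upgrades. The already-pinned stanza is left alone, so the override only touches eventtypes that would otherwise depend on the role's default indexes.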

pil321
Communicator

Thanks jconger. I was having the same issue and this worked like a charm!

0 Karma

bworrellZP
Communicator

How does this work if your indexer and search head are two different devices?

0 Karma

jcoates_splunk
Splunk Employee

Hi, I believe that app mainly uses sourcetypes, so I would think that indexes searched by default is probably the setting that needs attention.

0 Karma