Cisco Security Suite/Splunk for Cisco Firewalls

Mythric
New Member

I'm having some trouble with the Cisco Security Suite and the associated firewall add-ons for Splunk.

Cisco Security Suite
First of all, how does the dashboard define a 'security event' (e.g. Cisco Security Events by Top 10 Destination IP)? In the overview panel the heatmap and pie charts work, however the "Cisco Security Events" pane does not display anything.

Splunk for Cisco Firewalls
I have it set so the source type for the firewall logs is 'cisco_fwsm', however none of the panels in the firewall overview page show any results, instead returning a no results found message.

Any help resolving this would be appreciated.

0 Karma

sdaniels
Splunk Employee

First thing I would check is to make sure you only have the Cisco Security Suite and Splunk for Cisco Firewalls installed. If you have tried other apps like the TA for Cisco ASA, Cisco ASA and FWSM Field Extractions etc., I would suggest deleting them from the apps directory. They can cause issues with field extractions and searches.

1) Sourcetype should be automatically forced to “cisco_asa”; if not, see step 3 for a possible resolution.

a. To verify, just run the search below and check that cisco_asa is correctly set as the sourcetype:
i. %ASA | dedup sourcetype | table sourcetype
b. Sometimes you might have to change the sourcetype for the UDP data to “syslog” for the Cisco Security App to recognize it.

2) Go through the setup page per App and save them. Restart Splunk.

3) If the additional sourcetype (cisco_asa) is not being created then the force transform REGEX is not working correctly. Here are the steps to fix this:
a. Edit the transforms.conf file in the Splunk_CiscoFirewalls App. ($SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/default/transforms.conf)

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
##REGEX = %ASA-\d+-\d+
REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa

The default REGEX is incorrect (i.e. it has -- instead of -). Just comment out the incorrect REGEX and uncomment the correct REGEX:

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d+-\d+
#REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa
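
An added example (not code from the answer above or from the Splunk_CiscoFirewalls app) that shows why the single-dash fix matters: it applies both REGEX values from the stanza to a few constructed syslog lines and reproduces what a `dedup sourcetype | table sourcetype` check would show before and after the edit. The log lines are constructed for this example, and the line from an FWSM is included only to show that this transform matches `%ASA-` message IDs and leaves other platforms on the fallback sourcetype.

```python
import re

# Constructed sample events, in the shape an ASA/FWSM syslog feed has (not from the page).
SAMPLE_LINES = [
    "Apr 12 10:15:01 fw01 %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51234 (10.0.0.7/51234)",
    "Apr 12 10:15:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 "
    "dst inside:10.0.0.7/22 by access-group \"outside_in\"",
    "Apr 12 10:15:03 fw02 %FWSM-6-302014: Teardown TCP connection 9876 "
    "for outside:203.0.113.5/443 to inside:10.0.0.8/40000 duration 0:00:12 bytes 4321",
    "Apr 12 10:15:04 host1 sshd[1234]: Accepted publickey for admin from 10.0.0.20 port 50000 ssh2",
]

# The two REGEX values from the force_sourcetype_for_cisco_asa stanza in the answer.
DEFAULT_REGEX = re.compile(r"%ASA--\d+-\d+")  # shipped default: double dash, matches nothing real
FIXED_REGEX = re.compile(r"%ASA-\d+-\d+")     # corrected: single dash

# Platform, severity digit and six-digit message ID of a Cisco firewall syslog event.
MSG_ID = re.compile(r"%(ASA|FWSM|PIX)-(\d)-(\d{6})")


def force_sourcetype(line, regex, fallback="syslog"):
    """Mimic the transform: if REGEX matches anywhere in the raw event the
    sourcetype becomes cisco_asa, otherwise the input's sourcetype stays."""
    return "cisco_asa" if regex.search(line) else fallback


def sourcetype_counts(lines, regex, fallback="syslog"):
    """Equivalent of `| dedup sourcetype | table sourcetype`, plus event counts."""
    counts = {}
    for line in lines:
        st = force_sourcetype(line, regex, fallback)
        counts[st] = counts.get(st, 0) + 1
    return counts


def parse_message_id(line):
    """Return (platform, severity, message_id) or None for non-Cisco events.
    Useful for confirming the feed carries the IDs the dashboards key on."""
    m = MSG_ID.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


if __name__ == "__main__":
    print("default regex:", sourcetype_counts(SAMPLE_LINES, DEFAULT_REGEX))
    print("fixed regex:  ", sourcetype_counts(SAMPLE_LINES, FIXED_REGEX))
    for line in SAMPLE_LINES:
        print(parse_message_id(line))
```

With the shipped double-dash pattern every event stays on the fallback sourcetype, which is exactly the "no results found" symptom: the app's panels search `sourcetype=cisco_asa` and find nothing. After the fix the two ASA events are retagged; the FWSM event is not, so a feed whose events carry `%FWSM-` rather than `%ASA-` needs its own sourcetype handling rather than this stanza.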

jfrench539
Engager

Editing the transforms.conf file worked for me, so thank you! I knew I had data coming in from the ASA, but had no idea why I couldn't get anything to show up in the Security Suite. This helped, as I now have some data coming in and I can work from here, so thanks!

0 Karma