cisco firewall add on data in index but no data in dashboard

ashabc
Contributor

I have installed Cisco security suite and the Cisco firewall add on

Configured my firewall to send syslog event to splunk

configured Splunk to listen on UDP port 514 and set up incoming data to go to an index called firewall with sourcetype set as cisco_asa via an inputs.conf file defined under the local dir of the firewall app.

[udp://x.x.x.x:514]
disabled = false
sourcetype = cisco_asa
index = firewall

Splunk is definitely collecting firewall logs. If I search index=firewall, I can see all data. It also shows me 4 eventtypes, one being cisco_firewall.

However, if I search eventtype=cisco_firewall or sourcetype=cisco_asa, nothing comes up: 0 results found.

No wonder that dashboard is empty.

Any idea, what I might be doing wrong?

1 Solution

ShaneNewman
Motivator

If you have not given the user account access to search the firewall index by default, and the firewall index is not literally called out in the search string... you will not get any results back. You may also find that the dashboard relies on saved searches and summary indexes which may not have yet populated.


ashabc
Contributor

I have tried to remove sourcetype = cisco_asa from inputs.conf file (as mentioned in the apps wiki pages that we really don't need to define a sourcetype, it automatically detects %ASA and assigns cisco_firewall eventtype) and it does now show up only one eventtype when I search index=firewall, which is cisco_firewall and is correct.

However, a search with eventtype=cisco_firewall still returns 0 results, and hence the empty dashboard in the app.

I have no clue

0 Karma

ashabc
Contributor

yes, it worked!
Thank you.

0 Karma

ShaneNewman
Motivator

Settings > Access Controls > Roles > Admin > Indexes Searched by Default - Add "All non-internal indexes"

Does that help?

0 Karma
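The same fix expressed as configuration, as an added example that is not from this thread or from the Cisco add-on: this is the authorize.conf stanza behind the "Indexes searched by default" UI setting. The role name (admin) and index name (firewall) are taken from the thread; the file location and the extra "main" entry are assumptions.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf  (added example, path assumed)
# Grants the admin role the "firewall" index both as an allowed index and as
# one searched by default, which is what Settings > Access Controls > Roles >
# Admin > Indexes Searched by Default does in the UI.
[role_admin]
# Indexes the role may search at all when the search names them explicitly,
# e.g. index=firewall eventtype=cisco_firewall (this is why that search worked)
srchIndexesAllowed = *
# Indexes searched when the search string names no index at all. Without
# "firewall" here, eventtype=cisco_firewall on its own returns nothing, so an
# app dashboard that never says index=firewall stays empty.
srchIndexesDefault = main;firewall
```

Splunk needs a restart (or an authentication configuration reload) before the change takes effect. To confirm what a role currently gets, run `| rest /services/authorization/roles | table title srchIndexesDefault srchIndexesAllowed` from the search bar; the firewall index must appear in srchIndexesDefault for the role whose dashboards are empty, not only in srchIndexesAllowed.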

ashabc
Contributor

I am trying this as the admin account.
What I have noticed is that if I use index=firewall and eventtype=cisco_firewall it returns the correct output. However, all the dashboards built into the app use eventtype as the search criterion.

0 Karma