
Cisco Security Suite not working - showing blank dashboards

rb51
Explorer

hi all,

Splunk version: 6.1.4 (build 233537)

Cisco Security Suite app version: 3.0.3 (build 100784)

Splunk Add-on for Cisco ASA version: 3.1.0

New to Splunk and struggling to get the Cisco Security Suite to log/show events for our ASA kit. Basically I inherited a "test/live" system without documentation and with a VM not working for quite some time.

Recently the Splunk system has been migrated from a VM (Win 2008 R2) to a physical Win 2008 R2 machine, and the IP address has been kept the same.

If I go to DATA SUMMARY, I can see data logged up until when I believe the VM was filled up and stopped working.

I have seen a couple of threads where it seems the problem was resolved by editing the props.conf file.

I would appreciate if someone could provide some assistance on where to start troubleshooting this issue.

These are the first 15 lines of the props.conf file at $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local (note that none of the entries in the file are commented out):

# sourcetype identification

[source::tcp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

########## ASA
1 Solution

jconger
Splunk Employee

Is the data from your ASA getting indexed? Try this search to find out:

index=* sourcetype=cisco*

Also, make sure you copied the Cisco ASA supporting add-on (ASA dashboards for the Cisco Security Suite) from:

$SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/appserver/addons/SA-cisco-asa

to:

$SPLUNK_HOME/etc/apps/SA-cisco-asa

You can check your _internal index as well for any issues. Use this search to check _internal:

index=_internal


rb51
Explorer

Well, as I had mentioned, I am totally new to Splunk.

I think either (a) UDP Data Input was not configured on the original VM hosting Splunk or (b) during migration the setting has not migrated.

I have created a new listener and it is now pulling data from the ASA.

By the way, I left it pulling data into the main index. Is this okay, or should I create a new dedicated index for the ASA?

Once again thank you for your assistance throughout.



rb51
Explorer

hi and thank you for taking your time to reply

index=* sourcetype=cisco*

produces results up until June 14, when I believe the VM was still working. Then nothing else.

SA-cisco-asa directory

I have not seen any documentation advising copying to/from (where did you get the info from??)

index=_internal

produces loads of results with today's timestamp, etc

Really struggling to understand the ins and outs of Splunk, to be fairly honest.

jconger
Splunk Employee

Are you sending your ASA data directly to Splunk or to another system first?

Look at the host field in your _internal index. Does your ASA (or other system receiving ASA syslog if you are using that method) show up there?

The part about copying the SA-cisco-asa directory is documented here -> https://apps.splunk.com/app/525/#/documentation


rb51
Explorer

Thank you for being so helpful

We are sending ASA data direct to Splunk;
Sorry for the noob question but cannot find the "host field" on _internal index;
My mistake, I had already copied the SA-cisco-asa dir when installing the app.

Still no signs of data coming through....


jconger
Splunk Employee

When you perform the "index=_internal" search, you will see a list of interesting fields on the left hand side of the screen. One of those will be "host". You can click on that field to see the values. Alternatively, you can run the following search:

index=_internal | stats count by host

I would run these searches over the past 24 hours.

If you do not see any data coming from your ASA, then the cause is most likely one of the following:

  1. Splunk is not set up to receive data.
  2. Misconfiguration on the ASA.
  3. A firewall blocking rule somewhere.

To check if Splunk is set up to receive data, click "settings" in the top right menu bar in Splunk. Then, select "Data inputs". Next, click either "TCP" or "UDP" depending on how your ASA is set up to deliver the data over the network. If nothing shows up, then Splunk is not listening. You can create a new listener by clicking the "New" button.

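The following Python script is an added example; it is not code from the thread, from the Cisco Security Suite or from the Splunk Add-on for Cisco ASA. It puts the two technical points of the thread together in something that can be run on a workstation: the three chained TRANSFORMS-force_sourcetype_for_cisco rules from the poster's props.conf, and jconger's "is Splunk actually listening, and does the host show up" check. It stands up a loopback UDP socket in place of the Splunk UDP data input, sends constructed ASA/PIX/FWSM-style syslog events to it, and reports which sourcetype each arriving event would be forced to and a count by sending host (Splunk's default host value for a UDP input is the sender's IP). The regex shape of the three rules is an assumption about the add-on's transforms.conf stanzas, the sample events are constructed, and the port is ephemeral rather than 514 so the script needs no privileges.

```python
import re
import socket
from collections import Counter

# Emulation of the three rules that TRANSFORMS-force_sourcetype_for_cisco
# chains for [source::udp:514], [source::tcp:514] and [syslog]. ASSUMPTION:
# the real transforms.conf stanzas in Splunk_TA_cisco-asa key on the
# "%ASA-", "%PIX-" and "%FWSM-" message IDs with this general shape; the
# exact REGEX/FORMAT text in a given add-on release may differ.
FORCE_SOURCETYPE_RULES = [
    (re.compile(r"%ASA-\d-\d+"), "cisco:asa"),
    (re.compile(r"%PIX-\d-\d+"), "cisco:pix"),
    (re.compile(r"%FWSM-\d-\d+"), "cisco:fwsm"),
]

# Constructed sample events (not captured from the poster's ASA): RFC 3164
# "<PRI>" header followed by a Cisco message ID, plus one non-Cisco line.
SAMPLE_EVENTS = [
    "<166>%ASA-6-302013: Built outbound TCP connection 4711 for "
    "outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51234 (198.51.100.2/51234)",
    '<163>%ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.0.0.7/22 '
    'by access-group "outside_in"',
    "<166>%PIX-6-302013: Built outbound TCP connection 4712 for outside:203.0.113.5/80 "
    "(203.0.113.5/80) to inside:10.0.0.8/40001 (198.51.100.2/40001)",
    "<166>%FWSM-6-302013: Built outbound TCP connection 4713 for outside:203.0.113.5/80 "
    "(203.0.113.5/80) to inside:10.0.0.9/40002 (198.51.100.2/40002)",
    "<13>Sep 30 12:00:00 fileserver01 sshd[1234]: Accepted publickey for admin from 10.0.0.5",
]


def force_sourcetype(raw, default="syslog"):
    """Return the sourcetype the chained rules would assign to one raw event.
    Rules are tried in the order props.conf lists them; the first match wins,
    and an event matching none keeps the input's default sourcetype."""
    for regex, sourcetype in FORCE_SOURCETYPE_RULES:
        if regex.search(raw):
            return sourcetype
    return default


def open_udp_input(bind_addr="127.0.0.1", port=0):
    """Stand-in for a Splunk UDP data input. Port 0 lets the OS pick a free
    port so the check runs unprivileged; the real input would sit on 514."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(2.0)
    return sock


def send_syslog(host, port, message):
    """Send one syslog datagram the way an ASA does: one event per packet."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))


def receive_events(sock, expected):
    """Receive `expected` datagrams and return (sender_ip, raw, sourcetype)
    tuples. Raises socket.timeout if the input never sees the traffic, which
    is the symptom to chase with the three causes listed in the thread."""
    events = []
    for _ in range(expected):
        data, (sender_ip, _port) = sock.recvfrom(65535)
        raw = data.decode("utf-8", errors="replace")
        events.append((sender_ip, raw, force_sourcetype(raw)))
    return events


def count_by_host(events):
    """Equivalent of `| stats count by host` for a network input, where
    Splunk's default host value for UDP is the sender's IP address."""
    return Counter(sender_ip for sender_ip, _raw, _st in events)


def loopback_check(messages=SAMPLE_EVENTS):
    """Open an input, send the sample events to it, and classify what
    arrived. A full list back means listener, path and rules all work."""
    sock = open_udp_input()
    try:
        host, port = sock.getsockname()
        for message in messages:
            send_syslog(host, port, message)
        return receive_events(sock, len(messages))
    finally:
        sock.close()


if __name__ == "__main__":
    received = loopback_check()
    for sender_ip, raw, sourcetype in received:
        print(f"host={sender_ip} sourcetype={sourcetype} {raw[:60]}")
    print(dict(count_by_host(received)))
```

To use it against a real Splunk host instead of the loopback socket, call send_syslog with the Splunk server's IP and 514 from a machine on the same network path as the ASA, then run jconger's `index=_internal | stats count by host` (or `index=* sourcetype=cisco*`) over the last few minutes: if the constructed event shows up but nothing from the ASA does, the listener and any intermediate firewall are fine and the problem is on the ASA side; if neither shows up, check Settings > Data inputs > UDP and the firewall rules first.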