Hi all,
I have several network devices sending syslog events to Splunk, into an index called "network". Some of the devices are ASA firewalls.
I have installed the Cisco Security Suite and the add-on for ASA (Splunk_TA_cisco-asa).
I cannot find where (and how) I should tell the add-on to search my "network" index.
I've created a file called inputs.conf under /opt/splunk/etc/apps/Splunk_TA_cisco-asa/local with the text index = network, restarted Splunk, but nothing is shown in the application.
If I search index = network, I can see all my events, including the ASA ones.
Any tip/clue?
Thanks!!!
Hello,
I've installed the app and found from the dashboard that some reports use the eventtype "cisco-security-events", as in the following search query (I got it by clicking the inspect icon under a report on the dashboard):
search eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" | top src_ip
So you need to assign an eventtype to all the logs in the network index. The application has already created many eventtypes, listed at the following URL in the web interface:
http://x.x.x.x:8000/en-US/manager/Splunk_CiscoSecuritySuite/saved/eventtypes
I located the files under /opt/splunk/etc/ that contain the eventtypes and found 2 files, as follows:
[root@node1]# cat /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/eventtypes.conf
[cisco-security-events]
search = sourcetype="cisco:*"
[root@node1]# cat /opt/splunk/etc/apps/Splunk_TA_cisco-asa/default/eventtypes.conf
[cisco_authentication]
search = sourcetype="cisco:*" action="success" OR action="failure"
#tags = authentication
[cisco_connection]
search = sourcetype="cisco:*" (action="allowed" OR action="blocked" OR action="unknown" OR action="teardown")
#tags = network communicate
[cisco_intrusion]
search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix") message_id="4000*"
#tags = attack ids
[cisco_malware]
search = sourcetype="cisco:asa" vendor_category="malware"
#tags = malware operations
[cisco_vpn]
search = sourcetype="cisco:*" (vendor_class="vpn" OR vendor_definition="*vpn*")
#tags = network vpn
[cisco_vpn_start]
search = sourcetype="cisco:*" (message_id=716001 OR message_id=722022 OR message_id=713119 OR message_id=713049)
#tags = start session
[cisco_vpn_end]
search = sourcetype="cisco:*" (message_id=716002 OR message_id=722023 OR message_id=113019)
#tags = end session
[cisco_asa_configuration_change]
search = sourcetype="cisco:asa*" (message_id=111010 OR change_class=*)
#tags = change
So you should edit the above 2 files with the sourcetype of the logs in your network index. Assuming that your sourcetype is "syslog", edit the files so that
search = sourcetype="cisco:*"
is changed to
search = sourcetype="syslog"
Then restart the search head.
Regards,
Ahmed
If I take a look at the events, the sourcetype says "cisco:asa".
I think the issue is with the index, not the sourcetype.
Where should I specify the index for the search? At the eventtype file? (I'm feeding an index called "network")
Strange... I can't find any reference to an index in the app. Anyway, we can use this workaround: under each eventtype, replace
search = sourcetype="cisco:asa*"
with
search = index=network
then restart Splunk.
I think this should work.
Regards,
Ahmed
I did something like that: I just inserted "index=network" after search, so my eventtype is now:
search = index=network sourcetype="cisco:asa*"
And it's working now.
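The fix the original poster landed on above works because an eventtype search with no index term only covers the indexes a role searches by default, so an explicit index= term (or adding "network" to the role's default search indexes) is what brings the ASA events into scope. Editing default/eventtypes.conf, as suggested in the thread, is undone by the next app upgrade; the durable place for the change is a local/eventtypes.conf in the same app, which Splunk layers on top of default/ stanza by stanza and key by key. The script below is an added example, not part of the thread or of the Splunk add-on: it reads an eventtypes.conf, and emits a local override that re-declares only the search key of each stanza with index=network prepended, skipping stanzas that already carry an index term. The DEFAULT_EVENTTYPES sample is a constructed, abridged copy of the default file quoted above; the function names are this example's own.

```python
"""Generate a local/eventtypes.conf override that scopes every eventtype
search of an app to one index.

Added example, not from the original thread or from Splunk_TA_cisco-asa.
Assumptions: Splunk's default/local precedence (a key set in <app>/local/
overrides the same key in the same stanza of <app>/default/ and survives an
app upgrade), and plain `[stanza]` / `key = value` conf syntax.
"""
import re

# Constructed sample: an abridged copy of the default file quoted in the thread.
DEFAULT_EVENTTYPES = """\
[cisco_authentication]
search = sourcetype="cisco:*" (action="success" OR action="failure")
#tags = authentication

[cisco_intrusion]
search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix") message_id="4000*"
#tags = attack ids

[already_scoped]
search = index=network sourcetype="cisco:asa" vendor_category="malware"
"""

STANZA_RE = re.compile(r"^\[([^\]]+)\]\s*$")
SEARCH_RE = re.compile(r"^search\s*=\s*(.*)$")
# An `index=` term not glued to a preceding identifier character (so `myindex=` does not match).
INDEX_TERM_RE = re.compile(r"(?<![\w:])index\s*=", re.IGNORECASE)


def parse_eventtypes(conf_text):
    """Return {stanza_name: search_string} for every stanza that has a search key.

    Blank lines and `#` comments are skipped; keys other than `search` are
    ignored because only `search` needs to change in the override.
    """
    stanzas = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SEARCH_RE.match(line)
        if m and current is not None:
            stanzas[current] = m.group(1).strip()
    return stanzas


def scope_search(search, index):
    """Prepend an index term unless the search already constrains the index."""
    if INDEX_TERM_RE.search(search):
        return search
    return f"index={index} {search}"


def build_local_override(conf_text, index):
    """Render the text of a local/eventtypes.conf overriding only `search`.

    Each stanza is re-declared by name so it layers onto the default stanza;
    the #tags lines and any other keys keep coming from default/.
    """
    out = []
    for name, search in parse_eventtypes(conf_text).items():
        out.append(f"[{name}]")
        out.append(f"search = {scope_search(search, index)}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # Write the output to /opt/splunk/etc/apps/Splunk_TA_cisco-asa/local/eventtypes.conf
    # (the Cisco Security Suite app has its own eventtypes.conf to treat the same way),
    # then restart Splunk or reload the eventtypes endpoint.
    print(build_local_override(DEFAULT_EVENTTYPES, "network"))
```

Run it against the real default/eventtypes.conf of each app (Splunk_TA_cisco-asa and Splunk_CiscoSecuritySuite both carry one, as shown above) and check the result with the eventtype manager URL from the thread before restarting; a stanza that already names an index is left alone so a second run does not double the term.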
Great news!
Could you please accept the answer?
Regards,
Ahmed