I've installed the Cisco Firewalls app. My colleague has pointed the firewall to the Splunk server:port. There is no option to start the app and there appears to be no logging taking place. How do I get this working?
Doh, Windows Firewall was the solution for us on why this wasn't working. I even installed MS Net Mon and was seeing traffic on the interface.
Here are some troubleshooting tips:
-- Windows Firewall
Make sure that if you installed Splunk on a Windows box that the Windows firewall is not blocking UDP 514.
-- Firewall
Make sure that when you set up syslog that the destination IP address for the syslog traffic is the Splunk server.
-- Restart Splunk
Make sure that you restart the Splunk processes/services when you install the Cisco Security Suite.
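A way to check the first two tips independently of Splunk, as an added example that is not part of the original answer: a small UDP listener that reports whether a Cisco ASA syslog datagram reaches the host and which severity it carries. If a packet capture shows traffic on the interface but this listener times out, the host firewall is dropping it. Assumptions: Splunk is stopped while this runs so the port is free, the firewall is an ASA sending `%ASA-` messages, and the sample datagram is constructed.

```python
import re
import socket

# Cisco ASA syslog body: %ASA-<severity>-<message id>: <text>
ASA_RE = re.compile(r"%ASA-(\d)-(\d{6}): (.*)")

# Constructed sample datagram (documentation addresses, not captured traffic).
# PRI 164 = facility local4 (20) * 8 + severity 4 (warnings).
SAMPLE = (b'<164>%ASA-4-106023: Deny tcp src outside:192.0.2.10/4321 '
          b'dst inside:198.51.100.5/22 by access-group "outside_in"')

def parse_asa(datagram):
    """Return (severity, message_id, text), or None if this is not an ASA line."""
    line = datagram.decode("utf-8", errors="replace").strip()
    m = ASA_RE.search(line)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None

def open_listener(host="0.0.0.0", port=514):
    """Bind a UDP socket; port 0 asks the OS for a free ephemeral port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock

def listen_once(sock, timeout=5.0):
    """Wait for one datagram; return (sender_ip, parsed) or None on timeout."""
    sock.settimeout(timeout)
    try:
        data, (ip, _port) = sock.recvfrom(4096)
    except socket.timeout:
        return None
    return ip, parse_asa(data)

def loopback_selftest():
    """Send SAMPLE to an ephemeral local port to prove the listener and parser work."""
    with open_listener("127.0.0.1", 0) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(SAMPLE, rx.getsockname())
        return listen_once(rx, timeout=2.0)

if __name__ == "__main__":
    # Assumption: Splunk is stopped (or has no UDP 514 input) so the bind succeeds.
    with open_listener() as sock:
        print("waiting 30 s for syslog on UDP 514 ...")
        hit = listen_once(sock, timeout=30.0)
    if hit is None:
        print("nothing arrived: check host firewall and the syslog destination IP")
    else:
        print("datagram from %s, parsed ASA fields: %r" % hit)
```

Binding to port 514 usually needs an elevated prompt; restart Splunk once the check is done.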
Installed the Cisco Security Suite, and it appears to be working. But I don't see my firewall anywhere. It could be that it simply is not generating traffic. (Set to logging level "Warnings") But shouldn't I at least be able to see my firewall listed somewhere?
Make sure that you install the Cisco Security Suite first.
http://splunk-base.splunk.com/apps/22300/cisco-security-suite
If you have already created the data input then just save the configuration page with the defaults.
Now you will need to restart Splunk from either the Manager or from the command line.
The Cisco for Firewall app needs the default dashboards that are shipped with the Cisco Security Suite.
Yes. (message padding)
Do you have a data input set up for syslog (UDP 514)?