All Apps and Add-ons

I've installed the Splunk Add-on for Cisco ESA on my search head, but do I need to install it on my indexers as well?

sassens1
Path Finder

Hello,

I've installed the TA on my search head only (Distributed deployment).
I send ESA textmail and http logs over TCP syslog and my heavy forwarder inputs.conf is configured as this:

[tcp://514]
connection_host = dns
index = securityidx
source = maillog
sourcetype = ironport
queueSize = 10MB

I modified the TA local/props.conf on my search head :

######## TextMail Log Extractions ########
[ironport]  #instead of [source::...xx]
sourcetype = cisco:esa:textmail

I can see logs coming in with the sourcetype "ironport", but it is not overridden.

What am I doing wrong?
Do I need to install the TA on my indexers as well?

Thanks

0 Karma
1 Solution

bwooden
Splunk Employee
Splunk Employee

rpille is right about which Splunk instances the TA should reside.

Yet the props you've defined on the search head is an input phase configuration. Since the search head is not involved in the input, that configuration is ignored. The source type update via props.conf needs to take place on the heavy forwarder and be scoped to a source because parsing phase configurations with a sourcetype setting must be scoped to a source.

[source::tcp:514] 
sourcetype = cisco:esa:textmail

This extra props may be skipped by updating the local inputs.conf on the heavy forwarder (to set source type further upstream)

[tcp://514]
sourcetype = cisco:esa:textmail

View solution in original post

0 Karma

ferozkhanpeermo
New Member

The Splunk Cisco-esa TA needs to be installed in you HWF, all indexers and the SH's. If you have a dedicated SH for Splunk Enterprise Security module, the TA needs to be installed there also.

0 Karma

bwooden
Splunk Employee
Splunk Employee

rpille is right about which Splunk instances the TA should reside.

Yet the props you've defined on the search head is an input phase configuration. Since the search head is not involved in the input, that configuration is ignored. The source type update via props.conf needs to take place on the heavy forwarder and be scoped to a source because parsing phase configurations with a sourcetype setting must be scoped to a source.

[source::tcp:514] 
sourcetype = cisco:esa:textmail

This extra props may be skipped by updating the local inputs.conf on the heavy forwarder (to set source type further upstream)

[tcp://514]
sourcetype = cisco:esa:textmail
0 Karma

sassens1
Path Finder

thank you all for your explanation but it does not work at all.
So far I've installed the TA on my heavy forwarder and my search head with the same local/props.conf configuration:

 [ironport]
 rename = cisco:esa:textmail

and the logs are still coming with the sourcetype=ironport

how can I troubleshoot this? Do I also need to install the TA on my indexer ??

0 Karma

bwooden
Splunk Employee
Splunk Employee

That is a search time configuration. It allows knowledge objects to work for both source types.
To have the source type identified correctly for new data as it is indexed, you will need to set the source type correctly on the first machine that does parsing.

0 Karma

bwooden
Splunk Employee
Splunk Employee

My answer above is for indexing the data with correct source type (cisco:asa:textmail). If you're trying to rename ironport during search time operations (for data already indexed as ironport) you may update your props.conf on the search head with this configuration.

[ironport]
rename = cisco:esa:textmail
0 Karma

rpille_splunk
Splunk Employee
Splunk Employee

You need to install the add-on on your data collection node as well.

This table can be a bit confusing, but the comments column should help make clear that the add-on should be installed where you are collecting data, whatever node of your deployment that might be. http://docs.splunk.com/Documentation/AddOns/released/CiscoESA/Distributeddeployment Only if you do not use a heavy forwarder for data collection do you also need to install this add-on on your indexers, but you should be fine without it there in your case.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...