
Unable to see Cisco firewall events in Cisco Security Suite

crbrown68
New Member

I am trialing Splunk 6.4.2 on a single-instance CentOS 7 server and am having some issues with viewing any events in the "firewall event search" view. Investigation has found that I do not have any data with eventtype=cisco-firewall, which is required for these views. I have checked the Cisco ASA add-on and that is populating plenty of data with sourcetype=cisco:asa; however, none of it is being marked as the correct event type. I have checked the Security Suite eventtypes.conf file and that appears to be correct. Is it possible that it is conflicting with another app/add-on?

For data with sourcetype=cisco:asa I have the following event types:
cisco_connection
cisco_vpn
cisco_authentication
cisco_vpn_end
cisco_vpn_start

In addition to Cisco Security Suite I am running:
Cisco AnyConnect NVM
Cisco Networks add-on
Cisco Networks App
Cisco Add-on for ASA
Cisco Add-on for ESA
Cisco Add-on for ISE
Cisco App for ISE

Any assistance would be greatly appreciated.


crbrown68
New Member

Hi Bwooden,
Thanks for the reply and assistance. To answer your questions, I am running the latest versions of all software, so CSS 3.1.2 and ASA add-on 3.2.6.
Since posting the question I have however been able to resolve the issue. It turns out the problem was with the syslog data being sent from the ASA. The ASA was configured to only send logs of severity level "warning" or above (logging trap warning). After changing it to "logging trap debugging" I am now receiving data with eventtype=cisco-firewall and the dashboard views are being populated. I haven't tried it yet, but possibly an ASA severity logging level of "informational" may also populate the data.

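As an added illustration of the root cause described in the reply above (this is not code from the thread, from Splunk or from Cisco): an ASA with "logging trap <level>" only forwards syslog messages whose severity number is at or below that level, so "logging trap warning" (level 4) never sends informational (6) or debugging (7) messages. The severity is visible in each message's %ASA-<sev>-<id> tag. The sample lines below are constructed, and it is an assumption (not confirmed by the thread) that the events the dashboards need include informational-level connection messages such as 302013.

```python
import re

# Cisco ASA syslog severity levels as named by "logging trap <level>".
# "warning" is added because that is how the thread writes it.
ASA_SEVERITIES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "warning": 4, "notifications": 5,
    "informational": 6, "debugging": 7,
}

# Matches the %ASA-<severity>-<six digit message id>: tag at the start of each message.
ASA_TAG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):")


def asa_severity(line):
    """Return (severity, message_id) parsed from an ASA syslog line, or None if it has no ASA tag."""
    m = ASA_TAG.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid")


def forwarded_by_trap(lines, trap_level):
    """Return the lines an ASA configured with 'logging trap <trap_level>' would actually send."""
    threshold = ASA_SEVERITIES[trap_level.lower()]
    kept = []
    for line in lines:
        parsed = asa_severity(line)
        if parsed is not None and parsed[0] <= threshold:
            kept.append(line)
    return kept


def missing_at_level(lines, trap_level):
    """Message ids present in 'lines' that the given trap level would never forward to Splunk."""
    sent = {asa_severity(l)[1] for l in forwarded_by_trap(lines, trap_level)}
    return sorted(asa_severity(l)[1] for l in lines if asa_severity(l)[1] not in sent)


# Constructed sample messages (documentation IP ranges, made-up connection ids), not real captures.
SAMPLE_LINES = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.0.0.10/445 by access-group "outside_in"',
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51000 (203.0.113.5/51000) to inside:10.0.0.10/443 (10.0.0.10/443)",
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/51000 to inside:10.0.0.10/443 duration 0:00:01 bytes 812 TCP FINs",
    "%ASA-7-609001: Built local-host inside:10.0.0.10",
]

if __name__ == "__main__":
    for level in ("warning", "informational", "debugging"):
        print(level, "drops message ids:", missing_at_level(SAMPLE_LINES, level))
```

Running it shows that at "warning" only the 106023 deny survives, so connection build/teardown messages never reach the index regardless of how eventtypes.conf is written.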

bwooden
Splunk Employee

Great! Thank you for the update.


bwooden
Splunk Employee

Hi crbrown68. A bit more information may help troubleshoot this issue.

1) What version of Cisco Security Suite are you presently using?
2) What version of the ASA Add-on are you presently using?

3) What is the output of this command in your Splunk environment?

$SPLUNK_HOME/bin/splunk btool --debug eventtypes list cisco-firewall