Splunk 6 - Cisco Security Suite 3.0 App config fil...

tier2ops · ‎03-06-2014

Are there default configuration files that you can share so that the data gets populated in the default reports/dashboard tiles once we inject cisco ASA/PIX/FWSM/IPS/ironport(web) data?

I need info on how to configure the files listed below so that the various firewall/ironport(web)dashboards & report data for the cisco security app get populated.

[root@splunk default]# ls -ltr
total 44
-rw-------. 1 root root 44 Jan 16 13:40 transforms.conf
-rw-------. 1 root root 18310 Jan 16 13:40 savedsearches.conf
-rw-------. 1 root root 59 Jan 16 13:40 props.conf
-r--------. 1 root root 0 Jan 16 13:40 eventtypes.conf
drwx--x--x. 3 root root 4096 Jan 16 13:40 data
-r--------. 1 root root 315 Jan 16 13:40 viewstates.conf
-r--------. 1 root root 61 Jan 16 13:40 macros.conf
-rw-------. 1 root root 546 Jan 16 13:40 app.conf

jconger · ‎03-27-2014

In order for WSA to work with the Cisco Security Suite, you need to copy the TA-cisco-wsa and SA-cisco-wsa directories to $SPLUNK_HOME/etc/apps. Your directory structure should look like this when finished:

$SPLUNK_HOME/etc/apps/SA-cisco-wsa
$SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite
$SPLUNK_HOME/etc/apps/TA-cisco-wsa

The TA-cisco-wsa and SA-cisco-wsa directories are located in Splunk_CiscoSecuritySuite/appserver/addons

Splunk 6 - Cisco Security Suite 3.0 App config files needed

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases