I have installed the Cisco security suite and the Cisco firewall add-on.
Configured my firewall to send syslog events to Splunk.
Configured Splunk to listen on UDP port 514 and set up incoming data to go to an index called firewall, with the sourcetype set to cisco_asa via an inputs.conf file defined under the local dir of the firewall app:
[udp://x.x.x.x:514]
disabled = false
sourcetype = cisco_asa
index = firewall
Splunk is definitely collecting firewall logs. If I search index=firewall, I can see all data. It also shows me 4 eventtypes, one being cisco_firewall.
However, if I search eventtype=cisco_firewall, or sourcetype=cisco_asa, nothing comes up: 0 results found.
No wonder that dashboard is empty.
Any idea, what I might be doing wrong?
If you have not given the user account access to search the firewall index by default, and the firewall index is not literally called out in the search string... you will not get any results back. You may also find that the dashboard relies on saved searches and summary indexes which may not have yet populated.
I have tried removing sourcetype = cisco_asa from the inputs.conf file (as mentioned in the app's wiki pages, we really don't need to define a sourcetype; it automatically detects %ASA and assigns the cisco_firewall eventtype), and it now shows only one eventtype when I search index=firewall, which is cisco_firewall and is correct.
However, searching with eventtype=cisco_firewall still returns 0 results, and hence the empty dashboard in the app.
I have no clue
yes, it worked!
Thank you.
Settings > Access Controls > Roles > Admin > Indexes Searched by Default - Add "All non-internal indexes"
Does that help?
I am trying this as the admin account.
What I have noticed is that if I use index=firewall and eventtype=cisco_firewall it returns the correct output. However, all the dashboards built into the app use eventtype as the search criterion.
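The root cause discussed in this thread (an eventtype search that does not name an index only hits the role's default indexes, so a custom index like firewall is invisible until the role's "Indexes searched by default" covers it) can be checked before anyone opens a dashboard. The following is an added example, not code from the thread or from the Cisco add-on: a small linter that reads constructed copies of inputs.conf, eventtypes.conf and authorize.conf, models the weak setting (srchIndexesDefault = main) beside the corrected one (srchIndexesDefault = *), and reports which input stanzas feed an index that the role's eventtype searches cannot see. The eventtype definition for cisco_firewall below is an assumption for illustration, not the add-on's real search string, and the function names are mine.

```python
"""Check whether the index an inputs.conf stanza writes to is inside a role's
default search scope for eventtype-only searches (added example; the conf
contents below are constructed, not copied from a live Splunk install)."""
import configparser
import fnmatch
import re
from typing import List

# Constructed inputs.conf, modelled on the stanza in the thread.
INPUTS_CONF = """
[udp://x.x.x.x:514]
disabled = false
sourcetype = cisco_asa
index = firewall
"""

# Constructed eventtypes.conf. The search string is an assumption for this
# example; the real cisco_firewall eventtype shipped with the add-on may differ.
EVENTTYPES_CONF = """
[cisco_firewall]
search = sourcetype=cisco_asa
"""

# Weak setting: the admin role may search every index, but only "main" is
# searched when a query names no index, so eventtype=cisco_firewall finds nothing.
AUTHORIZE_WEAK = """
[role_admin]
srchIndexesAllowed = *
srchIndexesDefault = main
"""

# Corrected setting: "*" is all non-internal indexes, the UI's
# "All non-internal indexes" entry under Indexes Searched by Default.
AUTHORIZE_FIXED = """
[role_admin]
srchIndexesAllowed = *
srchIndexesDefault = *
"""

INDEX_TERM = re.compile(r'\bindex\s*=\s*"?([^\s"]+)"?', re.IGNORECASE)
EVENTTYPE_TERM = re.compile(r'\beventtype\s*=\s*"?([^\s"]+)"?', re.IGNORECASE)


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse a Splunk-style .conf file: keys are case-sensitive and values
    contain no %-interpolation, so both configparser defaults are disabled."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep srchIndexesDefault as written, not lowercased
    cp.read_string(text)
    return cp


def default_indexes(authorize_text: str, role: str) -> List[str]:
    """Semicolon-separated srchIndexesDefault list for role_<role>."""
    raw = parse_conf(authorize_text).get(f"role_{role}", "srchIndexesDefault", fallback="")
    return [p.strip() for p in raw.split(";") if p.strip()]


def index_in_scope(index: str, scope: List[str]) -> bool:
    """Glob match as Splunk does; a bare '*' never covers _internal-style indexes."""
    for pattern in scope:
        if index.startswith("_") and not pattern.startswith("_"):
            continue
        if fnmatch.fnmatchcase(index, pattern):
            return True
    return False


def pinned_indexes(query: str, eventtypes_text: str) -> List[str]:
    """index= terms written literally in the query or in the searches of the
    eventtypes it references; empty means the role's default scope applies."""
    etypes = parse_conf(eventtypes_text)
    text = query
    for name in EVENTTYPE_TERM.findall(query):
        text += " " + etypes.get(name, "search", fallback="")
    return INDEX_TERM.findall(text)


def event_visible(event_index: str, query: str, eventtypes_text: str, scope: List[str]) -> bool:
    """Would an event stored in event_index be reachable by this query?"""
    pinned = pinned_indexes(query, eventtypes_text)
    return index_in_scope(event_index, pinned if pinned else scope)


def audit(inputs_text: str, eventtypes_text: str, authorize_text: str, role: str) -> List[str]:
    """One finding per enabled input whose target index an eventtype-only
    search cannot reach for the given role."""
    findings = []
    scope = default_indexes(authorize_text, role)
    inputs, etypes = parse_conf(inputs_text), parse_conf(eventtypes_text)
    for stanza in inputs.sections():
        if inputs.get(stanza, "disabled", fallback="false").lower() in ("1", "true"):
            continue
        target = inputs.get(stanza, "index", fallback="main")  # Splunk's default index
        sourcetype = inputs.get(stanza, "sourcetype", fallback=None)
        for et in etypes.sections():
            search = etypes.get(et, "search", fallback="")
            if sourcetype and f"sourcetype={sourcetype}" not in search:
                continue  # eventtype is not about this input's data
            query = f"eventtype={et}"
            if not event_visible(target, query, eventtypes_text, scope):
                findings.append(f"{stanza}: writes to index '{target}', but '{query}' "
                                f"only searches {scope} for role '{role}'")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", AUTHORIZE_WEAK), ("fixed", AUTHORIZE_FIXED)):
        print(label, audit(INPUTS_CONF, EVENTTYPES_CONF, conf, "admin") or "no findings")
```

The linter does not evaluate the eventtype's other search terms against real events; it only answers the scoping question that emptied the dashboard. Note that fixing it by widening srchIndexesDefault is a per-role decision: any role that needs the add-on's dashboards must either have the index in its default scope or use dashboards that pin index= explicitly, as the thread's working index=firewall eventtype=cisco_firewall search does.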