Set up Splunk for Cisco Firewalls

From Splunk Wiki


Use the Splunk for Cisco Firewalls add-on to consume, analyze, and report on data for Cisco ASA, PIX, and FWSM firewalls.

Splunk for Cisco Firewalls is designed to work in conjunction with the Splunk Cisco Security Suite app. Install these products together to access reports and dashboards that give you visual insight into the performance and effectiveness of your Cisco firewall implementations.

When you first download the Splunk for Cisco Firewalls add-on, you'll decompress the file and place the resulting folder into either %PROGRAMFILES%\Splunk\etc\apps (if you use Windows) or $SPLUNK_HOME/etc/apps (if you use Unix/Linux). Then restart Splunk via the CLI (using the splunk restart command) or the GUI.

After you restart your Splunk instance you can select the Splunk for Cisco Firewalls add-on from the Home page. This will bring you to the Setup page for the add-on. See "Get data into the add-on," below, for more information about this page.

When you first enter the Cisco Security Suite, it will give you an opportunity to enable or disable the Splunk for Cisco Firewalls add-on. Keep in mind that if you disable Splunk for Cisco Firewalls here, you will not receive data from it when you use the Cisco Security Suite.

Get data into the add-on

To use the Splunk for Cisco Firewalls add-on, you'll first want to get it configured to listen to UDP or TCP log traffic from your Cisco firewall devices. You can do this through the UI with a setup screen, or you can set up the input manually through configuration files.

Use the input setup screen

You can set up inputs through the Setup screen for Splunk for Cisco Firewalls. There are two ways you can access this setup screen:

  • When you first install the Splunk for Cisco Firewalls add-on, the add-on will be listed on the Splunk Home page. Click the Setup button that appears on this listing to access the Splunk for Cisco Firewalls Setup page.
  • At any time afterwards you can access this setup page by navigating to Manager > Apps and then clicking the Set up link for the Splunk for Cisco Firewalls add-on.

On the setup page--titled "Configure Splunk for Cisco Firewalls (PIX, FWSM, ASA)"--you can enter the appropriate TCP or UDP network port for your Cisco firewall device.

[Screenshot: the Splunk for Cisco Firewalls setup page]

Note: If Splunk already has a network input listening on the port your firewall devices send to, you do not need to add that port again on this page. It is usually better, though, to point the firewalls at a port that Splunk is not already using for other data, so firewall events arrive on an input of their own.

Manually configure inputs

Here's how you manually configure inputs for Splunk for Cisco Firewalls:

1. Open the inputs.conf file in the Splunk for Cisco Firewalls local folder (located at $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/local). If you do not find an inputs.conf file there, create one.

2. Modify the inputs.conf file to include a stanza for each TCP or UDP network port that should listen for firewall data. For example:

[udp://514]
disabled = false

Do not specify a source type. The Splunk for Cisco Firewalls add-on automatically assigns source types for your Cisco ASA, FWSM, and PIX firewall events as cisco_asa, cisco_fwsm, and cisco_pix, respectively.

Two things to keep in mind when choosing the port: on Unix/Linux only a privileged process can bind ports below 1024, so a Splunk instance running as a non-root user cannot open udp://514 unless it has been granted that capability (pointing the firewalls at a high port avoids the problem); and syslog over UDP is neither authenticated nor encrypted, so any host that can reach the port can inject events that will be indexed as firewall data. Restrict reachability of the port to the addresses your firewalls actually log from.

3. Save the changes you make to the inputs.conf file.

4. Restart Splunk for the new network input to take effect.

For detailed information on TCP and UDP input setup for Splunk, see "Get data from TCP and UDP ports" in the Getting Data In Manual.

Find your Cisco firewall data in Splunk

If your TCP and UDP inputs have been set up correctly, you should be able to search on your firewall events by their source type value: cisco_asa, cisco_fwsm, and cisco_pix.

Splunk also applies the event type cisco_firewall to all firewall events; most of the reports in this add-on use it. Search on eventtype=cisco_firewall to quickly find your firewall events in aggregate.
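As an added illustration (not code from the add-on, whose props.conf and transforms.conf are not reproduced here), the following Python classifies raw syslog lines the way any source type assignment for these devices has to: by the %ASA-, %FWSM- or %PIX- tag that Cisco firewalls put in every message. The sample events are constructed, not captured; the source type names are the ones the page gives; the PRI decoding follows RFC 3164 (facility * 8 + severity) and is used as a cross-check on the severity in the tag. A line without one of the three tags is left unclassified, which is what a stray non-firewall event landing on the same port looks like.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample events (not real captures): one event for each firewall platform
# the add-on handles, plus one unrelated syslog line that must not be classified.
SAMPLE_EVENTS: List[str] = [
    "<166>Mar 12 14:02:31 fw-edge-01 %ASA-6-302013: Built outbound TCP connection 9912 "
    "for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.5/51234 (198.51.100.2/51234)",
    "<163>Mar 12 14:02:32 fw-dc-02 %FWSM-3-106010: Deny inbound tcp src outside:192.0.2.7/4444 "
    "dst inside:10.0.1.20/22",
    "<164>Mar 12 14:02:33 fw-legacy %PIX-4-106023: Deny tcp src outside:192.0.2.8/55000 "
    "dst inside:10.0.1.21/445 by access-group \"outside_in\"",
    "<13>Mar 12 14:02:34 bastion sshd[1234]: Accepted publickey for admin from 10.0.0.9 port 50000 ssh2",
]

# Cisco platform tag -> the source type name the add-on assigns (names as given on the page).
PLATFORM_TO_SOURCETYPE: Dict[str, str] = {"ASA": "cisco_asa", "FWSM": "cisco_fwsm", "PIX": "cisco_pix"}

# Cisco firewall syslog messages carry "%<PLATFORM>-<severity>-<message_id>:" in the body.
TAG_RE = re.compile(r"%(?P<platform>ASA|FWSM|PIX)-(?P<severity>[0-7])-(?P<msgid>\d{6}):")

# RFC 3164 PRI header at the start of the line: <facility*8 + severity>
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")


def classify(event: str) -> Optional[Dict[str, object]]:
    """Map one raw syslog line to the add-on's source type name plus the fields a search
    would key on. Returns None for anything that is not an ASA, FWSM or PIX event."""
    m = TAG_RE.search(event)
    if m is None:
        return None
    result: Dict[str, object] = {
        "sourcetype": PLATFORM_TO_SOURCETYPE[m.group("platform")],
        "severity": int(m.group("severity")),
        "msgid": m.group("msgid"),
    }
    pri = PRI_RE.match(event)
    if pri is not None:
        # Cross-check: the severity the device encoded in PRI should equal the one in the tag.
        result["pri_severity"] = int(pri.group("pri")) % 8
        result["pri_facility"] = int(pri.group("pri")) // 8
    return result


def is_cisco_firewall(event: str) -> bool:
    """Stand-in for the page's eventtype=cisco_firewall: true for any of the three source types."""
    return classify(event) is not None


def count_by_sourcetype(events: List[str]) -> Counter:
    """Roll events up by source type, as a `| stats count by sourcetype` search would."""
    return Counter(c["sourcetype"] for c in map(classify, events) if c is not None)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev))
    print(count_by_sourcetype(SAMPLE_EVENTS))
```

If a device's events come back unclassified here, they will not get a cisco_* source type in Splunk either; the usual cause is a logging format that drops the platform tag, which is worth checking on the firewall before touching props.conf.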

Rename a source type for the add-on

If you have previously indexed Cisco firewall data and would like to preserve the current source type for reporting purposes, you can rename the source type.

For example, to rename the cisco_pix source type, go to the local directory of the app ($SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/local), open up props.conf and add the following entry.

[cisco_pix]
rename=<your_current_firewall_source_type>

Now a search on sourcetype=your_current_firewall_source_type returns all the cisco_pix events along with the events that were indexed under your_current_firewall_source_type in the first place.

You use source type renaming here because it lets you search under another source type name while preserving the original cisco_asa, cisco_fwsm, and cisco_pix source type values. The Splunk for Cisco Firewalls add-on relies on these source types to perform its field extractions and to correctly run the real-time and overview dashboards in the Cisco Security Suite.

For more information about source type renaming, see "Rename source types" in the Getting Data In Manual.

Configure the add-on

Here's some information about configuring the Splunk for Cisco Firewalls add-on.

Manage summary indexing for Splunk for Cisco Firewalls

Splunk for Cisco Firewalls includes a scheduled search that is designed to add to a summary index every 6 hours. See the following subsection for information about changing the search interval.

Customers with an Enterprise license can use this summary index feature, but it must be enabled. To enable summary indexing for your Splunk for Cisco Firewalls dashboards, create the following stanza in $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/local/macros.conf:

[cisco_firewall]
definition = index=summary marker=cisco_firewall

If you need to change the schedule of this search, navigate to Manager > Searches and Reports and click through to the detail page for the "Cisco Firewall - DataCube - Summary Index" search.

For background information about summary indexing, see "Use summary indexing for increased reporting efficiency" in the Knowledge Manager Manual.

Change the default schedule for scheduled searches

Splunk for Cisco Firewalls ships with two searches that run on a schedule (if you have a Splunk Enterprise license).

  • Cisco Firewall - DataCube - Summary Index is a search that runs every six hours. Each time it runs, it sends its results to a summary index.
  • Cisco Firewall - Datacube is a search that runs every three hours against the summary index. Splunk uses the results of the most recent Cisco Firewall - Datacube search job to populate certain Cisco Firewall dashboard panels when they are loaded.

To change these schedules, navigate to Manager > Searches and reports and click the name of the search you want to update to open its detail page. On the update page, you can change the interval schedule for the search.

For more information about defining search schedule intervals, see the subsection on search scheduling in "Create an alert" in the User Manual.

Disable the old Cisco ASA and PIX Firewall Add-on

If you're running the old Cisco ASA and PIX Firewall Add-on, you need to disable it for Splunk for Cisco Firewalls to work correctly. A checkbox on the setup page lets you do this. If you made any configuration changes in the local folder of the old add-on ($SPLUNK_HOME/etc/apps/cisco_firewall_addon/local), migrate them to the local folder of the new Splunk for Cisco Firewalls add-on.

Troubleshoot your Splunk for Cisco Firewalls install

  • No Cisco Firewalls data is present in your Cisco Security Suite reports and dashboards. First, make sure that you've downloaded and installed Splunk for Cisco Firewalls correctly. Keep in mind that you have to have the add-on enabled on the Cisco Security Suite app setup page (navigate to Manager > Apps and click Set up for the Cisco Security Suite app).
If that doesn't seem to be the problem, check to make sure that you have ports configured for your Cisco firewall devices. Ensure that the firewall devices are sending information to the port you think they are, and then take a look at inputs.conf in $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/local to see if the TCP or UDP inputs that you've set up there are correct.
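For the "is anything actually arriving on the port" half of this check, here is an added Python helper (not part of the add-on or of Splunk) that sends one constructed ASA-format event to a Splunk network input, reports whether something already holds a port, and, for a stand-alone dry run, provides a minimal listener that stands in for Splunk on a loopback port. The event text, host names and ports are assumptions for the example; nothing here reads Splunk's configuration.

```python
import socket
import threading
from typing import Optional, Tuple

# Constructed test event (not a real capture). The add-on keys its source type assignment
# off the %ASA-... tag, so the line only needs to look like a genuine ASA message.
TEST_EVENT = ("<166>Mar 12 14:02:31 fw-edge-01 %ASA-6-302013: Built outbound TCP connection 1 "
              "for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.5/51234 (198.51.100.2/51234)")


def send_event(host: str, port: int, event: str, proto: str = "udp") -> int:
    """Send one newline-terminated syslog line to a Splunk TCP or UDP input. Returns bytes sent."""
    data = (event.rstrip("\n") + "\n").encode()
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(data, (host, port))
    if proto == "tcp":
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(data)
            return len(data)
    raise ValueError("proto must be 'udp' or 'tcp'")


def port_in_use(port: int, proto: str = "udp", host: str = "127.0.0.1") -> bool:
    """True if a bind attempt fails because something (ideally Splunk) already owns the port.
    Run this as root or as the Splunk user: an unprivileged bind below 1024 fails for a
    different reason, and that case is raised rather than reported as 'in use'."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((host, port))
        except PermissionError:
            raise
        except OSError:
            return True
    return False


class Listener:
    """Stand-in for a Splunk network input: binds a port and captures the first event.
    Only used for the loopback dry run; against a real Splunk host you send to Splunk's port."""

    def __init__(self, proto: str = "udp", host: str = "127.0.0.1", port: int = 0):
        self.proto = proto
        kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
        self.sock = socket.socket(socket.AF_INET, kind)
        self.sock.settimeout(5)
        self.sock.bind((host, port))  # port 0 = let the OS pick a free ephemeral port
        if proto == "tcp":
            self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.received: Optional[Tuple[str, str]] = None  # (peer address, event text)
        self._thread = threading.Thread(target=self._run, daemon=True)

    def start(self) -> "Listener":
        self._thread.start()
        return self

    def _run(self) -> None:
        try:
            if self.proto == "udp":
                data, peer = self.sock.recvfrom(65535)
            else:
                conn, peer = self.sock.accept()
                with conn:
                    conn.settimeout(5)
                    data = b""
                    while b"\n" not in data:  # read one newline-delimited event
                        chunk = conn.recv(4096)
                        if not chunk:
                            break
                        data += chunk
            self.received = (peer[0], data.decode(errors="replace").rstrip("\n"))
        except socket.timeout:
            self.received = None
        finally:
            self.sock.close()

    def wait(self) -> Optional[Tuple[str, str]]:
        self._thread.join()
        return self.received


def loopback_check(proto: str = "udp") -> bool:
    """End-to-end dry run: start a listener, send TEST_EVENT to it, confirm it arrived intact."""
    lst = Listener(proto).start()
    send_event("127.0.0.1", lst.port, TEST_EVENT, proto)
    got = lst.wait()
    return got is not None and got[0] == "127.0.0.1" and got[1] == TEST_EVENT


if __name__ == "__main__":
    print("loopback udp:", loopback_check("udp"))
    print("loopback tcp:", loopback_check("tcp"))
    # Against a real instance (hypothetical host): send_event("splunk.example.net", 514, TEST_EVENT)
```

To use it for real, call send_event against the Splunk host from a machine in the firewalls' network path, then search sourcetype=cisco_asa over the last few minutes. If the test event shows up, the input and the source type assignment work and the problem is on the firewall side (its logging host, trap level, or an ACL in the path). port_in_use tells you whether Splunk, or something else, already holds the port you configured. Remember that the same path that lets your test event in lets anyone else's in too: UDP syslog carries no authentication, so filter the port by source address at the host or network firewall.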
