Introducing the Cisco Security Suite for Splunk 6

I know.  I normally blog about Microsoft stuff.  Recently, however, I’ve been helping out on another project – updating the Cisco Security Suite to be compatible with Splunk 6.  The Cisco Security Suite is the most downloaded app on Splunkbase behind the *Nix and Windows apps, and it exposes Cisco-specific information about your Cisco security devices.

We had many aims for this project, aside from just upgrading everything to work with Splunk 6.  We wanted it to use the Technology Add-ons that you may already have from a deployment of Enterprise Security.  If you were considering an upgrade to Enterprise Security in the future (and you should – it’s awesome), then we wanted the data you have already collected to integrate seamlessly with that product.  We also wanted to let you explore the data on your own with data models provided by the Common Information Model app.  Finally, and by no means least, we wanted to work with Cisco to ensure we were advising on the best practices for data collection and that we were supporting all the latest versions of the software that you may have installed.

That’s a tall order, and one release will not be enough to get it done.  However, the Cisco Security Suite v3.0, which is available now on Splunkbase, handles that task for your Cisco ASA, PIX and FWSM firewalls and your Cisco WSA web proxy appliances.  You will need a couple of additional components from Splunkbase.  If you have a Cisco ASA, PIX or FWSM firewall, then you will need the Splunk Technology Add-on for Cisco ASA.  This is an Enterprise Security 3 compatible add-on for reading the firewall data from those devices.  If you want to explore the data via a data model, then you will want the Common Information Model app, which turns data gathered by ES3 compatible add-ons into data models.

[Screenshot: Cisco Security Suite for Splunk 6]

If you are just starting out with the Cisco Security Suite, then installation is relatively painless:

  1. Install the Cisco Security Suite from your Splunk Interface
  2. If required, also install the Splunk Add-on for Cisco ASA from your Splunk Interface
  3. Copy the contents of Splunk_CiscoSecuritySuite/appserver/addons to your main apps directory
  4. Restart your Splunk server
  5. Configure the Technology Add-ons so that they receive data
  6. Enjoy!

You will note that we don’t need to install five different apps any more – everything is distributed as a package for you.  The hard part is configuring the Technology Add-ons and your devices.  If you have followed the instructions above, then two views are available to you under Cisco Security Suite -> Documentation – one walks you through configuring your Cisco firewall and the other walks you through configuring your Cisco WSA appliances.

If you are upgrading from an earlier version, then things are a little more complicated.  As a first step, you need to remove all the Splunk_Cisco* apps from your Splunk installation.  Yes – this means you won’t be collecting data for a while.  Then you will want to upgrade your Splunk installation to Splunk 6.0.2 – our latest version.  Finally, you will want to follow the steps above.

However, you are not finished there.  You will have some data that is tagged the old way – sourcetype=cisco_asa, for example – and the new data will be tagged the new way – sourcetype=cisco:asa, for example.  That subtle difference matters: the new field extractions and eventtypes only match the new sourcetype, so your older events will not show up in the suite until you adjust the apps.  To fix this, you need to make some adjustments to the apps.

Let’s start with the field extractions.  We have new field extractions, and they are located in props.conf under the stanza [cisco:asa] – you want the same extractions under [cisco_asa] as well, so just copy the stanza and change the stanza name – everything else stays the same.  If you are editing the configuration files, then you need to copy props.conf in the Splunk_TA_cisco-asa and SA-cisco-asa apps from default to local before editing, so that your changes survive an upgrade of the add-on.  If you are using the Manager, this is exceedingly complex – I recommend editing the files by hand just this once.

Once you have the field extractions working for your old sourcetype, you can add the old sourcetype to the correct event types.  Each eventtype starts with cisco- and includes a descriptive name.  For example, eventtype=cisco-firewalls specifies a search that contains all the firewall data, so you will want to add sourcetype="cisco_asa" to that eventtype.  This is a lot easier to do within the Manager, but hand-editing the configuration files works as well.
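If you would rather script the two hand edits above than make them in an editor, here is a small POSIX shell helper for both: it clones the [cisco:asa] props stanza as [cisco_asa] and appends the old sourcetype to an eventtype's search.  This is an added example, not code shipped with the Cisco Security Suite or the Splunk TA; the stanza contents and the eventtype search in the demo at the bottom are constructed samples, not the add-on's real ones, and the SPLUNK_HOME paths in the comments are assumed.

```shell
#!/bin/sh
# clone_stanza FILE OLD NEW: append a copy of stanza [OLD] to FILE under the
# name [NEW].  Run it on the local/props.conf you copied from default, e.g.
#   clone_stanza "$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local/props.conf" cisco:asa cisco_asa
clone_stanza() {
  file=$1; old=$2; new=$3
  if grep -q "^\[$new\]" "$file"; then
    echo "[$new] already present in $file, nothing to do" >&2; return 0
  fi
  # Collect the body of [OLD]: every line after its header up to the next [header].
  body=$(awk -v old="[$old]" '
    $0 == old { inside = 1; next }
    /^\[/     { inside = 0 }
    inside    { print }
  ' "$file")
  [ -n "$body" ] || { echo "no [$old] stanza in $file" >&2; return 1; }
  printf '\n[%s]\n%s\n' "$new" "$body" >> "$file"
}

# add_sourcetype FILE EVENTTYPE SOURCETYPE: inside stanza [EVENTTYPE] of an
# eventtypes.conf, rewrite 'search = X' as 'search = (X) OR sourcetype="SOURCETYPE"'.
# The parentheses keep the original search's own AND/OR precedence intact.
add_sourcetype() {
  file=$1; evt=$2; src=$3
  awk -v st="[$evt]" -v add="$src" '
    $0 == st            { inside = 1 }
    /^\[/ && $0 != st   { inside = 0 }
    inside && /^search[ \t]*=/ {
      sub(/^search[ \t]*=[ \t]*/, "")
      print "search = (" $0 ") OR sourcetype=\"" add "\""
      next
    }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demo on constructed files in a temp dir (sample stanzas, not the real TA's).
demo_dir=$(mktemp -d)
printf '[cisco:asa]\nEXTRACT-sample = (?<action>Built|Teardown)\n\n[cisco:pix]\nTRUNCATE = 0\n' \
  > "$demo_dir/props.conf"
printf '[cisco-firewalls]\nsearch = sourcetype="cisco:asa" OR sourcetype="cisco:pix"\n' \
  > "$demo_dir/eventtypes.conf"
clone_stanza "$demo_dir/props.conf" cisco:asa cisco_asa
add_sourcetype "$demo_dir/eventtypes.conf" cisco-firewalls cisco_asa
cat "$demo_dir/props.conf" "$demo_dir/eventtypes.conf"
```

Re-running clone_stanza on the same file is safe; it notices the existing [cisco_asa] stanza and leaves the file untouched.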

This is not the final version of the Cisco Security Suite v3.0.  Over the coming weeks, we intend to add back the Cisco IPS and ESA device support that was in the earlier versions, and add new Cisco security devices to the list of devices that we produce dashboards for.  The Cisco Security Suite is community supported, so feel free to post on Splunk Answers if you run into trouble – we will try our best to assist.
