Troubleshooting guide for the Cisco Cloud Security Add-On or App for Splunk

This guide provides answers to common questions about the Cisco Cloud Security Add-On for Splunk or the Cisco Cloud Security App for Splunk.

How to Access the Add-On and App Guides

Should I Restart Splunk After Installing the Add-On or App?

  • You do not have to restart your instance of Splunk after you update or configure the add-on.
  • You must restart your instance of Splunk after you update or configure the app.

How to List the Secure Access or Umbrella DNS Logs in My Cisco-Managed S3 Bucket

  1. Open a shell in your environment.

  2. Set the environment variables for your AWS S3 bucket.

    • Set AWS_ACCESS_KEY_ID to the value of your AWS S3 bucket key.
    • Set AWS_SECRET_ACCESS_KEY to the value of your AWS S3 bucket secret.
    export AWS_ACCESS_KEY_ID=YourKey
    export AWS_SECRET_ACCESS_KEY=YourSecret
    
  3. Run the AWS command-line interface (CLI) with the s3 ls command to list the Secure Access or Umbrella DNS logs.

    aws s3 ls s3://cisco-managed-us-east-2/{Yourprefix}/dnslogs --recursive
    

About Event Log Headers

We do not recommend enabling headers when you export the logs from the Cisco-managed or your own AWS S3 bucket. If you enable headers for event logs, Splunk displays the log headers with the event data. To filter out the log headers in the search results, you can add this where clause to the query:

| where NOT (Timestamp="Timestamp" OR Timestamp="Time")
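
As an added illustration (not part of the Cisco documentation), the following Python reproduces that where clause outside Splunk: it reads exported DNS log lines, drops any row whose first column is the literal header value "Timestamp" or "Time", and reports how many header rows were removed, which is useful for confirming that a header-enabled export is the cause of odd events before the data reaches the index. The column names and sample rows are constructed for the example and are not the actual Cisco log schema.

```python
"""Drop exported header rows from Secure Access / Umbrella DNS log events.

Added example, not part of the Cisco documentation. It mirrors the SPL
`| where NOT (Timestamp="Timestamp" OR Timestamp="Time")` from the guide in
plain Python. Column layout and values below are constructed for
illustration, not the real Cisco log schema.
"""
import csv
import io

# Values a header row carries in its first column. "Timestamp" and "Time"
# are the two the guide's where clause filters; any other value is treated
# as event data.
HEADER_MARKERS = frozenset({"Timestamp", "Time"})


def is_header_row(row):
    """True when the row is a column header that leaked in as an event."""
    return bool(row) and row[0].strip().strip('"') in HEADER_MARKERS


def filter_header_rows(raw_lines):
    """Return (events, dropped): events are the data rows as lists of
    fields, dropped is the number of header rows removed."""
    events, dropped = [], 0
    for row in csv.reader(io.StringIO("\n".join(raw_lines))):
        if not row:
            continue
        if is_header_row(row):
            dropped += 1
            continue
        events.append(row)
    return events, dropped


# Constructed sample: two exported log files concatenated, each written
# with headers enabled, so the header line shows up twice in the stream.
SAMPLE_LINES = [
    '"Timestamp","Identity","Internal IP","Action","Domain"',
    '"2024-05-01 10:00:01","laptop-01","10.0.0.5","Allowed","example.com"',
    '"2024-05-01 10:00:02","laptop-02","10.0.0.6","Blocked","blocked.test"',
    '"Timestamp","Identity","Internal IP","Action","Domain"',
    '"2024-05-01 10:05:00","laptop-01","10.0.0.5","Allowed","example.org"',
]

if __name__ == "__main__":
    kept, removed = filter_header_rows(SAMPLE_LINES)
    print(f"kept {len(kept)} events, dropped {removed} header rows")
    for event in kept:
        print(event)
```

Run it as a script to see the two header rows removed from the constructed sample; pass real exported lines to `filter_header_rows` to measure how many header events an export with headers enabled would have produced.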

How to Check the Version of Python Set Up with Your Splunk Instance

If you cannot view the Inputs page in the add-on, we recommend that you verify that your instance of Splunk is configured to run Python v3.9.x.

Note: The Cisco Cloud Security Add-On for Splunk v1.0.39 or later requires Python version 3.9.

  1. Open a shell in your environment.

  2. Run the Splunk CLI to get the version of Python that is running with your instance of Splunk.

    ${SPLUNK_HOME}/bin/splunk cmd python -V
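
As an added example, not from the Cisco guide, this POSIX shell snippet wraps that version check so it can be scripted: it parses the interpreter's `-V` output and compares major and minor numerically, so that Python 3.10 or later is not misjudged as older than 3.9 by a plain string comparison. The `python_meets_minimum` and `check_splunk_python` function names and the `/opt/splunk` fallback for `SPLUNK_HOME` are assumptions for the example; the Splunk command itself is the one from this step.

```shell
#!/bin/sh
# Added example, not from the Cisco guide. Checks that the Python bundled
# with Splunk is at least 3.9, as the add-on v1.0.39+ requires.

# python_meets_minimum "Python 3.9.16" -> returns 0 (supported)
# python_meets_minimum "Python 2.7.18" -> returns 1 (too old)
# python_meets_minimum "not a version" -> returns 2 (unparseable)
python_meets_minimum() {
    version_string="$1"
    # Strip the leading "Python " that `python -V` prints.
    version_number="${version_string#Python }"
    case "$version_number" in
        *.*) ;;                 # need at least major.minor
        *) return 2 ;;
    esac
    major="${version_number%%.*}"
    minor="${version_number#*.}"
    minor="${minor%%.*}"
    case "$major$minor" in
        *[!0-9]*|"") return 2 ;; # non-numeric components
    esac
    # Compare as integers, not strings: "10" -ge "9" is true, "10" > "9" as text is not.
    [ "$major" -gt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -ge 9 ] && return 0
    return 1
}

# Runs the guide's command against the Splunk bundled interpreter.
# Python 2 writes its version to stderr, hence the 2>&1.
# /opt/splunk is an assumed fallback when SPLUNK_HOME is not exported.
check_splunk_python() {
    reported="$("${SPLUNK_HOME:-/opt/splunk}/bin/splunk" cmd python -V 2>&1)"
    if python_meets_minimum "$reported"; then
        echo "OK: $reported"
    else
        echo "Unsupported: $reported (add-on v1.0.39 or later requires Python 3.9)" >&2
        return 1
    fi
}
```

Source the file and call `check_splunk_python` on the Splunk host; a non-zero exit means the Inputs page problem described above is likely the interpreter version rather than the add-on itself.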
    

How to Create an Input with a Self-Managed S3 Bucket

Configure an input for your self-managed S3 bucket.

  1. Navigate to Inputs, and then click Create New Input.

  2. For Add Cisco Cloud Security Addon, enter a Name, Interval, Index, your AWS S3 bucket settings, Default Start Date, and Event Type.

    [Screenshot: Self-Managed S3 Bucket]

For information about configuring data inputs in the add-on for a Cisco-managed S3 bucket, see Cisco Cloud Security Add-On for Splunk.

Location of Logs in Splunk Enterprise or Splunk Cloud

View the Splunk log and logs for the add-on and app in your instance of Splunk.

Splunk Enterprise

  • Splunkd log: ${SPLUNK_HOME}/var/log/splunk/splunkd.log
  • Cisco Cloud Security Add-On for Splunk: ${SPLUNK_HOME}/var/log/splunk/cisco_cloud_security_addon.log
  • Cisco Cloud Security App for Splunk: ${SPLUNK_HOME}/var/log/splunk/ciscocloudsecurity.log

Splunk Cloud

  • Splunkd log: index="_internal" splunkd.log
  • Cisco Cloud Security Add-On for Splunk: index="_internal" sourcetype=cisco_cloud_security_addon.log
  • Cisco Cloud Security App for Splunk: index="_internal" ciscocloudsecurity.log

How to Increase the Logging Level in the Add-On

  1. Sign in to your instance of Splunk, and then navigate to the add-on.

  2. Navigate to Configuration, and then click on Logging.

  3. For Log level, choose the logging level for the add-on.

    [Screenshot: Configure logging]

How to Configure a Proxy with the Add-On

You can configure a proxy in the add-on.

  1. Sign in to your instance of Splunk, and then navigate to the add-on.

  2. Navigate to Configuration, and then click on Proxy.

  3. For Proxy Type, choose http, and then enter the values for Host, Port, Username, and Password.

  4. Click Save.

    [Screenshot: Configure proxy]

How to View the Configured Settings in the App

Note: You cannot view the values of the configured API access tokens.

  1. Sign in to your instance of Splunk, and then navigate to the app.

  2. Navigate to Application Settings.

  3. Click View History.

    [Screenshot: Splunk App View History]

How to Check the Status of the APIs

Get the status of the Cisco Umbrella or Secure Access APIs.

  1. Sign in to your instance of Splunk, and then navigate to the app.

  2. Navigate to Application Settings.

  3. Click Show Health Status.

    [Screenshot: Splunk App View Health Status]

If the response code for the API requests is not 200, we recommend that you review the API credentials that you configured in the app.

Note: The default polling period or interval for the health checks is 10 minutes. You can configure the polling period in the app.

Location of the Add-On or App in a Splunk Enterprise Deployment

  • Cisco Cloud Security Add-On for Splunk: ${SPLUNK_HOME}/etc/apps/TA-cisco-cloud-security-addon
  • Cisco Cloud Security App for Splunk: ${SPLUNK_HOME}/etc/apps/cisco-cloud-security