The Splunk for Cisco Client Security Agent (CSA) technology add-on is a collection of inputs, field extractions, and other search-time knowledge that is used to drive reporting and search for data collected from Cisco CSA devices.
This add-on can be used standalone, or it can be installed with the Cisco Security Suite umbrella app and other Cisco Security Suite apps and add-ons to provide a single-pane-of-glass interface and out-of-the-box reports on Cisco CSA and other Cisco technology data.
Important note: This add-on, under its new name, Splunk for Cisco Client Security Agent, replaces the older and very popular Cisco Client Security Agent Add On and contains all of the functionality of its predecessor plus the enhancements listed in the release notes below.
Additional information and download for Cisco Security Suite can be found on Splunkbase. The other Cisco Security Suite apps and add-ons include:
Installation and configuration instructions for this add-on can be found in the README file within the downloaded package.
Versions and Release Notes
Version 1.0.0 (current version - updated Mar 11, 2011)
- Updated to provide compatibility with Splunk 4.2
CSA v5.2: thus far having lots of issues with this app. Field extractions are not pulling the field data correctly, and the default saved searches don't use the proper field names.

[Cisco CSA Report - Top Rule ID]
cron_schedule = 0 0 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = +0s
displayview = flashtimeline
enableSched = 0
request.ui_dispatch_view = flashtimeline
search = sourcetype=cisco_csa | top ruleid
vsid = fwibndcc

There is no field "ruleid", but there is "ruleID".

[Cisco Client Security Agent - DataCube]
cron_schedule = 30 */3 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = +0s
enableSched = 1
is_visible = false
search = eventtype="cisco_csa" | stats count by operation, nbtname, ruleid, _time

I don't have any fields with these names (other than the Splunk field _time).

=======================================================

In the README.txt of this app it says: First, create the following entry in props.conf, replacing the stanza name with your CSA sourcetype:

[enter_sourcetype_here]
TRANSFORMS = csa_hostoverride
REPORT-extract = csafields
SHOULD_LINEMERGE = false

If you use the snmptrapd method to get CSA events via SNMP, then you do need to line-merge the event data, because snmptrapd writes 2 lines per event.
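As an added illustration of the snmptrapd line-merge caveat raised in the comment above (example code, not part of the add-on, its README, or the comment): a small Python model of what Splunk indexes with SHOULD_LINEMERGE = false versus merging lines on a leading timestamp, as BREAK_ONLY_BEFORE would. The snmptrapd lines and the key=value varbinds (ruleID, operation, nbtname) are constructed samples, and the regexes are assumptions, not the add-on's csafields transform.

```python
import re

# Constructed sample of snmptrapd output (not real CSA traps). snmptrapd writes the
# trap source on one line and the varbinds on the next, so each trap spans two lines.
SAMPLE_LOG = """\
2011-03-11 10:15:02 csa-mc.example.com [UDP: [192.0.2.10]:162]:
SNMPv2-MIB::sysUpTime.0 = Timeticks: (12345) 0:02:03.45 ruleID=123 operation=deny nbtname=WS01
2011-03-11 10:15:07 csa-mc.example.com [UDP: [192.0.2.11]:162]:
SNMPv2-MIB::sysUpTime.0 = Timeticks: (12400) 0:02:04.00 ruleID=77 operation=allow nbtname=WS02
"""

# Assumed regexes (not the add-on's csafields transform). BREAK_ONLY_BEFORE mirrors
# a props.conf setting of BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
BREAK_ONLY_BEFORE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
KV_PAIR = re.compile(r"(\w+)=(\S+)")
TRAP_SOURCE = re.compile(r"^\S+ \S+ (?P<host>\S+) \[UDP: \[(?P<src_ip>[^\]]+)\]")


def split_events(raw, should_linemerge):
    """Events Splunk would index from raw snmptrapd output.

    should_linemerge=False emulates SHOULD_LINEMERGE = false (one line = one event);
    True emulates merging lines until the next one that matches BREAK_ONLY_BEFORE.
    """
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    if not should_linemerge:
        return lines
    events = []
    for line in lines:
        if BREAK_ONLY_BEFORE.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def extract_fields(event):
    """Search-time extraction: host/src_ip from the trap-source line plus key=value varbinds."""
    fields = dict(KV_PAIR.findall(event))
    match = TRAP_SOURCE.match(event)
    if match:
        fields.update(match.groupdict())
    return fields


def usable_events(raw, should_linemerge):
    """Count events carrying both host and ruleID, i.e. usable by `top ruleID by host`."""
    count = 0
    for event in split_events(raw, should_linemerge):
        fields = extract_fields(event)
        if "host" in fields and "ruleID" in fields:
            count += 1
    return count
```

With merging off, every trap becomes two half-events (one with the host, one with the ruleID) and no event can be reported by host and rule; with merging on, each trap is one complete event.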