I am new to splunk and need some help is basic terms on how to setup splunk to work with my ASA5510 to be able to report on VPN user login/logout times and data and also users internet useage. I have splunk setup as the syslog server and receiving all the log data from the ASA. I have downloaded the Cisco add ins for WebIron and Firewall but do no know how to get them setup or if they are the correct apps. My ASA has the Trend Micro CSC module. If anyone could please tell me how or if splunk is able to do what I need. I have watched the how to video but it deals more with how to get searches from web servers not how to get info from syslog data.I also have the window event log collecting but that is the next step first I need to get the syslog data working. I appreciate any help.
Hi llreilly, if you already have Splunk collecting your Cisco ASA firewall messages via syslog and you have the Splunk for Cisco Firewalls Add-on installed, you only need to make sure those syslog messages are sourcetyped correctly.
There is also additional configuration information contained within the add-ons readme file.
Once you sourcetype the incoming events you will be able to search on those from the Search App. To see Cisco Firewall specific dashboard, install the Cisco Security Suite: http://splunkbase.splunk.com/apps/All/4.x/Suite/app:Cisco+Security+Suite
teach splunk to read data from log 3 Answers
Problem reading syslog events 4 Answers