All,
Trying to set up CSC for firewalls but using a local log file as opposed to syslog (it's a proof of concept and we don't want to change FW configs, etc just yet)
What is done so far:
Created a inputs.conf in the Cisco FW app directory ie: splunk_ciscofirewalls\local:
[monitor://C:\Firewall\*cisco]
disabled=false
restarted splunk
Splunk grabs the file without issue but the sourcetypes do not appear (not applying the transforms).
Note: we deliberately omitted the sourcetype as we want the app to assign the events to the respective source type as per: http://wiki.splunk.com/Set_up_Splunk_for_Cisco_Firewalls
'Do not specify a source type. The Splunk for Cisco Firewalls add-on automatically assigns source types for your Cisco ASA, FWSM, and PIX firewall events as cisco_asa, cisco_fwsm, and cisco_pix, accordingly.
Questions:
Yes it is possible, look inside the props/transforms to understand what sourcetype CSS app is expecting and set that in your inputs.conf file after
disabled = false
sourcetype = cisco:asa
Not positive that is the right sourcetype - but it is probably close.
Thanks Emotz, we did that and it appears that it's processing some of the entries, I'll need to verify again tomorrow.
Note, we don't want to assign a sourcetype and would like to get the app to assign (see new note above in original call)
you would also need to reset your fishbucket if possible without messing everything else up to re-index the same file. Or you could use oneshot? Or you need to add another file to that directory.
If you have to index that exact file - you can also set crcSalt =