Cisco Security Suite/Splunk for Cisco Firewalls - input from log file

splunked38
Communicator

All,

Trying to set up CSC for firewalls, but using a local log file as opposed to syslog (it's a proof of concept and we don't want to change FW configs, etc. just yet).

What is done so far:

  • Installed CSC and Splunk for Cisco Firewalls
  • Created an inputs.conf in the Cisco FW app directory, i.e. splunk_ciscofirewalls\local:

    [monitor://C:\Firewall\*cisco]
    disabled = false

  • Restarted Splunk

Splunk grabs the file without issue but the sourcetypes do not appear (not applying the transforms).

Note: we deliberately omitted the sourcetype as we want the app to assign the events to the respective source type as per: http://wiki.splunk.com/Set_up_Splunk_for_Cisco_Firewalls

'Do not specify a source type. The Splunk for Cisco Firewalls add-on automatically assigns source types for your Cisco ASA, FWSM, and PIX firewall events as cisco_asa, cisco_fwsm, and cisco_pix, accordingly.'

Questions:

  • Is this possible to do without setting up syslog (I would imagine the answer is yes)?
  • Has anyone set this up successfully?
  • Is there a step missing?
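As an added illustration (not code from the thread or from the Splunk for Cisco Firewalls add-on), the script below mimics what the add-on's sourcetype-assigning transforms do: it inspects each event for the firewall syslog message-ID prefix and maps it to cisco_asa, cisco_fwsm or cisco_pix. The exact regexes are an assumption; the add-on's own transforms.conf is authoritative. The sample lines are constructed for this example. Running it over a copy of the monitored file is a quick way to check that the events actually carry a prefix the transforms can match; lines without one stay unassigned.

```python
import re

# Constructed sample events for this example (not taken from the thread).
SAMPLE_LINES = [
    "Jan 10 10:15:01 fw01 %ASA-6-302013: Built outbound TCP connection 1234 "
    "for outside:203.0.113.5/443 to inside:192.0.2.10/51234",
    "Jan 10 10:15:02 fwsm01 %FWSM-6-302014: Teardown TCP connection 4321 "
    "for outside:203.0.113.7/80 to inside:192.0.2.11/44444 duration 0:00:05",
    "Jan 10 10:15:03 pix01 %PIX-4-106023: Deny tcp src outside:198.51.100.9/4000 "
    "dst inside:192.0.2.12/22 by access-group \"outside_in\"",
    # No message-ID prefix: nothing for a prefix-based transform to match.
    "Jan 10 10:15:04 fw01 last message repeated 2 times",
]

# Assumed prefix patterns mirroring the documented cisco_asa / cisco_fwsm /
# cisco_pix assignment; check the add-on's transforms.conf for the real ones.
SOURCETYPE_RULES = [
    (re.compile(r"%ASA-\d-\d+"), "cisco_asa"),
    (re.compile(r"%FWSM-\d-\d+"), "cisco_fwsm"),
    (re.compile(r"%PIX-\d-\d+"), "cisco_pix"),
]


def assign_sourcetype(line):
    """Return the sourcetype a prefix-based transform would assign, or None."""
    for pattern, sourcetype in SOURCETYPE_RULES:
        if pattern.search(line):
            return sourcetype
    return None


def classify(lines):
    """Pair every event with its assigned sourcetype (None if unmatched)."""
    return [(assign_sourcetype(line), line) for line in lines]


def summarize(lines):
    """Count events per sourcetype; unmatched events land under 'unassigned'."""
    counts = {}
    for sourcetype, _ in classify(lines):
        key = sourcetype if sourcetype else "unassigned"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for sourcetype, line in classify(SAMPLE_LINES):
        print(f"{sourcetype or 'UNASSIGNED':<11} {line[:70]}")
    print(summarize(SAMPLE_LINES))
```

The other thing worth checking when the events do carry a prefix but still get no sourcetype: in Splunk, sourcetype-rewriting transforms are attached to a props.conf stanza (a `[<sourcetype>]`, `[source::...]` or `[host::...]` stanza) via a `TRANSFORMS-` setting, and they only run on events that hit that stanza. If the add-on's stanza is keyed on a syslog-specific source or sourcetype, a file monitored from C:\Firewall never reaches it unless a matching stanza covers that source path.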

emotz
Splunk Employee

Yes, it is possible. Look inside the props/transforms to understand what sourcetype the CSS app is expecting and set that in your inputs.conf file after

    disabled = false
    sourcetype = cisco:asa

Not positive that is the right sourcetype - but it is probably close.


splunked38
Communicator

Thanks Emotz, we did that and it appears that it's processing some of the entries; I'll need to verify again tomorrow.

Note: we don't want to assign a sourcetype and would like to get the app to assign it (see the new note above in the original post).


emotz
Splunk Employee

You would also need to reset your fishbucket (if possible without messing everything else up) to re-index the same file. Or you could use oneshot? Or you need to add another file to that directory.

If you have to index that exact file, you can also set crcSalt = in your inputs.conf file and change the name of the file to reindex it.
