Cisco ASA TA wrong sourcetype

ebaileytu · ‎05-12-2014

I am trying to get the Cisco sourcetype for ASA data to work. cisco:asa I have installed the TA on the heavy forwarder, Indexer and Search Head.

In the TA folder, I created a local dir and put the props in the local dir. I am logging to the file system using rsyslog so I set the source to the path to the rsyslog file

[source::/opt/logs/all_logs]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

This is not working. All I get is cisco_asa as the sourcetype for all ASA traffic.

Any ideas?

Thanks

Ed

ejwade · ‎02-06-2018

Hey, Ed.

It sounds like you're monitoring a local directory on a syslog server. Try creating a local/inputs.conf file with the monitor stanza, and only assign sourcetype = syslog:

[monitor:///opt/logs/all_logs]
diabled = false
sourcetype = syslog

Also - make sure the hostname in the ASA is configured correct, as well as this command:

asa(config)#logging device-id hostname

The Add-on should pull out the hostname accurately. This worked for me. I didn't edit transforms or props. Let me know if it works!

Ed (as well)

jconger · ‎05-13-2014

Can you post your props.conf file? The sample lines you posted should match the REGEX specified. There may be something in props.conf that can offer more clues.

ebaileytu · ‎05-20-2014

Any more ideas? I also tried syslog as the source for the props with really inconsistent results. Some data is cisco:asa and other data is syslog_asa even from the same device.

Thanks!

ebaileytu · ‎05-13-2014

ok - that did not come out right

I will only include the part of the default props i used

########## Global

[source::/opt/log/all_logs]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

########## ASA

ebaileytu · ‎05-13-2014

This may have been a sad assumption on my part. I copied the props.conf out of default and put it into local and only used the following with an update for the actual source of the log data

props.conf

[source::/opt/log/all_logs]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

dmaislin_splunk · ‎05-13-2014

Can you tell me if the original sourcetype of the data you are pulling in is the syslog sourcetype?

ebaileytu · ‎05-13-2014

sure - thanks!

May 13 15:33:57 xxxxxxxxxxxxxxxxx %ASA-6-302014: Teardown TCP connection 3360473173 for INTERNET-OUTSIDE:xx.xx.xx.xx/34802 to MD-DMZ-F5:xx.xx.xx.xx/443 duration 0:00:56 bytes 7192 TCP FINs

May 13 15:33:57 xxxxxxxxxxxxxxxxx %ASA-6-302014: Teardown TCP connection 848603646 for LAN1:xx.xx.xx.xx/48529 to LAN2:xx.xx.xx.xx/8501 duration 0:00:00 bytes 1848 TCP FINs

dmaislin_splunk · ‎05-13-2014

Post a sample of some events of the raw log so we can examine them and help you with the transforms/regex.

ebaileytu · ‎05-13-2014

yes - the sourcetype is syslog

jconger · ‎05-13-2014

You may need to modify the REGEX on the [force_sourcetype_for_cisco_*] stanzas in transforms.conf if your log files don't match correctly. I have seen this in one other instance where the log format coming from the devices wasn't quite the same as the transforms.conf stanza expected.

ebaileytu · ‎05-13-2014

well why does the cisco_asa sourcetype match? I am sure I am not understanding something. I will check to see what else I can find.