A Cisco ASA can transfer logs off of the system using either Syslog over UDP or Syslog over TCP. Neither of these is able to guarantee security or integrity.
If you are sending these to Splunk over the Internet, I would suggest you create an IPSec VPN between the ASA and the Splunk box (or an IPSec gateway [like another ASA] near the Splunk box). This will give you the security and integrity you seek.
It's not a question for Splunk really - splunk would be blissfully unaware of any type of VPN because to Splunk it's all just sockets. The question is whether the ASA can interoperate with these VPN implementations. Like, for example, the ASA cannot interoperate with OpenVPN - completely different protocol.
Yes and no. If you can configure the UF to use SSL to send data to your indexer across the internet, then it will be very close to the same level of safety. Then, the best place to tamper with / sniff your log data would be the LAN behind the ASA, between it and the UF. This is usually an acceptable risk.
Thanks dwaddle , what about if I have Universal forwarder in local LAN of Cisco ASA and collect the logs on Universal forwarder and then use universal forwarder to send the logs over internet, Is it safer way ?
