Why am I not getting the cisco:acs sourcetype after installing Add-on for Cisco ACS 5.x?

buldamoosh
New Member

I've installed the add-on for Cisco ACS TA-cisco_acs but I am still not getting the cisco:acs sourcetype. Can anyone help me?

0 Karma

buldamoosh
New Member

I'm assuming I could key on CSCOacs in the syslog messages.
Jul 31 10:25:20 gthou-nsacs01p.energy.sug.pri Jul 31 10:25:12 gthou-nsacs01p CSCOacs_Passed_Authentications 0083647704 11
How would I phrase the Transform and where would I put it?

0 Karma

okrabbe_splunk
Splunk Employee

The TA does not automatically source type the data for you like some of the other addons. You need to either set the sourcetype by editing an input or you would need to add an entry in props.conf and transforms.conf to sourcetype by matching a pattern in the event.

Create or edit a file called props.conf. The syslog stanza should be whatever sourcetype the ACS data is currently showing up as -

[syslog]
REPORT-acessourcetype = force_sourcetype_for_cisco_acs

Create or edit a file transforms.conf in etc/system/local/ -

[force_sourcetype_for_cisco_acs]
DEST_KEY = MetaData:Sourcetype
REGEX = CisACS-\d+-\d+
FORMAT = sourcetype::cisco:acs

You might need to change the regular expression to match the event exactly but if you give me an example I can help you.

iunderwood
Path Finder

Since ACS allows you to export its logs to different ports, I would also recommend opening up an explicit input for this source type. It's operationally more efficient to do so and then there isn't the risk of something being mismatched by the transform should something else creep in that unexpectedly triggers it.

0 Karma
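To make the two points above concrete (the transforms.conf REGEX may need adjusting to match the actual ACS events, and a pattern-based transform can misroute unrelated events), here is an added Python example that is not part of this thread or of the Splunk add-on. It mimics what a transforms.conf stanza with DEST_KEY = MetaData:Sourcetype does: if REGEX matches anywhere in the raw event, the sourcetype is rewritten to the FORMAT value, otherwise the event keeps the sourcetype of the input it arrived on. The ACS event is the one quoted earlier in the thread; the second syslog line and the alternative regex keyed on the CSCOacs_ prefix are constructed assumptions for illustration.

```python
import re

# Constructed sample events. The first is the ACS line quoted in the thread;
# the second is a made-up non-ACS syslog line used to check for false triggers.
ACS_EVENT = ("Jul 31 10:25:20 gthou-nsacs01p.energy.sug.pri Jul 31 10:25:12 "
             "gthou-nsacs01p CSCOacs_Passed_Authentications 0083647704 11")
OTHER_EVENT = "Jul 31 10:26:01 fw01 %ASA-6-302013: Built inbound TCP connection"

# The REGEX from the answer above, and an assumed alternative keyed on the
# CSCOacs_ prefix that is visible in the sample event.
ORIGINAL_REGEX = r"CisACS-\d+-\d+"
ASSUMED_REGEX = r"\bCSCOacs_\w+"


def route_sourcetype(event, regex, default="syslog", dest="cisco:acs"):
    """Emulate a transforms.conf stanza with DEST_KEY = MetaData:Sourcetype.

    Splunk applies REGEX to _raw by default; a match rewrites the sourcetype
    to the FORMAT value (here cisco:acs), otherwise the event keeps the
    sourcetype of its input (here assumed to be syslog).
    """
    return dest if re.search(regex, event) else default


def classify(regex, events):
    """Return the resulting sourcetype for each event under the given REGEX."""
    return [route_sourcetype(e, regex) for e in events]


def main():
    events = [ACS_EVENT, OTHER_EVENT]
    for label, regex in (("original", ORIGINAL_REGEX), ("assumed", ASSUMED_REGEX)):
        print(f"REGEX = {regex} ({label})")
        for event, st in zip(events, classify(regex, events)):
            print(f"  {st:10s} <- {event[:60]}...")


if __name__ == "__main__":
    main()
```

Running it shows the original CisACS-\d+-\d+ pattern never matches the CSCOacs_ style event, so the data stays under the syslog sourcetype and the add-on's extractions never fire; the CSCOacs_ keyed pattern routes the ACS event and leaves the firewall line alone. The check is worth repeating against a sample of every other log family arriving on the same syslog input, since an over-broad REGEX silently relabels unrelated events and breaks the searches and alerts that depend on them; a dedicated input per source, as suggested above, avoids that class of problem entirely.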

dsmc_adv
Path Finder

What about if you want to add a new log file via the web UI? With cisco:asa in 6.2 I can add a new file to monitor and select cisco:asa under Network & Security, but I cannot assign cisco:acs as it does not appear in the dropdown menu.

I set this in TA-cisco_acs/local/props.conf with no joy:

[cisco:acs]
TIME_PREFIX = ^
TIME_FORMAT = %B %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
pulldown_type = true

0 Karma

iunderwood
Path Finder

I can't say that I'm familiar with how file scraping operations work in Splunk for this case.

For my current case, I made a new UDP input to take in the logs:

[udp://7227]
connection_host = dns
sourcetype = cisco:acs
no_appending_timestamp = true

(Sorry for the really late reply ... I haven't been doing much Splunking in the last year or three.)

0 Karma

okrabbe_splunk
Splunk Employee

I updated the answers with a few more instructions. Please see if this is clear.

0 Karma

jodros
Builder

Are you seeing data from the ACS? What sourcetype is it showing as currently?

0 Karma