All Apps and Add-ons

cisco:asa sourcetype not parsing fields correctly

tross33
Explorer

I am having issues with consistent field extraction using the cisco:asa sourcetype. The fields are very inconsistently parsed, many times making 4 or 5 events out of a single event, even separating a line in the middle of a word.

I am currently accepting syslog for these devices using rsyslog, and I am monitoring the file generated for the specific device on the local filesystem. The following is an example of the inputs.conf entry I have in the Splunk_TA_cisco-asa local directory.

[monitor:///var/log/syslog/system-111.111.111.111.log]
host_segment = 4
sourcetype = cisco:asa
disabled = false

I am running version 3.2.0 of the Splunk Add-on for Cisco ASA. I am running version 3.0.3 of Cisco Security Suite. Am I missing something? Thanks in advance.

0 Karma

mzorzi
Splunk Employee
Splunk Employee

Try to add, under the stanza above,

SHOULD_LINEMERGE=false

0 Karma

tross33
Explorer

Thank you for the response mzorzi. Unfortunately, that did not work when placed in my inputs.conf file. I believe the sourcetype should pull that from my props.conf file?

########## ASA

[source::....asa]
sourcetype = cisco:asa

[cisco:asa]
SHOULD_LINEMERGE = false
KV_MODE = auto

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...