
Sourcetype syslog

rb51
Explorer

Hi all,

I am totally new to Splunk and almost giving up...

We have Splunk on a Windows 2008 R2 box

We are monitoring Cisco ASA firewalls and the sourcetype keeps coming tagged as "syslog" rather than "cisco:asa"

I hope an expert can point me in the right direction, as I am really struggling to understand why this does not work.

Information:

  • Data Input setup as UDP 514 syslog

Apps installed/enabled:

  • Cisco Security Suite 3.0.3
  • Splunk Add-on for Cisco ASA 3.1.0

In my $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory I have the props.conf file as follows:

[source::tcp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

########## ASA

[source::....asa]
sourcetype = cisco:asa

[cisco:asa]
SHOULD_LINEMERGE = false

########## Sample of data on Splunk

Feb 12 10:00:38 10.2.6.3 :Feb 12 10:20:21 GMT/BST: %ASA-session-4-106023: Deny tcp src EXT_INT:xx.xx.xx.xx/63613 dst PUB_DMZ_INT:xx.xx.xx.xx/25 by access-group "EXT_INT" [0x0, 0x0]
host = x.x.x.x source = udp:514 sourcetype = syslog

0 Karma

aakwah
Builder

Hello,

I think you should have the following stanza on your inputs.conf

/opt/splunk/etc/apps/Splunk_TA_cisco-asa/default/inputs.conf

[tcp://PIX_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false

Regards

0 Karma

rb51
Explorer

Hi aakwah,

Thank you for replying to my post.

We are on Windows, and browsing the following path:

$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/default

There is no inputs.conf file there.

Should I create one? Should I have as many stanzas as ASA firewalls we are monitoring?

Also, should it be udp rather than tcp? Should source be syslog rather than cisco:asa? The problem is sourcetype....

[udp://ASA1_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false

[udp://ASA2_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false

and so on?

0 Karma

richgalloway
SplunkTrust

Never add or edit a file in a default directory. Put your changes in local, instead, creating a file if required.

One should use TCP rather than UDP when possible.

---
If this reply helps you, Karma would be appreciated.
0 Karma
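Putting the two replies above together (aakwah's suggested inputs.conf stanza and richgalloway's point about editing local rather than default), the following is an added example of what a local inputs.conf could look like. It is not from the original thread or from the Splunk Add-on for Cisco ASA; the port (514), the sourcetype value (cisco:asa) and the add-on directory are taken from the question above, and the choice of one shared listener rather than one stanza per firewall is an assumption.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local/inputs.conf
# Added example, not from the thread or the add-on. Port, sourcetype and
# directory follow the question above; everything else is an assumption.

# A single listener receives syslog from every ASA that sends to port 514,
# so one stanza is enough when all firewalls use the same port. Setting the
# sourcetype here assigns it at input time instead of relying on the
# [syslog] override in props.conf.
[udp://514]
sourcetype = cisco:asa
# Record the sending firewall's IP address as the host field.
connection_host = ip
disabled = 0

# Equivalent listener if the firewalls can be switched to TCP syslog,
# which the reply above recommends over UDP where possible.
#[tcp://514]
#sourcetype = cisco:asa
#connection_host = ip
#disabled = 0
```

After a restart, running `splunk btool inputs list --debug` from the Splunk bin directory prints every inputs.conf setting together with the file it came from, which is the quickest way to confirm that the local stanza is the one in effect and that no other app defines a stanza for the same port. The same command with `props` instead of `inputs` shows whether the `[source::udp:514]` TRANSFORMS stanzas from the question are still being applied to the data.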

rb51
Explorer

Rich,

Thanks for that....

What I cannot understand is that there must be thousands of Splunk users using the Cisco Security Suite and the Add-on..... Why is there no config guide with the parameters, etc.? I could not find anything in the App documentation mentioning inputs.conf.

I am lost, to be honest.

0 Karma