hi all,
I am totally new to Splunk and almost giving up...
We have Splunk on a Windows 2008 R2 box
We are monitoring Cisco ASA firewalls and the sourcetype keeps coming tagged as "syslog" rather than "cisco:asa"
I hope an expert can point me to the right direction as I am really struggling to understand why this does not work.
Information:
Apps installed/enabled:
In my $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory I have the props.conf file as follows:
[source::tcp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
[source::....asa]
sourcetype = cisco:asa
[cisco:asa]
SHOULD_LINEMERGE = false
Feb 12 10:00:38 10.2.6.3 :Feb 12 10:20:21 GMT/BST: %ASA-session-4-106023: Deny tcp src EXT_INT:xx.xx.xx.xx/63613 dst PUB_DMZ_INT:xx.xx.xx.xx/25 by access-group "EXT_INT" [0x0, 0x0]
host = x.x.x.x source = udp:514 sourcetype = syslog
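To make the override chain above concrete, here is an added, constructed Python model (not Splunk's code and not from this thread) of how a props.conf TRANSFORMS-* entry hands each event to transforms.conf stanzas that rewrite MetaData:Sourcetype. The transforms.conf REGEX/FORMAT values, the sshd sample line and the STRICT variant are assumptions; the thread only shows props.conf, so the point of the model is that the real REGEX has to match the `%ASA-session-4-106023:` token in the sample event or the sourcetype stays syslog.

```python
import re

# Constructed, simplified model of Splunk's props.conf -> transforms.conf
# sourcetype override. Not Splunk's code: no wildcard stanzas, no precedence
# rules. REGEX/FORMAT values below are ASSUMED; compare them with the real
# Splunk_TA_cisco-asa/default/transforms.conf.
PROPS = {  # stanza -> transforms named in TRANSFORMS-force_sourcetype_for_cisco
    "source::udp:514": ["force_sourcetype_for_cisco_asa",
                        "force_sourcetype_for_cisco_pix",
                        "force_sourcetype_for_cisco_fwsm"],
    "syslog": ["force_sourcetype_for_cisco_asa",
               "force_sourcetype_for_cisco_pix",
               "force_sourcetype_for_cisco_fwsm"],
}
# name -> (REGEX, sourcetype from FORMAT = sourcetype::<value>)  [assumed]
TRANSFORMS = {
    "force_sourcetype_for_cisco_asa":  (r"%ASA-(?:[A-Za-z]+-)?\d-\d+:", "cisco:asa"),
    "force_sourcetype_for_cisco_pix":  (r"%PIX-(?:[A-Za-z]+-)?\d-\d+:", "cisco:pix"),
    "force_sourcetype_for_cisco_fwsm": (r"%FWSM-(?:[A-Za-z]+-)?\d-\d+:", "cisco:fwsm"),
}
# Stricter assumed variant: %ASA-<severity>-<id> with no class token between.
STRICT = {"force_sourcetype_for_cisco_asa": (r"%ASA-\d-\d+:", "cisco:asa")}

def stanza_matches(stanza, source, sourcetype):
    """[source::X] matches the event's source; a bare [name] matches its sourcetype."""
    if stanza.startswith("source::"):
        return stanza[len("source::"):] == source
    return stanza == sourcetype

def apply_overrides(raw, source, transforms=TRANSFORMS, sourcetype="syslog"):
    """Return (final sourcetype, names of transforms that fired) for one event."""
    fired = []
    for stanza, names in PROPS.items():
        if not stanza_matches(stanza, source, sourcetype):
            continue
        for name in names:
            if name not in transforms:      # referenced in props, undefined here
                continue
            regex, target = transforms[name]
            if re.search(regex, raw):
                sourcetype = target         # DEST_KEY = MetaData:Sourcetype
                fired.append(name)
    return sourcetype, fired

# Sample events: the first is the line quoted in the thread, the second is constructed.
ASA_LINE = ("Feb 12 10:00:38 10.2.6.3 :Feb 12 10:20:21 GMT/BST: %ASA-session-4-106023: "
            "Deny tcp src EXT_INT:xx.xx.xx.xx/63613 dst PUB_DMZ_INT:xx.xx.xx.xx/25 "
            'by access-group "EXT_INT" [0x0, 0x0]')
PLAIN_SYSLOG = "Feb 12 10:01:02 10.2.6.9 sshd[1234]: Accepted publickey for admin"

if __name__ == "__main__":
    for line in (ASA_LINE, PLAIN_SYSLOG):
        print(apply_overrides(line, "udp:514"))
    print(apply_overrides(ASA_LINE, "udp:514", STRICT))  # class token blocks the match
```

Running it shows the page's event becoming cisco:asa under the permissive pattern and staying syslog under the strict one, which is the check to make against the add-on's actual transforms.conf before touching props.conf further.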
Hello,
I think you should have the following stanza in your inputs.conf
/opt/splunk/etc/apps/Splunk_TA_cisco-asa/default/inputs.conf
[tcp://PIX_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false
Regards
hi aakwah
thank you for replying to my post.
we are on windows, and browsing the following path:
$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/default
There is no inputs.conf file there
Should I create one??? Should I have as many stanzas as ASA firewalls we are monitoring???
Also, should it be udp rather than tcp??? Should source be syslog rather than cisco:asa? the problem is sourcetype....
[udp://ASA1_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false
[udp://ASA2_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false
and so on???
Never add or edit a file in a default directory. Put your changes in local, instead, creating a file if required.
One should use TCP rather than UDP when possible.
ric
thanks for that....
what I cannot understand is that there must be thousands of Splunk users using the Cisco Security Suite and the Add-on..... Why is there no config guide with the parameters, etc.... I could not find anything in the App documentation mentioning inputs.conf
I am lost to be honest