Splunk Team,
I'm looking for log management/application profiling from Cisco ASA Firewall.
On the firewall, syslog UDP/514 is enabled towards the Splunk server, whereas syslog ID 106100 is disabled for all firewall policies.
Currently, threat-detection is also disabled.
What do I need to get application profiling (like total hits per ACL) working?
Thanks
~rk
You may be interested in the Splunk for Cisco Firewalls add-on:
http://splunk-base.splunk.com/apps/22303/splunk-for-cisco-firewalls
which is part of the Splunk for Cisco Security Suite:
http://splunk-base.splunk.com/apps/22300/cisco-security-suite
Thanks Piebob!
I have installed Cisco Firewall add-on.
Although I haven't yet enabled syslog forwarding to the Splunk servers, the question is: will it get all information for allowed firewall policies also?
~rk
+1 on the already-built apps. They may not have exactly the view you're looking for, but they may have a starting point you can more quickly adapt from.
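The "hits per ACL" view the question asks for comes from the ASA 106100 message that is currently disabled on the firewall. The following is an added example, not code from the thread or from the Splunk add-on, showing how those messages can be parsed and summed per ACL and action once logging is enabled; the sample syslog lines are constructed, and the parser assumes the documented 106100 field order without the optional identity-firewall fields.

```python
import re
from collections import defaultdict

# ASA 106100 ACL-logging message. Field order per Cisco's documented format:
#   access-list <acl> <action> <proto> <if>/<src>(<port>) -> <if>/<dst>(<port>) hit-cnt <n> (...)
# Assumption: optional "(idfw_user, sg_info)" identity fields are absent.
MSG_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def parse_106100(line):
    """Return a dict of fields for a 106100 line, or None for any other message."""
    m = MSG_106100.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hits"] = int(rec["hits"])
    return rec

def hits_per_acl(lines):
    """Sum the hit-cnt field by (acl, action).

    The hit-cnt value is summed rather than the number of lines, because the
    ASA reports repeated flows as one message per interval once 106100 is
    rate-limited, so counting lines would undercount hits."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_106100(line)
        if rec:
            totals[(rec["acl"], rec["action"])] += rec["hits"]
    return dict(totals)

# Constructed sample syslog lines (not from a real firewall) in the 106100 shape,
# plus one 302013 connection message that the parser must ignore.
SAMPLE_LOG = [
    "Jan 12 10:00:01 fw01 %ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.5(51234) -> inside/10.1.2.3(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "Jan 12 10:05:01 fw01 %ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.5(51240) -> inside/10.1.2.3(443) hit-cnt 17 300-second interval [0x1a2b3c4d, 0x0]",
    "Jan 12 10:05:02 fw01 %ASA-6-106100: access-list outside_in denied udp outside/198.51.100.9(4000) -> inside/10.1.2.9(161) hit-cnt 3 300-second interval [0x5e6f7a8b, 0x0]",
    "Jan 12 10:05:03 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51241 (203.0.113.5/51241) to inside:10.1.2.3/443 (10.1.2.3/443)",
    "Jan 12 10:06:00 fw01 %ASA-6-106100: access-list dmz_out denied tcp dmz/172.16.0.4(33000) -> outside/192.0.2.7(25) hit-cnt 2 300-second interval [0x9c0d1e2f, 0x0]",
]

if __name__ == "__main__":
    for (acl, action), n in sorted(hits_per_acl(SAMPLE_LOG).items()):
        print(f"{acl:12} {action:10} {n}")
```

The same grouping in Splunk would be a stats count/sum over the extracted acl and action fields; the point of the script is that without 106100 enabled there are no per-ACL hit records to aggregate at all.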