I am trying to figure out which directory the Splunk Add-on for Cisco ESA is sending the data to in Splunk, as noted in step 4: "Click Browse next to the File or Directory field."
http://docs.splunk.com/Documentation/AddOns/released/CiscoESA/Configureinputsonaforwarder
I can search against the data, but it is not indexing correctly. The source type is syslog. I tried running searches within Splunk but cannot find where the logs are being stored.
Hi Randino,
It seems your ESA system was configured to send syslog to Splunk over TCP or UDP rather than through monitor inputs. If this is the case, you should follow the configuration steps in the following topic:
Also, by "but cannot find where the logs are being stored in", did you mean you want to know where to locate the ESA logs before indexing? If so, you might as well consult the Cisco ESA docs, for example:
Hope it helps. Thanks!
On the first part, I did configure the ESA to send syslog over UDP 514. I want to configure the monitor inputs for text mail logs, HTTP logs, and authentication logs. Step 4 of the guide says to browse to the File or Directory within Splunk. I want to know where that file is located.
Second part: not on the ESA, but on Splunk.
Randino,
You'll need to copy the log files over from your ESA device using SCP to a Splunk UF, then monitor those files and assign the proper sourcetype from there.
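As an added example, not code from this thread or from the Splunk Add-on for Cisco ESA itself, here is what the two approaches discussed above look like in a forwarder's inputs.conf: the monitor inputs for files the ESA pushes to the forwarder (the SCP route), and a UDP 514 network input for the syslog route the question describes. The directory paths and the index name are assumptions; the sourcetype names are the ones the add-on documents for text mail, HTTP and authentication logs, and should be checked against the add-on version in use.

```ini
# Added example (not from the thread or the add-on): Cisco ESA inputs on a
# Splunk universal forwarder. Paths and index are assumptions; verify the
# cisco:esa:* sourcetype names against your add-on version.

# Route A: the ESA log subscriptions push files to the forwarder over SCP,
# one directory per log type. Monitor each directory and tag the sourcetype
# so the add-on's field extractions and the Cisco Security Suite views match.
[monitor:///opt/esa-logs/mail_logs]
sourcetype = cisco:esa:textmail
index = cisco_esa
disabled = 0

[monitor:///opt/esa-logs/gui_logs]
sourcetype = cisco:esa:http
index = cisco_esa
disabled = 0

[monitor:///opt/esa-logs/authentication]
sourcetype = cisco:esa:authentication
index = cisco_esa
disabled = 0

# Route B: the ESA sends its mail log subscription by syslog to UDP 514.
# Leaving this input at sourcetype = syslog means the add-on's extractions
# do not apply; assign the add-on sourcetype on the network input instead.
# One port carries one sourcetype, so send other log types to other ports.
[udp://514]
sourcetype = cisco:esa:textmail
index = cisco_esa
connection_host = ip
disabled = 0
```

Two caveats a practitioner will hit: binding UDP 514 needs root (or an equivalent privilege) on Linux, so a forwarder running as an unprivileged user should listen on a high port such as 5514 and have the ESA log subscription point there; and because a network input can carry only one sourcetype, the HTTP and authentication subscriptions must go to separate ports (or to the monitored directories of route A) if they are to be tagged correctly.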
Hi Randino,
Please note which Splunk component below you use to collect data from Cisco ESA:
Regarding your log location questions, I think you can find detailed answers in the doc:
http://docs.splunk.com/Documentation/AddOns/released/CiscoESA/ConfigureCiscoESA
Hope it helps. Thanks!
Hi Randino,
Apologies if I am misunderstanding your question.
This step is asking you to point Splunk to the Cisco ESA log file that is being generated by your Cisco ESA installation, not a file generated in a Splunk directory.
Splunk will index and store data into buckets. http://docs.splunk.com/Documentation/Splunk/6.4.3/Indexer/HowSplunkstoresindexes
Let's focus on the issue with the data not indexing correctly. What's happening, and what are you expecting?
Thank you for the reply.
I have already configured the ESA to send mail logs to Splunk on UDP 514. The mail logs are making it to Splunk. I want the data to populate within Cisco Security Suite. I am trying to do step 4 of the guide: browse to the file or directory where the ESA logs are located.
I want to know where the logs from the ESA are being created, or where I need to point the monitor inputs.