I'm new to our environment here. Splunk is logging events from our Cisco ASA as a sourcetype of access_combined (see image). Is there a way to easily change that back to the original pre-trained sourcetype of Cisco?
Hi Juan!
I would start by checking the udp input in inputs.conf to ensure the sourcetype wasn't explicitly set.
I'm not sure the access_combined regex in props would ever mistake the ASA syslog...
If the sourcetype is not set on the inputs, then move to reviewing your props to see if you can identify what is causing Splunk to categorize these messages.
As for getting it back to Cisco, do you have any of the Cisco TAs installed? There is a TA for ASA that should help you properly identify these logs...
I found this in /opt/splunk/etc/apps/search/local/inputs.conf
[udp://514]
connection_host = dns
sourcetype = access_combined
index = network
I'm guessing since the firewalls are not explicitly defined, it is picking up the input as the specified sourcetype of access_combined.
Hey Juan, that is definitely it.
That setting explicitly sets all your logs received on that input to access_combined regardless of what they actually are.
I would double check whether your environment was set up so you would only receive weblogs on this port before changing it, but generally if you receive multiple log types on that port, you can remove the sourcetype and rely on your props.conf on the indexers to identify the sourcetype.
I would recommend you download the ASA app from Splunkbase and take a look at the props/transforms to see how you can dynamically sourcetype based on message.
https://splunkbase.splunk.com/app/1620/
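The approach described in the answer above, worked through as an added example (this is not configuration from the thread or from the Splunkbase ASA add-on): the sourcetype line is dropped from the UDP input, and a props/transforms pair on the indexers assigns the sourcetype per event instead. The transform names, the regexes, and the use of the source name udp:514 as the props stanza key are assumptions; cisco:asa is the sourcetype name the Cisco ASA add-on expects, but confirm it against the version you install.

```ini
# --- inputs.conf (assumed location: $SPLUNK_HOME/etc/apps/search/local/inputs.conf) ---
# The hard-coded "sourcetype = access_combined" is removed so that every event
# on this port is classified by props/transforms rather than forced to one type.
[udp://514]
connection_host = dns
index = network

# --- props.conf on the indexers (or on a heavy forwarder that parses) ---
# With no sourcetype on the input, events from this port carry the source
# "udp:514". Attach the rewriting transforms to that source; they run in order
# and the last matching one wins, so the most specific pattern goes last.
[source::udp:514]
TRANSFORMS-set_sourcetype = set_access_combined, set_cisco_asa

# --- transforms.conf ---
# Apache combined format (assumed pattern): client, ident, user, [time],
# "request", status, bytes, "referer", "user-agent".
[set_access_combined]
REGEX = ^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} (?:\d+|-) "[^"]*" "[^"]*"
FORMAT = sourcetype::access_combined
DEST_KEY = MetaData:Sourcetype

# Cisco ASA syslog carries a "%ASA-<severity>-<message id>:" tag
# (constructed sample: "%ASA-6-302013: Built outbound TCP connection ...").
[set_cisco_asa]
REGEX = %ASA-\d-\d+:
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype
```

After restarting the indexers, a quick check is to search the network index split by sourcetype and confirm that firewall events now land in cisco:asa while any web-server traffic on the same port still lands in access_combined; anything that matches neither pattern keeps the default syslog sourcetype, which is itself a useful signal that an unexpected device is sending to that port. Because the sourcetype is rewritten after line breaking and timestamp extraction, this only works cleanly when all the feeds on the port are single-line syslog; if that is not the case, sending each log type to its own UDP port with its own sourcetype is the more robust fix.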