Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk is Classifying ASA Logs as a Sourcetype of access_combined instead of Cisco sourcetype

juanlazarosanch
New Member
‎01-02-2017 09:54 AM

I'm new to our environment here. Splunk is logging events from our Cisco ASA as a sourcetype of access_combined (see image). Is there a way to easily change that back to the original pre-trained sourcetype of Cisco?alt text

Tags (1)
Preview file
1 KB
0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎01-02-2017 10:46 AM

Hi Juan!

I would start by checking the udp input in inputs.conf to ensure the sourcetype wasn't explicitly set.

I'm not sure the access combined regex in props would ever mistake the the asa syslog...

If the sourcetype is not set on the inputs, then move to reviewing your props to see if you can identify what is causing Splunk to categorize these messages.

As for getting it back to cisco, do you have any of the Cisco TA's installed?? There is a TA for ASA that should help you properly identify these logs...

- MattyMo
0 Karma
Reply

juanlazarosanch
New Member
‎01-02-2017 02:15 PM

I found this in /opt/splunk/etc/apps/search/local/inputs.conf

[udp://514]
connection_host = dns
sourcetype = access_combined
index = network

I'm guessing since the firewalls are not explicitly defined, it is picking up the input as the specified sourcetype of access_combined.

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎01-03-2017 09:33 AM

Hey Juan, that is definitely it.

That setting explicitly sets all your logs received on that input to access_combined regardless of what they actually are.

I would double check whether your environment was set up so you would only receive weblogs on this port before changing it, but generally if you receive multiple log types on that port, you can remove the sourcetype and rely on your props.conf on the indexers to identify the sourcetype.

I would recommend you download the ASA app from splunkbase and take a look at the props/transforms to see how you can dynamically sourcetype based on message

https://splunkbase.splunk.com/app/1620/

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...