Hi,
I am on an ASA 9.1 release, Splunk 6.5.2, Splunk_TA_cisco-asa 3.2.6.
I have configured the ASA syslog to send data to Splunk on port 5555.
Listening on port 5555 on Splunk receiving.
Please let me know what I am missing. Hopefully not too much of a newbie question :)
Thanks
This default app is configured for port 514 in the props.conf file in the add-on/default folder. To fix it, if you are new, just create a folder/directory called local in the add-on directory and add a new props.conf with the following information. A local props.conf with the stanzas below overrides the ones in default per the order of precedence in Splunk. Do not alter the default/props.conf file.
Directory Path: $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local/props.conf
props.conf
[source::tcp:5555]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
[source::udp:5555]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
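A check for the mismatch described in the answer above, as an added example that is not part of the original answer or of the add-on: it layers a local props.conf over the default one and lists every tcp/udp input whose port and protocol have no `[source::<proto>:<port>]` stanza carrying the `TRANSFORMS-force_sourcetype_for_cisco` key. The sample configs are constructed, the function names are hypothetical, and only exact stanza names are matched (no wildcard source patterns).

```python
import re

KEY = "TRANSFORMS-force_sourcetype_for_cisco"
VALUE = ("force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,"
         "force_sourcetype_for_cisco_fwsm")

# Constructed sample configs (not from a real deployment).
INPUTS = "[udp://5555]\nconnection_host = ip\n\n[tcp://514]\nconnection_host = ip\n"
DEFAULT_PROPS = f"[source::tcp:514]\n{KEY} = {VALUE}\n[source::udp:514]\n{KEY} = {VALUE}\n"
LOCAL_TCP_ONLY = f"[source::tcp:5555]\n{KEY} = {VALUE}\n"
LOCAL_BOTH = LOCAL_TCP_ONLY + f"[source::udp:5555]\n{KEY} = {VALUE}\n"


def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def merge(default, local):
    """Layer local over default key by key; default is left unmodified."""
    merged = {name: dict(keys) for name, keys in default.items()}
    for name, keys in local.items():
        merged.setdefault(name, {}).update(keys)
    return merged


def uncovered_inputs(inputs_text, default_props, local_props):
    """Return source stanzas that network inputs need but props lacks."""
    props = merge(parse_conf(default_props), parse_conf(local_props))
    missing = []
    for stanza in parse_conf(inputs_text):
        # Matches [tcp://5555], [udp://5555] and [tcp://<host>:5555].
        m = re.fullmatch(r"(tcp|udp)://(?:[^:/]*:)?(\d+)", stanza)
        if m:
            source = f"source::{m.group(1)}:{m.group(2)}"
            if KEY not in props.get(source, {}):
                missing.append(source)
    return missing


if __name__ == "__main__":
    print(uncovered_inputs(INPUTS, DEFAULT_PROPS, LOCAL_TCP_ONLY))
    print(uncovered_inputs(INPUTS, DEFAULT_PROPS, LOCAL_BOTH))
```

With the constructed UDP input on 5555 and a local override for TCP only, the first call reports `source::udp:5555`, which is the protocol mismatch case; with both stanzas present the list is empty.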
Are the ASA and Splunk using the same protocol (TCP vs. UDP)?
Dumb question: Are the ports open if there is a firewall?