Can the Cisco Firewall addon be restricted to only analyze data from a specific source or sourcetype?
I have reports from Nagios coming in which contain references that trigger the [cisco_pix] stanza in /opt/splunk/etc/apps/cisco_firewall_addon/default/transforms.conf. These are being incorrectly rewritten with the cisco_firewall sourcetype.
Hi, If you look in the default/props.conf directory you will see:
TRANSFORMS-asa=cisco_asa TRANSFORMS-pix=cisco_pix TRANSFORMS-ios=cisco_ios TRANSFORMS-fwsm=cisco_fwsm
Remove these lines, then set the data input for the actual Cisco Pix firewall to cisco_firewall. This will prevent other things from getting source-typed when it matches %PIX.
Hi, If you look in the default/props.conf directory you will see:
TRANSFORMS-asa=cisco_asa TRANSFORMS-pix=cisco_pix TRANSFORMS-ios=cisco_ios TRANSFORMS-fwsm=cisco_fwsm
Remove these lines, then set the data input for the actual Cisco Pix firewall to cisco_firewall. This will prevent other things from getting source-typed when it matches %PIX.
Will, Thanks.
One other thing proved useful - I updated the
TRANSFORMS-extract = cisco_firewall_hostoverride to TRANSFORMS = syslog-host. Hostname extraction was failing for some reason.