Cisco Firewall addon data source

timbCFCA
Path Finder

Can the Cisco Firewall addon be restricted to only analyze data from a specific source or sourcetype?

I have reports from Nagios coming in which contain references that trigger the [cisco_pix] stanza in /opt/splunk/etc/apps/cisco_firewall_addon/default/transforms.conf. These are being incorrectly rewritten with the cisco_firewall sourcetype.


Will_Hayes
Splunk Employee

Hi, If you look in the default/props.conf directory you will see:

TRANSFORMS-asa=cisco_asa
TRANSFORMS-pix=cisco_pix
TRANSFORMS-ios=cisco_ios
TRANSFORMS-fwsm=cisco_fwsm

Remove these lines, then set the data input for the actual Cisco Pix firewall to cisco_firewall. This will prevent other things from getting source-typed when it matches %PIX.
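The following configuration is an added illustration of the approach in this answer, not the addon's own files. It contrasts the broad setup that re-types any event containing %PIX with two scoped alternatives: assigning the sourcetype at the input, as suggested above, and, going one step further than the answer, keeping the override but limiting it to the firewall's host when several devices share one input. The [syslog] attachment stanza, the regex in the [cisco_pix] stand-in, the UDP input address and the host name are all assumptions chosen for the example.

```ini
# Constructed example; not the cisco_firewall addon's shipped configuration.

# --- Broad setup (assumed layout of the addon's default/props.conf):
# the override hangs off a generic stanza, so a Nagios alert that merely
# mentions %PIX is rewritten to sourcetype=cisco_firewall as well.
# File: props.conf
[syslog]
TRANSFORMS-pix = cisco_pix

# Stand-in for the addon's [cisco_pix] stanza (the real regex is the addon's).
# File: transforms.conf
[cisco_pix]
REGEX = %PIX-\d-\d+
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco_firewall

# --- Scoped alternative 1 (the answer's approach): remove the broad
# TRANSFORMS-pix line above and set the sourcetype on the firewall's input.
# Only events arriving through this input get cisco_firewall; Nagios data
# on other inputs is left with its own sourcetype.
# File: inputs.conf (placeholder address: the PIX's syslog source)
[udp://10.0.0.1:514]
sourcetype = cisco_firewall

# --- Scoped alternative 2: several devices share one syslog input, so keep
# the override but attach it to the firewall's host instead of [syslog].
# Events from any other host never reach the cisco_pix transform.
# File: props.conf (placeholder host name)
[host::pix-fw-01]
TRANSFORMS-pix = cisco_pix
```

After changing either file, the new sourcetype assignment applies only to data indexed from that point on; a quick check is to search the Nagios source over a recent window and confirm its sourcetype is no longer cisco_firewall, and then confirm the firewall's own events still are.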

timbCFCA
Path Finder

Will, Thanks.

One other thing proved useful - I updated the TRANSFORMS-extract = cisco_firewall_hostoverride to TRANSFORMS = syslog-host. Hostname extraction was failing for some reason.
