Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cisco Firewall addon data source

timbCFCA
Path Finder
‎08-09-2010 02:24 PM

Can the Cisco Firewall addon be restricted to only analyze data from a specific source or sourcetype?

I have reports from Nagios coming in which contain references that trigger the [cisco_pix] stanza in /opt/splunk/etc/apps/cisco_firewall_addon/default/transforms.conf. These are being incorrectly rewritten with the cisco_firewall sourcetype.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Will_Hayes
Splunk Employee
Splunk Employee
‎08-10-2010 12:50 AM

Hi, If you look in the default/props.conf directory you will see:

TRANSFORMS-asa=cisco_asa TRANSFORMS-pix=cisco_pix TRANSFORMS-ios=cisco_ios TRANSFORMS-fwsm=cisco_fwsm

Remove these lines, then set the data input for the actual Cisco Pix firewall to cisco_firewall. This will prevent other things from getting source-typed when it matches %PIX.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Will_Hayes
Splunk Employee
Splunk Employee
‎08-10-2010 12:50 AM

Hi, If you look in the default/props.conf directory you will see:

TRANSFORMS-asa=cisco_asa TRANSFORMS-pix=cisco_pix TRANSFORMS-ios=cisco_ios TRANSFORMS-fwsm=cisco_fwsm

Remove these lines, then set the data input for the actual Cisco Pix firewall to cisco_firewall. This will prevent other things from getting source-typed when it matches %PIX.

0 Karma
Reply
Solved! Jump to solution

timbCFCA
Path Finder
‎08-17-2010 05:09 PM

Will, Thanks.
One other thing proved useful - I updated the
TRANSFORMS-extract = cisco_firewall_hostoverride to TRANSFORMS = syslog-host. Hostname extraction was failing for some reason.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...