Getting Data In

Missing pretrained sourcetypes

mpilking2
New Member

I have a new installation and I have only made a couple of tweaks. Specifically, I added a new props.conf and transforms.conf to /opt/splunk/etc/system/local according to this blog: http://kleinco.com.au/thoughts-events/item/forensic-timeline-splunking

I have a file with a few thousand Cisco ASA firewall syslog entries. I have installed both Splunk for Cisco Firewalls and Splunk for Cisco ASA apps.

I want to index this firewall log file via Data Inputs > Files & Directories > New. When I preview the file, it is not automatically recognized and so I choose "Apply an existing sourcetype", but there is no cisco_syslog (which should be a pretrained option from what I've read) or any other cisco or firewall options.

How do I get the ASA log file data to be parsed correctly? At a minimum, I want to see Timestamp, Source IP, Source Port, Destination IP, Destination Port, and built or denied.

Thanks!

0 Karma
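An added example, not code from the thread or from the Cisco apps: a Python extractor for the minimum fields the question asks for (timestamp, source/destination IP and port, built or denied) from two common ASA connection messages. The sample lines and field names are constructed; the same patterns would be written with `(?<name>...)` groups in a Splunk `EXTRACT-` setting, which Python's `re` spells `(?P<name>...)`.

```python
import re

# Constructed sample lines (not from the thread), in the form ASA syslog
# arrives after a syslog header: "<date> <host> %ASA-<sev>-<msgid>: <text>".
SAMPLE_LINES = [
    'Mar 14 10:15:01 asa01 %ASA-6-302013: Built inbound TCP connection 4711 '
    'for outside:203.0.113.7/51234 (203.0.113.7/51234) to '
    'inside:192.0.2.10/443 (192.0.2.10/443)',
    'Mar 14 10:15:02 asa01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 '
    'dst inside:192.0.2.10/22 by access-group "outside_in" [0x0, 0x0]',
    'Mar 14 10:15:03 asa01 %ASA-6-302014: Teardown TCP connection 4711 for '
    'outside:203.0.113.7/51234 to inside:192.0.2.10/443 duration 0:00:01 bytes 812',
]

# Timestamp and message id come from the syslog header; the rest is the body.
HEADER_RE = re.compile(
    r'^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ '
    r'%ASA-\d-(?P<msg_id>\d{6}): (?P<body>.*)$'
)
# Connection Built/Teardown messages (302013/302014 style).
CONN_RE = re.compile(
    r'^(?P<action>Built|Teardown) (?:inbound |outbound )?(?P<proto>\w+) connection '
    r'\d+ for \w+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+).*? to '
    r'\w+:(?P<dest_ip>[\d.]+)/(?P<dest_port>\d+)'
)
# Access-list deny messages (106023 style).
DENY_RE = re.compile(
    r'^(?P<action>Deny) (?P<proto>\w+) src \w+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst \w+:(?P<dest_ip>[\d.]+)/(?P<dest_port>\d+)'
)
ACTION_NAMES = {'Built': 'built', 'Teardown': 'teardown', 'Deny': 'denied'}


def extract_fields(line):
    """Return the requested fields for one line, or None for other message types."""
    header = HEADER_RE.match(line)
    if not header:
        return None
    body = header.group('body')
    match = CONN_RE.match(body) or DENY_RE.match(body)
    if not match:
        return None
    fields = {'timestamp': header.group('timestamp'), 'msg_id': header.group('msg_id')}
    fields.update(match.groupdict())
    fields['action'] = ACTION_NAMES[fields['action']]  # normalise to built/teardown/denied
    return fields


def parse_lines(lines):
    """Extract fields from every recognised line, skipping the rest."""
    return [f for f in (extract_fields(l) for l in lines) if f is not None]


if __name__ == '__main__':
    for row in parse_lines(SAMPLE_LINES):
        print(row)
```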

sdaniels
Splunk Employee

If you have the Splunk for Cisco ASA app installed you may try skipping the preview and check the "More Settings" checkbox and manually set the sourcetype to what you expect. In order to populate the list the preview app uses, you need to make a configuration change in the current version which is not ideal.

From the app...these are the settings you want for sourcetype and index.

The sourcetype needs to be set to "cisco_asa" and the logs need to be stored in the "firewall" index.

0 Karma

sdaniels
Splunk Employee

For the "Set the sourcetype" drop down pick Manual and then manually put in the cisco_asa sourcetype. That is what exists in the underlying config files.

0 Karma

mpilking2
New Member

Even when I skip preview and choose More Settings & Firewall index, there still is no "cisco_asa" option from the drop down list of source types.

0 Karma