Getting Data In

Missing pretrained sourcetypes

mpilking2
New Member

I have a new installation and I have only made a couple of tweaks. Specifically, I added a new props.conf and transforms.conf to /opt/splunk/etc/system/local according to this blog: http://kleinco.com.au/thoughts-events/item/forensic-timeline-splunking

I have a file with a few thousand Cisco ASA firewall syslog entries. I have installed both Splunk for Cisco Firewalls and Splunk for Cisco ASA apps.

I want to index this firewall log file via Data Inputs > Files & Directories > New. When I preview the file, it is not automatically recognized and so I choose "Apply an existing sourcetype", but there is no cisco_syslog (which should be a pretrained option from what I've read) or any other cisco or firewall options.

How do I get the ASA log file data to be parsed correctly? At a minimum, I want to see Timestamp, Source IP, Source Port, Destination IP, Destination Port, and built or denied.

Thanks!

0 Karma
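As an added illustration (not code from the thread or from the Splunk apps mentioned), the following Python parser pulls exactly the fields the question lists from constructed Cisco ASA syslog lines, so the log file's format can be checked outside Splunk before choosing a sourcetype. The sample lines, hostname and year are assumptions; the Build/Deny message layouts follow the standard ASA 302013 and 106023 formats.

```python
import re
from datetime import datetime

# Constructed sample lines in the layout an ASA sends over syslog (not the asker's file).
SAMPLE_LOG = """\
Mar 26 10:15:01 fw01 %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.1.7/51234 (10.1.1.7/51234)
Mar 26 10:15:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.1.1.7/22 by access-group "outside_in" [0x0, 0x0]
Mar 26 10:15:03 fw01 %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.5/443 to inside:10.1.1.7/51234 duration 0:00:02 bytes 1532 TCP FINs
"""

HDR_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$")
# 302013 etc.: "Built {inbound|outbound} <proto> connection <id> for <if>:<ip>/<port> (...) to <if>:<ip>/<port> (...)"
BUILT_RE = re.compile(r"^Built (?P<dir>inbound|outbound) .*? for [\w-]+:(?P<ip1>[\d.]+)/(?P<p1>\d+) .*? to [\w-]+:(?P<ip2>[\d.]+)/(?P<p2>\d+)")
# 106023: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group ..."
DENY_RE = re.compile(r"^Deny \w+ src [\w-]+:(?P<ip1>[\d.]+)/(?P<p1>\d+) dst [\w-]+:(?P<ip2>[\d.]+)/(?P<p2>\d+)")

def parse_asa_line(line, year=2024):
    """Return the fields asked for above, or None for message types the regexes do not cover (e.g. Teardown)."""
    h = HDR_RE.match(line.strip())
    if not h:
        return None
    body = h.group("body")
    if body.startswith("Built"):
        action, m = "built", BUILT_RE.match(body)
    elif body.startswith("Deny"):
        action, m = "denied", DENY_RE.match(body)
    else:
        return None
    if not m:
        return None
    src, dst = (m.group("ip1"), int(m.group("p1"))), (m.group("ip2"), int(m.group("p2")))
    # ASA names the lower-security interface first, so on an outbound Built message the
    # "for" side is the destination and the "to" side is the inside host that initiated it.
    if action == "built" and m.group("dir") == "outbound":
        src, dst = dst, src
    # Syslog timestamps carry no year; the caller supplies the year the file was collected in.
    ts = datetime.strptime(f"{year} {h.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"timestamp": ts.isoformat(), "src_ip": src[0], "src_port": src[1],
            "dst_ip": dst[0], "dst_port": dst[1], "action": action}

def parse_asa_log(text, year=2024):
    """Parse every line, skipping those not covered; comparing the count with the line count shows coverage."""
    return [r for r in (parse_asa_line(l, year) for l in text.splitlines()) if r]

if __name__ == "__main__":
    for rec in parse_asa_log(SAMPLE_LOG):
        print(rec)
```

Lines that come back as None (the Teardown message here) are the ones a Splunk sourcetype would still need to handle, which is a quick way to see whether a file really is in the ASA format the cisco_asa sourcetype expects.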

sdaniels
Splunk Employee

If you have the Splunk for Cisco ASA app installed you may try skipping the preview and check the "More Settings" checkbox and manually set the sourcetype to what you expect. In order to populate the list the preview app uses, you need to make a configuration change in the current version which is not ideal.

From the app...these are the settings you want for sourcetype and index.

The sourcetype needs to be set to "cisco_asa" and the logs need to be stored in the "firewall" index.

0 Karma

sdaniels
Splunk Employee

For the "Set the sourcetype" drop down pick Manual and then manually put in the cisco_asa sourcetype. That is what exists in the underlying config files.

0 Karma

mpilking2
New Member

Even when I skip preview and choose More Settings & Firewall index, there still is no "cisco_asa" option from the drop down list of source types.

0 Karma