All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Cisco ASA and Cisco IOS

ShaunBaker
Path Finder
‎11-29-2017 05:39 PM

Hello All, I have ASAs and Routers feeding into the same data input port. I'm finding that playing around with cisco networks add-on, cisco ASA add-on, cisco networks app and cisco security suite, I'm finding there isn't a 'silver bullet' one add-on and app does it all. If using the networks add-on I get great IOS field extraction and searches, really bad firewall data in, visa versa if ASA add-on and security app with great firewall extraction and searches, no IOS. BTW both apps/Dashboards are really nice, just wish I could blend them/have a props.conf to rule them all haha.

I'm assuming trying to port one over to the other would be vein, that the regular expression extraction would be monumental or even impossible to try and get the best of both worlds.

Is the best plan to send all IOS/Router to port 'X', and all ASA to port 'y' and change the data inputs and .confs of the apps respectively? Likely won't have a lot of options in blending some panels (maybe if I get all the permissions setup right) but at least I'm getting all that stuff in, good field extractions. Any other options to try and make a Cisco app/add-on and dashboard that is comprehensive?

0 Karma
Reply

hnorvik
Explorer
‎05-09-2018 11:04 AM

We have the ASAs sending to TCP port x and routers/switches sending to udp port y.
This was done since the ASA is more chatty with number of messages and we ended up loosing some events.

Make sure you add this line to the ASA if using TCP : logging permit-hostdown
This will allow the ASA to continue passing traffic despite that the Splunk receiver is down.

By using different ports, you don't have to rely on the props and transforms to detect the sourcetype, and you can put data into the index of your choice right away. We use different index' for network and ASA data due to different retention requirements.
I don't see the reason why you need to blend them into one app.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...