Cisco Security Suite/Splunk for Cisco Firewalls - input from log file

splunked38
Communicator

All,

Trying to set up CSC for firewalls but using a local log file as opposed to syslog (it's a proof of concept and we don't want to change FW configs, etc just yet)

What is done so far:

  • Installed CSC and Splunk for Cisco Firewalls
  • Created an inputs.conf in the Cisco FW app directory, i.e. splunk_ciscofirewalls\local:

    [monitor://C:\Firewall\*cisco]
    disabled=false

  • Restarted Splunk

Splunk grabs the file without issue but the sourcetypes do not appear (not applying the transforms).

Note: we deliberately omitted the sourcetype as we want the app to assign the events to the respective source type as per: http://wiki.splunk.com/Set_up_Splunk_for_Cisco_Firewalls

'Do not specify a source type. The Splunk for Cisco Firewalls add-on automatically assigns source types for your Cisco ASA, FWSM, and PIX firewall events as cisco_asa, cisco_fwsm, and cisco_pix, accordingly.'

Questions:

  • Is this possible to do without setting up syslog (I would imagine the answer is yes)?
  • Has anyone set this up successfully?
  • Is there a step missing?

emotz
Splunk Employee

Yes, it is possible. Look inside the props/transforms to understand what sourcetype the CSS app is expecting and set that in your inputs.conf file after

    disabled = false
    sourcetype = cisco:asa

Not positive that is the right sourcetype - but it is probably close.


splunked38
Communicator

Thanks Emotz, we did that and it appears that it's processing some of the entries, I'll need to verify again tomorrow.

Note: we don't want to assign a sourcetype and would like to get the app to assign it (see the new note above in the original post).


emotz
Splunk Employee

You would also need to reset your fishbucket, if possible without messing everything else up, to re-index the same file. Or you could use oneshot? Or you need to add another file to that directory.

If you have to index that exact file, you can also set crcSalt = in your inputs.conf file and change the name of the file to reindex it.

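As an added illustration, not code from this thread or from Splunk, the Python script below models why a file Splunk has already indexed (or a renamed copy of it with the same contents) is silently skipped until the fishbucket is cleared, and why the crcSalt setting (set to <SOURCE> in inputs.conf, which mixes the file's path into the fingerprint) makes the renamed copy look new. The model is an assumption: Splunk fingerprints a monitored file by a CRC of its first initCrcLength (default 256) bytes, and this script emulates that with zlib.crc32 and an in-memory dictionary; the ASA-style log lines are constructed sample data, not output from a real firewall.

```python
import os
import shutil
import tempfile
import zlib

# Splunk's default initCrcLength: a monitored file is fingerprinted by a CRC of
# its first 256 bytes. (Assumption: this script only emulates that behaviour.)
INIT_CRC_LENGTH = 256

# Constructed sample of Cisco ASA syslog-style lines (not captured from a real device).
SAMPLE_LOG = b"\n".join([
    b"Jan 01 2024 00:00:01 fw01 : %ASA-6-302013: Built inbound TCP connection 1 for "
    b"outside:203.0.113.10/51000 (203.0.113.10/51000) to inside:192.0.2.20/443 (192.0.2.20/443)",
    b"Jan 01 2024 00:00:02 fw01 : %ASA-4-106023: Deny tcp src outside:203.0.113.11/52000 "
    b"dst inside:192.0.2.21/22 by access-group \"outside_in\"",
    b"Jan 01 2024 00:00:03 fw01 : %ASA-6-302014: Teardown TCP connection 1 for "
    b"outside:203.0.113.10/51000 to inside:192.0.2.20/443 duration 0:00:02 bytes 1234 TCP FINs",
]) + b"\n"


def file_crc(path, crc_salt_source=False, init_crc_length=INIT_CRC_LENGTH):
    """Fishbucket-style fingerprint: CRC over the first init_crc_length bytes.

    With crc_salt_source=True the absolute path is mixed in, which is the effect
    of crcSalt = <SOURCE>: two files with identical headers but different names
    then get different fingerprints.
    """
    with open(path, "rb") as fh:
        head = fh.read(init_crc_length)
    salt = os.path.abspath(path).encode("utf-8") if crc_salt_source else b""
    return zlib.crc32(head + salt) & 0xFFFFFFFF


class Fishbucket:
    """Minimal model of the fishbucket: remembers fingerprints already indexed."""

    def __init__(self):
        self.seen = {}  # fingerprint -> path first indexed under it

    def should_index(self, path, crc_salt_source=False):
        """Return True (and record the file) only if its fingerprint is unknown."""
        key = file_crc(path, crc_salt_source)
        if key in self.seen:
            return False  # same header already indexed: Splunk would skip this file
        self.seen[key] = path
        return True

    def reset(self):
        """Equivalent of clearing the fishbucket so every file re-indexes."""
        self.seen.clear()


def demo():
    """Constructed walk-through: index a log, copy it under a new name, and see
    whether the renamed copy is treated as new, with and without the salt and
    after a fishbucket reset. Returns the decisions so they can be checked."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "asa-2024-01-01.cisco")
        with open(original, "wb") as fh:
            fh.write(SAMPLE_LOG)
        renamed = os.path.join(workdir, "asa-2024-01-01-reindex.cisco")
        shutil.copyfile(original, renamed)  # same bytes, new file name

        plain = Fishbucket()
        unsalted = (plain.should_index(original), plain.should_index(renamed))

        salted = Fishbucket()
        with_salt = (salted.should_index(original, crc_salt_source=True),
                     salted.should_index(renamed, crc_salt_source=True))

        plain.reset()
        after_reset = plain.should_index(original)

        return {"unsalted": unsalted, "salted": with_salt, "after_reset": after_reset}


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Without the salt the renamed copy is skipped because its first 256 bytes, and therefore its fingerprint, are identical to the file already recorded; with the salt the path differs, so the copy is indexed; clearing the bucket makes even the original file index again. The model leaves out the fishbucket's seek pointer, which is why a real reset re-reads whole files rather than only new data.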