Re: Unable to get data from ASA

rgraham29975 · ‎03-30-2017

Hi,

I am on an ASA 9.1 release, splunk 6.5.2, Splunk _TA_cisco-asa 3.2.6

I have configured the ASA syslog to send data to Splunk on port 5555.

listening on port 5555 on splunk receiving.

Please let me know what I am missing. Hopefully not too much of a newbie question:)
thanks

dmaislin_splunk · ‎03-31-2017

This default app is configured for port 514 in the props.conf file in the add-on/default folder. To fix it, if you are new, just create a folder/directory called local in the add-on directory and add a new props.conf with the following information. A local props.conf with the stanzas below overrides the ones in default per the order of precedence in Splunk. Do not alter the default/props.conf file.

Directory Path: $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local/props.conf

props.conf

[source::tcp:5555]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[source::udp:5555]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

richgalloway · ‎03-31-2017

Are the ASA and Splunk using the same protocol (TCP vs. UDP)?

---
If this reply helps you, Karma would be appreciated.

atari1050 · ‎03-31-2017

Dumb question: Are the ports open if there is a firewall?

Unable to get data from ASA

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...