On Splunk version 5.0.1, build 143156, this app will not correctly extract time from ASA syslog messages without some tweaking. You will need to modify the app's props.conf file to get it working.
Mine was located here: /opt/splunk/etc/apps/Splunk_CiscoFirewalls/default
You want to modify this:
[cisco_firewall]
MAX_TIMESTAMP_LOOKAHEAD=19
To this:
[cisco_firewall]
MAX_TIMESTAMP_LOOKAHEAD=28
This will fix timestamp extraction and allow your events to show up and be indexed at the correct time.
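To check which lookahead value your own events need before editing props.conf, the sketch below (an added example, not part of the original post or the app) measures where the timestamp ends in each raw event. The sample events, the timestamp regex, and the simplified model that the whole timestamp must fall inside the first MAX_TIMESTAMP_LOOKAHEAD characters are assumptions; the post itself does not show a raw event.

```python
import re

# Syslog-style timestamp as an ASA can emit it, with an optional year.
# Assumed formats: the original post does not show a raw event.
TS = re.compile(r"[A-Z][a-z]{2} [ \d]\d (?:\d{4} )?\d{2}:\d{2}:\d{2}")

# Constructed sample events, not taken from the post.
SAMPLES = [
    "Jan 10 12:34:56 fw01 %ASA-6-302013: Built outbound TCP connection",
    "<166>Jan 10 2013 12:34:56 fw01 : %ASA-6-302013: Built outbound TCP connection",
    "<166>Jan  5 2013 01:02:03 fw01 : %ASA-4-106023: Deny tcp src outside",
]


def timestamp_end(event):
    """Offset (in characters) where the first timestamp ends, or None."""
    m = TS.search(event)
    return m.end() if m else None


def extractable(event, lookahead):
    """Simplified model of MAX_TIMESTAMP_LOOKAHEAD: the timestamp must be
    fully contained in the first `lookahead` characters of the event."""
    return TS.search(event[:lookahead]) is not None


def required_lookahead(events):
    """Smallest lookahead that covers the timestamp in every event."""
    ends = [e for e in map(timestamp_end, events) if e is not None]
    return max(ends) if ends else None


def report(events, candidates=(19, 28)):
    """Per-candidate list of events whose timestamp would be missed."""
    return {n: [ev for ev in events if not extractable(ev, n)]
            for n in candidates}


if __name__ == "__main__":
    print("minimum lookahead needed:", required_lookahead(SAMPLES))
    for n, missed in report(SAMPLES).items():
        print(f"MAX_TIMESTAMP_LOOKAHEAD={n}: {len(missed)} event(s) missed")
        for ev in missed:
            print("   ", ev[:40])
```

Replace SAMPLES with a few raw lines captured from your firewall; events that land at the wrong time distort time-based searches and correlation, so confirm the chosen value covers every format your devices send.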