If you are just receiving ASA syslog on port udp514 and firewall data ONLY you could easily do it like this:
[udp://514]
index=firewall
sourcetype=cisco_asa
I really don't know exactly where to input this string. I have briefly looked in the docs section and once again they are very vague. Doing some troubleshooting, I noticed that when I do a SEARCH (NOT IN THE APP) for index=firewall, it retrieves nothing, so I know I have the indexing screwed up.
I have looked in Splunk\etc\apps\Splunk_for_CiscoASA\local for the files you asked about and there are not any. I didn't know if I should just create new ones and add the information or what?
Any help would be greatly appreciated.