I have a new installation and I have only made a couple of tweaks. Specifically, I added a new props.conf and transforms.conf to /opt/splunk/etc/system/local according to this blog: http://kleinco.com.au/thoughts-events/item/forensic-timeline-splunking
I have a file with a few thousand Cisco ASA firewall syslog entries. I have installed both Splunk for Cisco Firewalls and Splunk for Cisco ASA apps.
I want to index this firewall log file via Data Inputs > Files & Directories > New. When I preview the file, it is not automatically recognized and so I choose "Apply an existing sourcetype", but there is no cisco_syslog (which should be a pretrained option from what I've read) or any other cisco or firewall options.
How do I get the ASA log file data to be parsed correctly? At a minimum, I want to see Timestamp, Source IP, Source Port, Destination IP, Destination Port, and built or denied.
Thanks!
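An added illustration, not part of the original post or of either Splunk app: the minimum fields asked for (timestamp, source IP/port, destination IP/port, built vs. denied) pulled out of constructed ASA 302013 "Built" and 106023 "Deny" lines with plain Python regexes. The sample lines, the year default and the field names are assumptions; the same patterns could be placed in a props.conf `EXTRACT-` stanza after renaming `(?P<name>` to `(?<name>`.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not from the original post); the message
# bodies follow the Cisco ASA 302013 (Built) and 106023 (Deny) layouts.
SAMPLE_LOG = """\
Mar  5 14:22:01 fw01 %ASA-6-302013: Built inbound TCP connection 88213 for outside:203.0.113.7/51432 (203.0.113.7/51432) to inside:10.0.0.25/443 (10.0.0.25/443)
Mar  5 14:22:03 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/40211 dst inside:10.0.0.25/22 by access-group "outside_in" [0x0, 0x0]
Mar  5 14:22:04 fw01 %ASA-6-302014: Teardown TCP connection 88213 for outside:203.0.113.7/51432 to inside:10.0.0.25/443 duration 0:00:03 bytes 1420 TCP FINs
"""

# Syslog header timestamp: "Mar  5 14:22:01" (day may be space-padded).
TIMESTAMP_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
# 302013: Built <dir> <proto> connection <id> for <if>:<src>/<port> (...) to <if>:<dst>/<port> (...)
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<direction>inbound|outbound) (?P<proto>\w+) connection \d+ "
    r"for \w+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) .*? to \w+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")
# 106023: Deny <proto> src <if>:<src>/<port> dst <if>:<dst>/<port> by access-group ...
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst \w+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")


def parse_asa_line(line, year=2024):
    """Return the requested fields for a Built or Deny line, else None.
    Syslog headers carry no year, so the caller supplies one (assumed default)."""
    ts = TIMESTAMP_RE.match(line)
    if not ts:
        return None
    for action, rx in (("built", BUILT_RE), ("denied", DENY_RE)):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            return {
                "timestamp": datetime.strptime(f"{year} {ts['ts']}", "%Y %b %d %H:%M:%S"),
                "src_ip": d["src_ip"], "src_port": int(d["src_port"]),
                "dst_ip": d["dst_ip"], "dst_port": int(d["dst_port"]),
                "action": action, "proto": d["proto"].lower(),
            }
    return None  # other message IDs (e.g. 302014 Teardown) are skipped here


def parse_asa_log(text, year=2024):
    """Parse every line of a log blob, keeping only Built/Deny events."""
    return [ev for ev in (parse_asa_line(l, year) for l in text.splitlines()) if ev]


if __name__ == "__main__":
    for ev in parse_asa_log(SAMPLE_LOG):
        print(ev)
```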