https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179397#M35988 <P>Could you try adding the following to the udp://514 stanza:</P> <PRE><CODE>sourcetype=syslog </CODE></PRE> <P>This should work as I have more than a dozen customer installs where the sourcetype is set as syslog, and add-ons such as Cisco ASA add-on and Cisco Networks add-on change the sourcetype based on a transform. This works out of the box with a lot of apps.</P> <P>Make sure you do not set a value for the <EM>source</EM> field, only <EM>sourcetype</EM>.</P> Fri, 20 Mar 2015 02:40:39 GMT mikaelbje 2015-03-20T02:40:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179386#M35977 <P>Hi All,</P> <P>I have been having issues with getting logs into splunk from our cisco fwsm. When I open up wireshark I can see network traffic coming in but it does not hit any index. To prove this theory I searched all of the potential indexes plus looked up via IP address. I am not sure where to start to troubleshoot. Does anyone know about debug logs that I can review? I have installed and configured the app as per guidelines written by cisco so I am pretty sure that is ok. Any help would be appreciated.</P> Wed, 18 Mar 2015 00:09:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179386#M35977 domenico_perre 2015-03-18T00:09:13Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179387#M35978 <P>Also I have added the following as a catchall just in case and it is still not working. I have specified both main and ciscocore as the index and no luck.</P> <P>Path Splunk\etc\system\local</P> <P>props.conf<BR /> [host::x.x.x.x]<BR /> TRANSFORMS-index=sendFirewallLogs</P> <P>[host::x.x.x.x]<BR /> TRANSFORMS-index=sendFirewallLogs2</P> <P>[sendFirewallLogs]<BR /> REGEX=.<BR /> DEST_KEY=_MetaData:Index<BR /> FORMAT=main<BR /> WRITE_META=true</P> <P>[sendFirewallLogs2]<BR /> REGEX=.<BR /> DEST_KEY=_MetaData:Index<BR /> FORMAT=main<BR /> WRITE_META=true</P> Mon, 28 Sep 2020 19:10:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179387#M35978 domenico_perre 2020-09-28T19:10:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179388#M35979 <P>Could you paste the contents of your inputs.conf? You should have a stanza for UDP port 514 or any other port you chose.</P> Wed, 18 Mar 2015 06:56:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179388#M35979 mikaelbje 2015-03-18T06:56:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179389#M35980 <P>My inputs.conf is in a default state. </P> <P>I can confirm that there is a setting in data inputs and receiving for port 514 and a netstat -ano | findstr "514" shows the UDP port.</P> Thu, 19 Mar 2015 00:49:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179389#M35980 domenico_perre 2015-03-19T00:49:25Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179390#M35981 <P>And no data for FWSM when you search:</P> <PRE><CODE>index=* </CODE></PRE> <P>Over all time? All time because we want to rule out any timestamp issues.</P> <P>Just a wild guess, but could it be the windows firewall?</P> Thu, 19 Mar 2015 02:22:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179390#M35981 mikaelbje 2015-03-19T02:22:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179391#M35982 <P>Nah its cisco fwsm. Yeah I tried the index=* and there was nothing in the logs. So for a little more background it was working previously but then stopped one day. I am not sure why though. So historic data is still available but not current data.</P> <P>Thanks for your help. Splunk answers was my last ditch effort as I have gone through most of the articles on splunk answers but with no luck :(.</P> <P>The old bucket it was going to was 'main'</P> Thu, 19 Mar 2015 03:08:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179391#M35982 domenico_perre 2015-03-19T03:08:52Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179392#M35983 <P>What I meant was if it could be the Windows firewall blocking inbound connections on UDP port 514, or perhaps another local firewall?</P> <P>I assume the traffic you saw in your wireshark capture was coming in on UDP 514? 100% sure no one changed it to TCP on the FWSM?</P> Thu, 19 Mar 2015 06:07:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179392#M35983 mikaelbje 2015-03-19T06:07:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179393#M35984 <P>Yeah 100% its on UDP and firewall is not interfering :). As there is other syslog data coming in on the same port. Is there any debug logs that I can enable to see why an index is not receiving data?</P> Thu, 19 Mar 2015 06:11:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179393#M35984 domenico_perre 2015-03-19T06:11:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179394#M35985 <P>Not too sure about what log this would go in, but splunkd.log and splunkd_stdout.log and splunkd_stderr.log would be my guesses.</P> Mon, 28 Sep 2020 19:15:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179394#M35985 mikaelbje 2020-09-28T19:15:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179395#M35986 <P>So I started splunk in debug mode and noticed the following event with the correct source IP of my firewall. So it seems that the data is being accepted but not sure where though.</P> <P>03-20-2015 08:34:30.821 DEBUG UDPInputProcessor - event=data from=x.x.x.x status=accepted</P> Thu, 19 Mar 2015 22:24:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179395#M35986 domenico_perre 2015-03-19T22:24:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179396#M35987 <P>So I am going to answer my own question which is a good thing I guess. The way I understand the issue was the following:</P> <OL> <LI>In Settings | Data Inputs | UDP | 514 the sourcetype was forced to syslog.</LI> <LI>The transforms that are part of the cisco ASA /fwsm app install state that the source type is a cisco fwsm.</LI> <LI>I had previous data in the main index that was specified as sourcetype cisco:fwsm</LI> <LI>The two transforms, 'syslog' (that is forced on the Data inputs) and 'cisco:fwsm' (that is forced from the cisco app) were competing against each other and thus the firewall event was dropped.</LI> </OL> <P>How did I resolve this. I removed the source 514 from the GUI.<BR /> In inputs.conf I added the following lines.</P> <P>[udp://514]<BR /> connection_host = ip</P> <P>Restarted splunk and it started working. So the issue which did not rear its ugly head in any debug logs was because of competing transforms I believe. That moment when you hit the Splunk matrix and everything just works!!!</P> Fri, 20 Mar 2015 00:08:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179396#M35987 domenico_perre 2015-03-20T00:08:07Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179397#M35988 <P>Could you try adding the following to the udp://514 stanza:</P> <PRE><CODE>sourcetype=syslog </CODE></PRE> <P>This should work as I have more than a dozen customer installs where the sourcetype is set as syslog, and add-ons such as Cisco ASA add-on and Cisco Networks add-on change the sourcetype based on a transform. This works out of the box with a lot of apps.</P> <P>Make sure you do not set a value for the <EM>source</EM> field, only <EM>sourcetype</EM>.</P> Fri, 20 Mar 2015 02:40:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179397#M35988 mikaelbje 2015-03-20T02:40:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179398#M35989 <P>As soon as I put that field in under the stanza and restarted the splunk service, logs stopped working. </P> Fri, 20 Mar 2015 03:02:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179398#M35989 domenico_perre 2015-03-20T03:02:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179399#M35990 <P>Could you paste the output of the following commands?</P> <P>Go to your Splunk working dir/bin</P> <PRE><CODE>./splunk cmd btool props list syslog --debug ./splunk cmd btool inputs list --debug </CODE></PRE> Fri, 20 Mar 2015 05:41:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-can-see-network-traffic-but-no-data-is/m-p/179399#M35990 mikaelbje 2015-03-20T05:41:39Z