topic Re: Cisco Firewall addon data source in Getting Data In

Cisco Firewall addon data source

timbCFCA — Mon, 09 Aug 2010 21:24:22 GMT

Can the Cisco Firewall addon be restricted to only analyze data from a specific source or sourcetype?

I have reports from Nagios coming in which contain references that trigger the [cisco_pix] stanza in /opt/splunk/etc/apps/cisco_firewall_addon/default/transforms.conf. These are being incorrectly rewritten with the cisco_firewall sourcetype.

Re: Cisco Firewall addon data source

Will_Hayes — Tue, 10 Aug 2010 07:50:58 GMT

Hi, If you look in the default/props.conf directory you will see:

TRANSFORMS-asa=cisco_asa TRANSFORMS-pix=cisco_pix TRANSFORMS-ios=cisco_ios TRANSFORMS-fwsm=cisco_fwsm

Remove these lines, then set the data input for the actual Cisco Pix firewall to cisco_firewall. This will prevent other things from getting source-typed when it matches %PIX.

Re: Cisco Firewall addon data source

timbCFCA — Mon, 28 Sep 2020 09:16:08 GMT

Will, Thanks.
One other thing proved useful - I updated the
TRANSFORMS-extract = cisco_firewall_hostoverride to TRANSFORMS = syslog-host. Hostname extraction was failing for some reason.