https://community.splunk.com/t5/Getting-Data-In/Changing-sourcetype-for-FWSM/m-p/11208#M531 <P>All data is received on UDP port 514. The file I changed in firewall_addon was the configuration option under app management in Splunk.</P> Sat, 10 Apr 2010 05:54:51 GMT pillowhead 2010-04-10T05:54:51Z https://community.splunk.com/t5/Getting-Data-In/Changing-sourcetype-for-FWSM/m-p/11206#M529 <P>Hi, I just installed cisco_firewall_addon for version 4.1 of splunk and I am having some issues. I have an ASA and a FWSM that I want to be recognized as a cisco_firewall sourcetype. The ASA is correctly recognized, but the FWSM is still categorized as cisco_syslog. I already went into the cisco_firewall_addon app config and changed it from %ASA OR %PIX to %ASA OR %PIX OR %FWSM and restarted, but that didn't resolve the issue. How do I change the FWSM to be recognized as cisco_firewall?</P> Fri, 09 Apr 2010 23:23:14 GMT https://community.splunk.com/t5/Getting-Data-In/Changing-sourcetype-for-FWSM/m-p/11206#M529 pillowhead 2010-04-09T23:23:14Z https://community.splunk.com/t5/Getting-Data-In/Changing-sourcetype-for-FWSM/m-p/11207#M530 <P>0</P> <P>How are you receiving the data? All syslog on the same port? What file did you change in the firewall_addon app?</P> Sat, 10 Apr 2010 04:25:28 GMT https://community.splunk.com/t5/Getting-Data-In/Changing-sourcetype-for-FWSM/m-p/11207#M530 dskillman 2010-04-10T04:25:28Z https://community.splunk.com/t5/Getting-Data-In/Changing-sourcetype-for-FWSM/m-p/11208#M531 <P>All data is received on UDP port 514. The file I changed in firewall_addon was the configuration option under app management in Splunk.</P> Sat, 10 Apr 2010 05:54:51 GMT https://community.splunk.com/t5/Getting-Data-In/Changing-sourcetype-for-FWSM/m-p/11208#M531 pillowhead 2010-04-10T05:54:51Z https://community.splunk.com/t5/Getting-Data-In/Changing-sourcetype-for-FWSM/m-p/11209#M532 <P>Hello, We are in the process of updating the Cisco Firewall Add-on to support FWSM but for now there are a couple of steps you can take manually and this should get things working for you.</P> <P>in the local directory of the app you need to create a transforms.conf, props.conf and eventtypes.conf file if you have not done so already.</P> <P>In transforms add the following stanza: </P> <P>[cisco_fwsm]<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = (%FWSM)<BR /> FORMAT = sourcetype::cisco_firewall<BR /></P> <P>in props.conf add the following to the top of the file:</P> <P>TRANSFORMS-pix=cisco_fwsm</P> <P>in eventtypes.conf add the following stanza:</P> <P>[cisco_firewall]<BR /> search = %ASA OR %PIX OR %FWSM<BR /> tags = cisco firewall</P> <P>This should be all you need to get the add-on working correctly with your firewall. Please let us know how it works out for you. </P> Mon, 12 Apr 2010 09:01:03 GMT https://community.splunk.com/t5/Getting-Data-In/Changing-sourcetype-for-FWSM/m-p/11209#M532 Will_Hayes 2010-04-12T09:01:03Z https://community.splunk.com/t5/Getting-Data-In/Changing-sourcetype-for-FWSM/m-p/11210#M533 <P>That fixed it. Thanks!</P> Tue, 13 Apr 2010 02:47:08 GMT https://community.splunk.com/t5/Getting-Data-In/Changing-sourcetype-for-FWSM/m-p/11210#M533 pillowhead 2010-04-13T02:47:08Z https://community.splunk.com/t5/Getting-Data-In/Changing-sourcetype-for-FWSM/m-p/11211#M534 <P>@pillowhead - since @Will Hayes's answer below answered your question, you should click the checkmark next to his answer so he'll get the reputation points for a good answer (and you'll get 2 points for your trouble). thanks!</P> Wed, 14 Apr 2010 03:08:03 GMT https://community.splunk.com/t5/Getting-Data-In/Changing-sourcetype-for-FWSM/m-p/11211#M534 Justin_Grant 2010-04-14T03:08:03Z