topic Unable to get data from ASA in Getting Data In

Unable to get data from ASA

rgraham29975 — Tue, 29 Sep 2020 13:26:16 GMT

Hi,

I am on an ASA 9.1 release, splunk 6.5.2, Splunk _TA_cisco-asa 3.2.6

I have configured the ASA syslog to send data to Splunk on port 5555.

listening on port 5555 on splunk receiving.

Please let me know what I am missing. Hopefully not too much of a newbie question:)
thanks

Re: Unable to get data from ASA

richgalloway — Fri, 31 Mar 2017 12:46:18 GMT

Are the ASA and Splunk using the same protocol (TCP vs. UDP)?

Re: Unable to get data from ASA

atari1050 — Fri, 31 Mar 2017 13:23:35 GMT

Dumb question: Are the ports open if there is a firewall?

Re: Unable to get data from ASA

dmaislin_splunk — Tue, 29 Sep 2020 13:26:27 GMT

This default app is configured for port 514 in the props.conf file in the add-on/default folder. To fix it, if you are new, just create a folder/directory called local in the add-on directory and add a new props.conf with the following information. A local props.conf with the stanzas below overrides the ones in default per the order of precedence in Splunk. Do not alter the default/props.conf file.

Directory Path: $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local/props.conf

props.conf

[source::tcp:5555]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[source::udp:5555]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm