https://community.splunk.com/t5/Monitoring-Splunk/Splunk-and-Cisco-ASA-No-Event-Data/m-p/40289#M6944 <P>You should not need to set any inputs.conf changes to get your Cisco ASA sourcetyped correctly. it should be set to syslog sourcetype by default, and then there's a transforms.conf that should force the sourcetype to cisco_asa by regexing a match against the incoming syslog data. Any syslog data with "%ASA-" in it should be automatically sourcetyped as cisco_asa (not cisco:asa like you have above, I believe.)</P> <P>There are a few apps out there that have a typo in them for the transforms.conf that does this, however. The stanza below is the correct one that should be in your transforms.conf under your app's default directory (check the one for the TA....). Note the commented out INCORRECT regex. The uncommented one is the one you want.</P> <PRE><CODE>[force_sourcetype_for_cisco_asa] DEST_KEY = MetaData:Sourcetype REGEX = %ASA-\d+-\d+ #REGEX = %ASA--\d+-\d+ FORMAT = sourcetype::cisco_asa </CODE></PRE> <P>Then check that your data is being sourcetyped correctly:</P> <PRE><CODE>index=* %ASA | dedup sourcetype | table sourcetype </CODE></PRE> <P>and you should be good to go.</P> Mon, 28 Sep 2020 15:45:49 GMT jbrodsky_splunk 2020-09-28T15:45:49Z https://community.splunk.com/t5/Monitoring-Splunk/Splunk-and-Cisco-ASA-No-Event-Data/m-p/40287#M6942 <P>Hello,</P> <P>I have DL'd and installed the following:</P> <P>Splunk App for Cisco ASA ver 1.0<BR /> Splunk for Cisco ASA Technology Add-on ver 1.1<BR /> Google Maps<BR /> Sideview Utils</P> <OL> <LI>My Splunk server is receiving SYSLOG from my ASA ( verified with TCP Dump )</LI> <LI>I can use a * to search the logfiles</LI> <LI>I have updated my input.conf = sourcetype=cisco:asa, index: main</LI> </OL> <P>I still am showing no data in the following:</P> <OL> <LI>Fiewall Dashboard Page</LI> <LI>Overview Page</LI> <LI>Summary Page</LI> </OL> <P>Any help much appreciated.</P> <P>Thanks,<BR /> Brian</P> Mon, 20 May 2013 23:48:52 GMT https://community.splunk.com/t5/Monitoring-Splunk/Splunk-and-Cisco-ASA-No-Event-Data/m-p/40287#M6942 brianma 2013-05-20T23:48:52Z https://community.splunk.com/t5/Monitoring-Splunk/Splunk-and-Cisco-ASA-No-Event-Data/m-p/40288#M6943 <P>Splunk Add-on for Cisco ASA</P> <P>I do not see this information below to make the change </P> <PRE><CODE>My Splunk server is receiving SYSLOG from my ASA ( verified with TCP Dump ) I can use a * to search the logfiles I have updated my input.conf = sourcetype=cisco:asa, index: main </CODE></PRE> Wed, 29 Jan 2014 15:45:48 GMT https://community.splunk.com/t5/Monitoring-Splunk/Splunk-and-Cisco-ASA-No-Event-Data/m-p/40288#M6943 rshorter 2014-01-29T15:45:48Z https://community.splunk.com/t5/Monitoring-Splunk/Splunk-and-Cisco-ASA-No-Event-Data/m-p/40289#M6944 <P>You should not need to set any inputs.conf changes to get your Cisco ASA sourcetyped correctly. it should be set to syslog sourcetype by default, and then there's a transforms.conf that should force the sourcetype to cisco_asa by regexing a match against the incoming syslog data. Any syslog data with "%ASA-" in it should be automatically sourcetyped as cisco_asa (not cisco:asa like you have above, I believe.)</P> <P>There are a few apps out there that have a typo in them for the transforms.conf that does this, however. The stanza below is the correct one that should be in your transforms.conf under your app's default directory (check the one for the TA....). Note the commented out INCORRECT regex. The uncommented one is the one you want.</P> <PRE><CODE>[force_sourcetype_for_cisco_asa] DEST_KEY = MetaData:Sourcetype REGEX = %ASA-\d+-\d+ #REGEX = %ASA--\d+-\d+ FORMAT = sourcetype::cisco_asa </CODE></PRE> <P>Then check that your data is being sourcetyped correctly:</P> <PRE><CODE>index=* %ASA | dedup sourcetype | table sourcetype </CODE></PRE> <P>and you should be good to go.</P> Mon, 28 Sep 2020 15:45:49 GMT https://community.splunk.com/t5/Monitoring-Splunk/Splunk-and-Cisco-ASA-No-Event-Data/m-p/40289#M6944 jbrodsky_splunk 2020-09-28T15:45:49Z