I have syslog-ng configured on the same Splunk server to receive syslogs from our Cisco ASA with FireSIGHT. (Will be changing to a separate syslog server eventually but need to solve this issue before the migration at a later date). The ASA firewall data is being sent to /var/log/cisco_asa and the FireSIGHT data is being sent to /var/log/sourcefire on the Splunk server from the ASA appliance. I have Cisco Security Center, eStreamer for Splunk, Splunk Add-on for Cisco ASA, and Splunk Add-on for Cisco FireSIGHT installed.
I have the /var/log/cisco_asa folder being monitored via Splunk's local inputs under the cisco:asa sourcetype and I am able to see the firewall data with charts in the Cisco Security Center app, but I am not sure how to see the FireSIGHT IPS data with charts. What sourcetype should I set it up under and what app should I use to see the data? I tried the eStreamer for Splunk app and it seems to only work if data is forwarded from the eStreamer port, but not syslog.
Have you checked the https://splunkbase.splunk.com/app/3663 app? This provides the UI/dashboards/reports. If you are collecting the data via syslog [which has limited data as opposed to using the add-ons https://splunkbase.splunk.com/app/3662/ OR https://splunkbase.splunk.com/app/1629], you may be able to rename/adjust the sourcetype for the 3663 app to analyse the data and report/dashboard it. Just a thought.
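One way to wire up the sourcetype rename suggested above in Splunk's own configuration files, as an added example that is not part of this thread: the existing `cisco:asa` monitor from the question, a second monitor for the FireSIGHT syslog directory, and a props.conf `rename` so those events are searched under the sourcetype the app's dashboards expect. The sourcetype name `cisco:firesight:syslog` and the placeholder `APP_EXPECTED_SOURCETYPE` are assumptions; replace the placeholder with the sourcetype declared in the app's own props.conf.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf
# (example configuration, not from the thread; paths are the ones the question gives)

# ASA firewall syslog written by syslog-ng, already working per the question
[monitor:///var/log/cisco_asa]
sourcetype = cisco:asa
disabled = 0

# FireSIGHT / FMC syslog written by syslog-ng to a separate directory.
# The sourcetype name here is an assumption; it only needs to match the
# props.conf stanza below.
[monitor:///var/log/sourcefire]
sourcetype = cisco:firesight:syslog
disabled = 0


# $SPLUNK_HOME/etc/system/local/props.conf
# (example configuration, not from the thread)

# Search-time rename: events indexed as cisco:firesight:syslog are returned
# when searches ask for the app's sourcetype, so the app's dashboards pick
# them up without re-indexing. The original value stays visible in the
# _sourcetype field, which is useful when checking which events came from
# syslog rather than from the eStreamer add-on.
[cisco:firesight:syslog]
rename = APP_EXPECTED_SOURCETYPE
```

After restarting Splunk, `index=* _sourcetype=cisco:firesight:syslog | head 5` confirms the rename took effect; the syslog feed still carries less detail than eStreamer, as the replies below point out.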
You are right, the eStreamer app doesn't use syslog. But if you can use eStreamer, why do you feel you need the syslog data from FMC? eStreamer covers all use cases.
From what I remember when we started migrating a few years ago to the FireSIGHT stuff, the syslog on it is broken. It just doesn't log all the information one needs in so many cases. The eStreamer app gets the complete data in a timely fashion. So, if I had a suggestion, it is to use eStreamer to collect FMC (e.g. FireSIGHT) data, and not worry about syslog for those.
(As it is now, we syslog ASA data and some other similar data, we use eStreamer for FireSIGHT and the FMC portions, and we also use the AMP API for all AMP stuff. All three coexist quite nicely.)