
Cisco ASA Add-On

jlsimmons
New Member

I really need some help setting up an ASA to run with Splunk. This is what I have done so far:

Installed Splunk and set it up to receive syslog from an ASA. - Successful

Installed the new APP "Splunk for Cisco ASA"

Installed Sideview Utils

Installed Google Maps

When I open the Cisco dashboard, the "Reporting Firewalls" panels never have any information in the fields.
I click on Inspect and see that it fails to find anything for: search index=firewall sourcetype=cisco_asa

I have read many tutorials and cannot find a definitive answer to my problems, so now I am resorting to this post. Please forgive my ignorance if this is a really simple fix, but I am really, really new to Splunk and just trying to learn a new skill.

Thanks in Advance,
Jim

0 Karma

kvangave
New Member

Where are this app's specific docs hosted?

0 Karma

kenth
Splunk Employee

With version 1.0 and the TA, the sourcetype is cisco:asa, not cisco_asa.

Everything you need to get it running is in the docs, and if it doesn't work you most likely did something wrong. If you are unsure about how things work, I recommend you read up on docs.splunk.com about how inputs.conf, props.conf and transforms.conf work!

nelkhour
New Member

I am having the same issue. Here is a copy of my inputs.conf on the server.

[monitor:///splunkapp/centrallog/hostasa]
index = sfsq-uiso
sourcetype = cisco_asa

But nothing is showing up in Splunk for Cisco ASA.

Your help is very much appreciated.

Thank you
Nadim

0 Karma

kenth
Splunk Employee

Hey Jim,

I am guessing that you haven't pointed your incoming logs at the 'firewall' index. Either that, or your sourcetype forcing is being done incorrectly.

Can you please show me your inputs.conf, props.conf and transforms.conf?

If you are just receiving ASA syslog on UDP port 514, and firewall data ONLY, you could easily do it like this:

[udp://514]
index=firewall
sourcetype=cisco_asa

If you have other data coming in on port 514, you need to force the sourcetype based on a regex on a special word, for example the %ASA-* keyword. You need to do this in props.conf/transforms.conf. You can find examples of how to do this in the docs and here on Answers.

Thanks for downloading the app 🙂
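The per-event sourcetype and index forcing that kenth describes for a shared port 514, written out as an added example (this is not configuration from the original post or from the Splunk for Cisco ASA app). It assumes syslog arrives on UDP 514 on the indexer or heavy forwarder, that the index is named firewall and the sourcetype cisco_asa (what the dashboard search in this thread expects; substitute cisco:asa if you are on the TA), and that the ASA messages carry the standard "%ASA-<severity>-<6-digit id>" tag. The stanza names set_sourcetype_cisco_asa and route_cisco_asa_to_firewall are arbitrary labels chosen for this example.

```ini
# inputs.conf  (on the indexer or heavy forwarder, e.g. $SPLUNK_HOME/etc/system/local/)
# Listen for syslog on UDP 514. No index or sourcetype is set here because other
# devices also send to this port; the decision is made per event in props/transforms.
[udp://514]
connection_host = ip

# transforms.conf
# Match the Cisco ASA syslog message tag, e.g. "%ASA-6-302013" (one severity digit,
# then a six-digit message number), and rewrite the event's sourcetype.
# (Stanza names are example labels, not names the app defines.)
[set_sourcetype_cisco_asa]
REGEX = %ASA-\d-\d{6}
FORMAT = sourcetype::cisco_asa
DEST_KEY = MetaData:Sourcetype

# Same match, but route the event to the "firewall" index that the dashboard search
# (index=firewall sourcetype=cisco_asa) expects. The index must already exist
# (Settings > Indexes, or indexes.conf); events sent to a nonexistent index are dropped.
[route_cisco_asa_to_firewall]
REGEX = %ASA-\d-\d{6}
FORMAT = firewall
DEST_KEY = _MetaData:Index

# props.conf
# Apply both transforms to every event that arrived on the UDP 514 input.
# Everything that does not match keeps its default index and sourcetype.
[source::udp:514]
TRANSFORMS-cisco_asa = set_sourcetype_cisco_asa, route_cisco_asa_to_firewall
```

These are parsing-time settings, so they belong on the first full Splunk instance that sees the data (an indexer or heavy forwarder, not a universal forwarder) and take effect after a restart. They only affect events indexed from then on, so check with a fresh ASA message and `index=firewall sourcetype=cisco_asa` over the last few minutes. If your firewalls are older PIX or FWSM devices the tag is %PIX- or %FWSM- rather than %ASA-, and the regex needs adjusting.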

kenth
Splunk Employee

Could you paste a snippet of your relevant log data, please? It might be that you have some errors going on.

0 Karma

jlsimmons
New Member

OK, it looks like I figured out the indexing and got it to start inputting data into Splunk for Cisco ASA, but now I can't seem to get it to feed eventtype=asa-acl into the dashboard. I tried to create a custom event type, but I know I am doing something wrong.

0 Karma

jlsimmons
New Member

If you are just receiving ASA syslog on UDP port 514, and firewall data ONLY, you could easily do it like this:

[udp://514]
index=firewall
sourcetype=cisco_asa

I really don't know exactly where to input this. I have briefly looked in the docs section and, once again, they are very vague. Doing some troubleshooting, I noticed that when I do a search (NOT in the app) for index=firewall, it retrieves nothing, so I know I have the indexing screwed up.

I have looked in Splunk\etc\apps\Splunk_for_CiscoASA\local for the files you asked about and there aren't any. I don't know whether I should just create new ones and add the information, or what?
Any help would be greatly appreciated.

0 Karma