I really need some help setting up an ASA to run with Splunk. This is what I have done so far:
Installed Splunk and set it up to receive syslog files from an ASA. - Successful
Installed the new APP "Splunk for Cisco ASA"
Installed Sideview Utils
Installed Google Maps
When I go and open up the Cisco dashboard the "Reporting Firewalls" never have any information in the fields.
I click on Inspect and see that it fails to find: search index=firewall sourcetype=cisco_asa
I have read many tutorials and cannot find a definitive answer to my problems, and now I am resorting to this post. Please forgive my ignorance if this is a really simple fix, but I am really, really new to Splunk and just trying to learn a new skill.
Thanks in Advance,
Jim
Where are this app's specific docs hosted?
Version 1.0, and with the TA the sourcetype is cisco:asa, not cisco_asa.
Everything you need to get it running is in the docs, and if it doesn't work you most likely did something wrong. If you are unsure about how stuff works, I recommend you read up on docs.splunk.com about how inputs.conf, props.conf and transforms.conf work!
I am having the same issue. Here is a copy of my inputs.conf on the server.
[monitor:///splunkapp/centrallog/hostasa]
index = sfsq-uiso
sourcetype = cisco_asa
But nothing is showing up in Splunk for Cisco ASA.
Your help is very much appreciated.
Thank you
Nadim
Hey Jim,
I am guessing that you haven't pointed your incoming logs at the 'firewall' index. Either that, or your forcing of the sourcetype is being done incorrectly.
Can you please show me your inputs.conf, props.conf and transforms.conf?
If you are just receiving ASA syslog on port udp/514, and firewall data ONLY, you could easily do it like this:
[udp://514]
index=firewall
sourcetype=cisco_asa
If you have other data coming in on port 514, you need to force the sourcetype based on a regex that matches a special word, for example the %ASA-* keyword. You need to do this in props.conf/transforms.conf. You can find examples of how to do this in the docs and here on Answers.
Thanks for downloading the app 🙂
Could you paste a snippet of your relevant logdata please. It might be that you have some errors going on.
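The props/transforms override described in the answer above, written out as an added example (not config from the app, the thread, or Splunk's docs). It assumes the ASA shares udp/514 with other syslog sources, that the app's dashboards search index=firewall sourcetype=cisco_asa as in the original post, and that the stanza names asa_set_sourcetype and asa_set_index are free to choose; the three files are shown in one block for brevity but are three separate files.

```ini
# Added example: route every message carrying an ASA syslog ID (e.g. "%ASA-6-302013:")
# that arrives on udp/514 into index "firewall" with sourcetype "cisco_asa", while
# leaving other devices' syslog on the port alone. Put all three files in
# $SPLUNK_HOME/etc/apps/<your_app>/local/ on the Splunk instance that actually
# receives the UDP data (indexer or heavy forwarder), then restart Splunk.

# --- inputs.conf ---
[udp://514]
# Assumption: defaults for everything that is NOT matched by the transforms below.
sourcetype = syslog
index = main

# --- props.conf ---
# Applies to all data received on the udp:514 input. Transforms run in the order listed.
[source::udp:514]
TRANSFORMS-asa = asa_set_sourcetype, asa_set_index

# --- transforms.conf ---
# Hypothetical stanza names. The regex matches the "%ASA-<severity>-<6-digit id>:"
# prefix; use cisco:asa instead of cisco_asa if your dashboards come from the
# TA-based version mentioned earlier in the thread.
[asa_set_sourcetype]
REGEX = %ASA-\d-\d{6}:
FORMAT = sourcetype::cisco_asa
DEST_KEY = MetaData:Sourcetype

[asa_set_index]
REGEX = %ASA-\d-\d{6}:
FORMAT = firewall
DEST_KEY = _MetaData:Index
```

Two checks before blaming the app: the firewall index must already exist (Settings > Indexes, or a stanza in indexes.conf), because events routed to an index that does not exist are discarded rather than indexed; and after the restart, a plain search for index=firewall sourcetype=cisco_asa over the last 15 minutes should return events before you open the dashboard. If it returns nothing, search index=main for %ASA- to see whether the messages are arriving but missing the regex (for example a PIX- or FWSM-style prefix, which this regex deliberately does not match).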
OK, it looks like I figured out the indexing and got it to start inputting data into Splunk for Cisco ASA, but now I can't seem to get it to input eventtype=asa-acl into the dashboard. I tried to create a custom eventtype, but I know I am doing something wrong.
If you are just receiving ASA syslog on port udp/514, and firewall data ONLY, you could easily do it like this:
[udp://514]
index=firewall
sourcetype=cisco_asa
I really don't know exactly where to input this string. I have briefly looked in the docs section and once again they are very vague. Doing some troubleshooting, I noticed that when I do a SEARCH (NOT IN THE APP) for index=firewall, it retrieves nothing, so I know I have the indexing screwed up.
I have looked in Splunk\etc\apps\Splunk_for_CiscoASA\local for the files you asked about and there aren't any. I didn't know if I should just create new ones and add the information, or what?
Any help would be greatly appreciated.