
Cisco ASA TA wrong sourcetype

Communicator

I am trying to get the Cisco sourcetype for ASA data (cisco:asa) to work. I have installed the TA on the heavy forwarder, indexer and search head.

In the TA folder, I created a local dir and put the props in the local dir. I am logging to the file system using rsyslog, so I set the source to the path of the rsyslog file:

[source::/opt/logs/alllogs]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_fwsm

This is not working. All I get is cisco_asa as the sourcetype for all ASA traffic.

Any ideas?

Thanks

Ed

0 Karma

Re: Cisco ASA TA wrong sourcetype

Splunk Employee

You may need to modify the REGEX on the [force_sourcetype_for_cisco*] stanzas in transforms.conf if your log files don't match correctly. I have seen this in one other instance where the log format coming from the devices wasn't quite the same as the transforms.conf stanza expected.

0 Karma

Re: Cisco ASA TA wrong sourcetype

Communicator

Well, why does the cisco_asa sourcetype match? I am sure I am not understanding something. I will check to see what else I can find.

0 Karma

Re: Cisco ASA TA wrong sourcetype

Splunk Employee

Can you tell me if the original sourcetype of the data you are pulling in is the syslog sourcetype?

0 Karma

Re: Cisco ASA TA wrong sourcetype

Communicator

Yes - the sourcetype is syslog.

0 Karma

Re: Cisco ASA TA wrong sourcetype

Splunk Employee

Post a sample of some events of the raw log so we can examine them and help you with the transforms/regex.

0 Karma

Re: Cisco ASA TA wrong sourcetype

Communicator

Sure - thanks!

May 13 15:33:57 xxxxxxxxxxxxxxxxx %ASA-6-302014: Teardown TCP connection 3360473173 for INTERNET-OUTSIDE:xx.xx.xx.xx/34802 to MD-DMZ-F5:xx.xx.xx.xx/443 duration 0:00:56 bytes 7192 TCP FINs

May 13 15:33:57 xxxxxxxxxxxxxxxxx %ASA-6-302014: Teardown TCP connection 848603646 for LAN1:xx.xx.xx.xx/48529 to LAN2:xx.xx.xx.xx/8501 duration 0:00:00 bytes 1848 TCP FINs

0 Karma

Re: Cisco ASA TA wrong sourcetype

Splunk Employee

Can you post your props.conf file? The sample lines you posted should match the REGEX specified. There may be something in props.conf that can offer more clues.

0 Karma

Re: Cisco ASA TA wrong sourcetype

Communicator

This may have been a sad assumption on my part. I copied the props.conf out of default and put it into local, and only used the following, with an update for the actual source of the log data:

props.conf

[source::/opt/log/alllogs]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_fwsm

0 Karma

Re: Cisco ASA TA wrong sourcetype

Communicator

OK - that did not come out right.

I will only include the part of the default props I used:

########## Global

[source::/opt/log/alllogs]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_fwsm

########## ASA
0 Karma
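As an added illustration (not code from this thread or from the TA), here is a small Python emulation of the index-time sourcetype override that a `TRANSFORMS-force_sourcetype_for_cisco` class performs, run over the sample events posted above plus one constructed non-ASA syslog line. The three REGEX and FORMAT values are assumptions made for the example, not the TA's actual transforms.conf stanzas; the point is to confirm that the regex you rely on really matches the raw event, which is what the "wrong sourcetype" symptom comes down to.

```python
import re

# Sample events from the thread (hostnames/IPs were masked by the poster),
# plus one constructed non-ASA syslog line to show the "no match" path.
SAMPLE_EVENTS = [
    "May 13 15:33:57 xxxxxxxxxxxxxxxxx %ASA-6-302014: Teardown TCP connection 3360473173 "
    "for INTERNET-OUTSIDE:xx.xx.xx.xx/34802 to MD-DMZ-F5:xx.xx.xx.xx/443 duration 0:00:56 bytes 7192 TCP FINs",
    "May 13 15:33:57 xxxxxxxxxxxxxxxxx %ASA-6-302014: Teardown TCP connection 848603646 "
    "for LAN1:xx.xx.xx.xx/48529 to LAN2:xx.xx.xx.xx/8501 duration 0:00:00 bytes 1848 TCP FINs",
    "May 13 15:34:01 xxxxxxxxxxxxxxxxx sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 50022",
]

# Assumed transforms in the shape of transforms.conf stanzas (REGEX / FORMAT, DEST_KEY = MetaData:Sourcetype).
# The regexes are illustrative guesses, NOT copied from the TA; compare them with the real stanzas.
TRANSFORMS = {
    "force_sourcetype_for_cisco_asa":  {"REGEX": r"%ASA-\d-\d{6}:",  "FORMAT": "sourcetype::cisco:asa"},
    "force_sourcetype_for_cisco_pix":  {"REGEX": r"%PIX-\d-\d{6}:",  "FORMAT": "sourcetype::cisco:pix"},
    "force_sourcetype_for_cisco_fwsm": {"REGEX": r"%FWSM-\d-\d{6}:", "FORMAT": "sourcetype::cisco:fwsm"},
}

# Order of the props.conf TRANSFORMS-force_sourcetype_for_cisco value.
TRANSFORM_ORDER = [
    "force_sourcetype_for_cisco_asa",
    "force_sourcetype_for_cisco_pix",
    "force_sourcetype_for_cisco_fwsm",
]


def apply_sourcetype_override(event, original_sourcetype="syslog",
                              order=TRANSFORM_ORDER, transforms=TRANSFORMS):
    """Emulate the TRANSFORMS class for one event: stanzas run in the listed order,
    each match rewrites the sourcetype (so the last matching stanza wins), and an
    event that matches nothing keeps the sourcetype the input assigned (here syslog)."""
    sourcetype = original_sourcetype
    for name in order:
        stanza = transforms[name]
        if re.search(stanza["REGEX"], event):
            sourcetype = stanza["FORMAT"].split("::", 1)[1]
    return sourcetype


def classify(events):
    """Return the resulting sourcetype for each event, in input order."""
    return [apply_sourcetype_override(e) for e in events]


if __name__ == "__main__":
    for event, sourcetype in zip(SAMPLE_EVENTS, classify(SAMPLE_EVENTS)):
        print(f"{sourcetype:10s} {event[:60]}")
```

If this emulation yields cisco:asa but Splunk still indexes the events as cisco_asa, the override is being applied and then beaten by a higher-precedence stanza, so run `splunk btool props list --debug` on the heavy forwarder to see which app's props.conf wins for that source and for the syslog sourcetype.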