
Cisco ASA as sourcetype, now syslog as sourcetype

rb51
Explorer

Hi all,

Totally new to Splunk.

We used to get data with sourcetype = cisco:asa, which was easy to configure queries and reports for (as there were loads of fields to choose from).

The type of queries I used to run were like:
sourcetype="cisco:asa" action="blocked"| sort -Count

eventtype="cisco-firewall" message_id=111010 | eval my_time=_time | convert timeformat="%d-%m-%Y %H:%M:%S" ctime(my_time) |table my_time,host, msg | rename my_time as "Timestamp" | rename msg as "Syslog Message" | rename host as "Source"

sourcetype="cisco:asa" action="blocked" | stats count as Count by dest_port | rename dest_port as "Destination Port" | sort -Count

Now all the ASA data is coming in on sourcetype = syslog, and therefore I cannot find a way to query and create reports (just 4 or 5 fields available).

Can anyone help?


adauria_splunk
Splunk Employee

If it's only cisco:asa coming in on UDP 514, simply change the line in inputs.conf to sourcetype = cisco:asa.

The better way to do this, however, is to run a syslog server separate from Splunk (e.g. rsyslog or syslog-ng). Configure this server to receive all the syslog and write it out to local disk. When it writes it, it should use the IP or DNS name of the sending device as the directory name to which it writes the events. Then you can use a Splunk monitor (file) input (using a Universal Forwarder if not doing this on the Splunk server) to pick up the file. You can configure the host_segment parameter to pick up the "host" value from the path to the file (e.g. for /var/syslog/host1 and /var/syslog/host2 it would pick up the 3rd segment of the path).

If you have a mixed stream of syslog (i.e. not just ASA), and you can't or won't run a separate syslog collector outside of the Splunk server itself, you would have to accept the data as syslog and then assign sourcetype based on source or other properties with the correct sourcetypes. Take a look here:
http://blogs.splunk.com/2010/02/11/sourcetypes-gone-wild/

Hope this helps!
-Andrew
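As an added example (not part of Andrew's reply or of any Splunk or Cisco add-on), here is one way to lay out the configuration he describes: an rsyslog collector that writes each sender into its own directory, a Splunk monitor input that recovers host from the path with host_segment, and, for the mixed-stream case, a props/transforms pair that leaves the UDP input as syslog and re-sourcetypes only the ASA events. The directory /var/syslog, the rsyslog template name, the transform stanza name and the choice of $SPLUNK_HOME/etc/system/local are assumptions; the sourcetype cisco:asa is the one the thread uses.

```ini
# Added example, not the original reply's or any add-on's shipped config.
# /var/syslog, the template name "PerHostFile" and the stanza name
# "set_cisco_asa" are assumptions; adjust to your environment.

# --- /etc/rsyslog.d/10-splunk.conf (rsyslog legacy syntax, on the collector) ---
# Listen on UDP 514 and write each sender's events under a directory named
# after the sending IP, so Splunk can recover "host" from the file path.
$ModLoad imudp
$UDPServerRun 514
$template PerHostFile,"/var/syslog/%FROMHOST-IP%/syslog.log"
*.* -?PerHostFile

# --- $SPLUNK_HOME/etc/system/local/inputs.conf (forwarder or indexer) ---
# Monitor the tree rsyslog writes. host_segment = 3 takes the third path
# segment of /var/syslog/<host>/syslog.log as the event's host, which is
# what the reply means by picking the "host" value up from the path.
[monitor:///var/syslog]
sourcetype = cisco:asa
host_segment = 3
index = main

# --- Mixed stream: keep the UDP input as syslog, re-sourcetype ASA events ---
# $SPLUNK_HOME/etc/system/local/props.conf
[syslog]
TRANSFORMS-set_asa_sourcetype = set_cisco_asa

# $SPLUNK_HOME/etc/system/local/transforms.conf
# Match the ASA message-ID prefix (e.g. "%ASA-6-302013") and rewrite the
# sourcetype at index time, so the Cisco ASA add-on's field extractions apply.
[set_cisco_asa]
REGEX = %ASA-\d-\d{6}
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype
```

Use either the monitor stanza (when everything under /var/syslog is ASA) or the props/transforms pair (when the collector also receives other devices), not both on the same data: the monitor stanza stamps every file under the directory as cisco:asa regardless of content, while the transform only rewrites events that carry the ASA prefix. Because sourcetype is assigned at index time, already-indexed syslog events are not changed; only new data picks up the fix. To see which inputs.conf is actually defining the UDP input, and therefore which file to edit, run `splunk btool inputs list udp://514 --debug` on the instance that owns the input; it prints each setting together with the file it came from.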


swasserroth
Path Finder

Could you check if you have installed the app "SA-cisco-asa"? If yes, then try to disable it, if your version of the Cisco Security Suite is 3.1.0 (the newest one). I suspect some interference between the older SA and the newer version of the Security Suite...

Regards,
Stephan


swasserroth
Path Finder

Maybe you should check your installed applications: the Cisco Security Suite seems to have changed a bit. Deactivate SA-cisco-ASA (if installed) and install the Splunk Add-on for Cisco ASA (Splunk_TA_cisco-asa). That may fix the sourcetype problems...
Regards,
Stephan


adauria_splunk
Splunk Employee

I'll just add that none of what I said explains WHY this sourcetype changed on you. It's possible you installed another app that did this, or perhaps another user made some change to the input... Sourcetypes don't generally change on their own for a given input, so there is SOME explanation, but I don't know what it is or how to figure out the mystery unless you've got file integrity monitoring on the system or something.


rb51
Explorer

In \Splunk\etc\apps\Splunk_CiscoSecuritySuite\local the inputs.conf file is:

[udp://514]
connection_host = ip
index = main
sourcetype = syslog

The truth is that we have not made any changes.

adauria_splunk
Splunk Employee

Generally, sourcetype is assigned at index time and defined in your input. You can look at the input under Settings > Inputs, or in whichever inputs.conf file defines this input. Sourcetype will be an option in the GUI or a parameter in the conf file.
