I've read a couple of posts/answers here.
What I did.
Created a local directory on the TA_cisco-asa app and copied eventtypes, transforms, and props. Upon checking the config files, contrary to the answers on the questions posted here, they were already commented out by default. *the [source::udp::514]
Upon checking on the dashboards, they were looking for eventtype=cisco-firewall
Checked eventtypes.conf and no cisco-firewall defined. Like, really? Why? And I thought add-ons would require minimal to no configuration already, only enabling some of the metrics.
Current setup is Splunk listening on 514 with sourcetype=syslog.
Source type should be set to manual: cisco:asa or cisco_asa (I forget offhand which one works); start with cisco:asa.
You may also want to output the syslogs via TCP as it's more reliable, and configure a separate index for your Cisco products..... see link
Yes, you're right. I pre-created the index with the sourcetype as syslog before the integration. :))
If I will have to populate the other dashboards in the Cisco suite, say for example the Cisco ESA or WSA, should I create another index and define a new port for logging, as 514 is exclusively for ASA?
Many thanks btw, I will try this tomorrow and will accept this answer if it works.
No need to create another index. I have set this up many times, outputting all my Cisco devices (IPS / ASA / WSA) to the same index.
They can use the same port; however, you want to be aware of the amount of traffic flow, which may require you to break out the traffic on various ports, e.g. TCP 514, TCP 515, etc., and index to a common index to keep things straight (my personal preference), such as index=cisco.
You should be able to simply change the source type on your current configuration by editing the data input to reflect cisco:asa.
BTW, getting the IPS data in can be a challenge due to issues with the Python script and SSL, but we can cross that bridge when you get there.
One can do that if you're experiencing heavy traffic, depending on the number of devices reporting in; I have never had to go that route though. I will highly recommend using TCP rather than UDP though, as it is connection-oriented rather than connectionless, which makes for easier troubleshooting too.
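To make the advice above concrete, here is an added configuration example (not from this thread or from the Splunk add-ons themselves) showing the per-product TCP listeners and the shared index that klaxdal describes. The port numbers, the index name `cisco`, the file locations and the non-ASA sourcetype value are assumptions for illustration; the ASA sourcetype `cisco:asa` is the one the thread names.

```ini
# Added example, not from the thread. Two files are shown; each goes in its own
# file under $SPLUNK_HOME/etc/apps/<your_app>/local/ on the instance that
# receives the syslog traffic (indexer or heavy forwarder). Restart Splunk after editing.

# --- indexes.conf: one shared index for all Cisco products (name is an assumption) ---
[cisco]
homePath   = $SPLUNK_DB/cisco/db
coldPath   = $SPLUNK_DB/cisco/colddb
thawedPath = $SPLUNK_DB/cisco/thaweddb

# --- inputs.conf: TCP listeners, one port per product family, all into index=cisco ---
# TCP rather than UDP: connection-oriented, so drops and disconnects are visible
# in splunkd.log instead of silently losing events.

# ASA firewalls -> port 514, sourcetype the dashboards expect
[tcp://514]
sourcetype      = cisco:asa
index           = cisco
connection_host = ip        # record the sender IP as 'host'; ASA does not set a hostname field we can trust

# WSA proxies -> port 515 (port and sourcetype value are assumptions; check the
# WSA add-on's README for the sourcetype it actually expects)
[tcp://515]
sourcetype      = cisco:wsa:squid
index           = cisco
connection_host = ip
```

After restarting, confirm each listener is bound with `splunk list tcp` and that events arrive with the right metadata, e.g. `index=cisco earliest=-15m | stats count by sourcetype, host`. Because `sourcetype` is set per port here, nothing downstream has to guess the device type from the message text.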
Hello, klaxdal. So I have already set the sourcetype as cisco:asa, but this will only limit me to monitoring the cisco:asa sourcetype. I need all the Cisco logs to automatically populate all the dashboards in this app.
It says there that sourcetype=syslog will automatically be redefined with their respective sourcetype. Thoughts?
Have you installed the other TAs required for the app and additional source types?
I have never had to specify anything other than CISCO:ASA and the index in the UDP data setup.
Unless you make changes to the TA/app you download from Splunkbase or you add some customizations, you don't need a local directory.
From the problem you explained, I believe you are looking into the dashboards in the Security Suite app - https://splunkbase.splunk.com/app/525/.
If you check default/eventtypes.conf, you will see the eventtype "cisco-firewall".
Since you are getting the events with the source type "syslog", you can download the TA for Cisco ASA here.
This one transforms your source type into cisco:asa, which the app is looking for.
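For readers who want to see what "transforms your source type into cisco:asa" looks like in Splunk terms, here is an added example (written for this edit, not copied from the TA_cisco-asa add-on) of an index-time sourcetype override: events that arrive as `syslog` but carry an ASA message ID are re-tagged as `cisco:asa` before indexing, so `eventtype=cisco-firewall` and the dashboards match them. The stanza names and the regular expression are assumptions for illustration; only the `syslog` and `cisco:asa` sourcetype names come from the thread.

```ini
# Added example, not the add-on's own configuration. Both files belong in
# $SPLUNK_HOME/etc/apps/<your_app>/local/ on the parsing tier (indexer or heavy
# forwarder); a universal forwarder cannot apply these. Restart Splunk after editing.

# --- props.conf: hook the override onto the incoming 'syslog' sourcetype ---
[syslog]
TRANSFORMS-force_sourcetype_for_cisco_asa = force_sourcetype_for_cisco_asa

# --- transforms.conf: rewrite the sourcetype when the event looks like ASA syslog ---
# REGEX is an assumption: ASA messages carry an ID of the form %ASA-<severity>-<6 digits>
# (e.g. %ASA-6-302013). Events that do not match keep sourcetype=syslog.
[force_sourcetype_for_cisco_asa]
REGEX    = %ASA-\d-\d{6}
FORMAT   = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype
```

Two caveats a practitioner will want: this is an index-time change, so it only affects events indexed after the restart (anything already stored as `syslog` stays `syslog`), and the override should be on the instance that actually parses the stream, not on a universal forwarder. Verify with `index=<your_index> earliest=-15m | stats count by sourcetype`; once `cisco:asa` appears there, `eventtype=cisco-firewall` should start returning results without any edits to the app's eventtypes.conf.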