I've read a couple of posts/answers here.
What I did:
Created a local directory in the TA_cisco-asa app and copied eventtypes, transforms, and props. Upon checking the config files, contrary to the answers in the questions posted here, they were already commented out by default (*the [source::udp::514]).
Upon checking the dashboards, they were looking for eventtype=cisco-firewall.
Checked eventtypes.conf and there is no cisco-firewall defined. Like, really? Why? And I thought add-ons would already require minimal to no configuration, only enabling some of the metrics.
Current setup is Splunk listening on 514 with sourcetype=syslog.
Unless you make changes to the TA/app you download from Splunkbase or add some customizations, you don't need a local directory.
From the problem you described, I believe you are looking at the dashboards in the Security Suite app - https://splunkbase.splunk.com/app/525/.
If you check default/eventtypes.conf, you will see the eventtype "cisco-firewall".
Since you are getting the events with the sourcetype "syslog", you can download the TA for Cisco ASA here.
This one transforms your sourcetype into cisco:asa, which the app is looking for.
Hello, thank you for the comment. I believe klaxdal already pinpointed my problem, which is the sourcetype not being defined properly. Though you're right about the local folder: since I didn't change any conf files, there is no need for the local one.
Sourcetype should be set manually to cisco:asa or cisco_asa (I forget offhand which one works); start with cisco:asa.
You may also want to output the syslogs via TCP, as it's more reliable, and configure a separate index for your Cisco products ..... see link
Yes, you're right. I pre-created the index with the sourcetype as syslog before the integration. :))
If I have to populate the other dashboards in the Cisco suite, say for example the Cisco ESA or WSA, should I create another index and define a new port for logging, as 514 is exclusively for ASA?
Many thanks btw, I will try this tomorrow and will accept this answer if it works.
No need to create another index. I have set this up many times, outputting all my Cisco devices (IPS / ASA / WSA) to the same index.
They can use the same port; however, you want to be aware of the amount of traffic flow, which may require you to break out the traffic on various ports, e.g. TCP 514, TCP 515, etc., and index to a common index to keep things straight (my personal preference), such as index=cisco.
You should be able to simply change the sourcetype on your current configuration by editing the data input to reflect cisco:asa.
BTW, getting the IPS data in can be a challenge due to issues with the Python script and SSL, but we can cross that bridge when you get there.
One can do that if you're experiencing heavy traffic, depending on the number of devices reporting in; I have never had to go that route though. I would highly recommend using TCP rather than UDP though, as it is connection-oriented rather than connectionless, which makes for easier troubleshooting too.
Hello klaxdal. So I have already set the sourcetype as cisco:asa, but this will only limit me to monitoring the cisco:asa sourcetype. I need all the Cisco logs to automatically populate all the dashboards in this app.
It says there that sourcetype=syslog will automatically be redefined with their respective sourcetype. Thoughts?
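The two approaches discussed in this thread, as an added configuration example that is not from the thread, the Cisco ASA TA, or the Security Suite app: the first part sets the sourcetype directly on the data input (what klaxdal suggests), and the second part keeps the input as sourcetype=syslog and lets an index-time transform rewrite the sourcetype to cisco:asa when a line carries the ASA message tag (what the last question asks about). The stanza name force_sourcetype_for_cisco_asa, the index name cisco, the port numbers and the regex are assumptions for illustration; the real TA ships its own stanza names and regex, so check its default/transforms.conf before adding anything to local/.

```ini
# --- inputs.conf (on the indexer or heavy forwarder that owns the listener) ---
# Option A: tag the sourcetype at the input itself. Every event arriving on
# this listener is indexed as cisco:asa, so the listener must carry only ASA
# traffic. Index name "cisco" and port choices are assumptions.
[udp://514]
sourcetype = cisco:asa
index = cisco
connection_host = ip
no_appending_timestamp = true

# TCP listener for the same devices; connection-oriented delivery means a
# dropped session shows up in splunkd.log instead of silently losing events.
[tcp://514]
sourcetype = cisco:asa
index = cisco
connection_host = ip

# --- props.conf ---
# Option B: leave the input at sourcetype=syslog (a shared listener) and let a
# transform reassign the sourcetype per event at index time. The stanza name
# force_sourcetype_for_cisco_asa is an assumed name, not the TA's own.
[syslog]
TRANSFORMS-force_cisco_asa = force_sourcetype_for_cisco_asa

# --- transforms.conf ---
# Runs against the raw event. A constructed sample line that matches:
#   Jan 12 10:15:32 192.0.2.1 %ASA-6-302013: Built outbound TCP connection 12345
#   for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)
# Lines without a %ASA-<severity>-<msgid>: tag (e.g. a Linux host's sshd
# message on the same port) keep the original sourcetype.
[force_sourcetype_for_cisco_asa]
REGEX = %ASA-\d-\d+:
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype
```

Both props.conf and transforms.conf settings are index-time (parsing-phase) configuration, so they take effect only on the Splunk instance that first parses the data (indexer or heavy forwarder, not a universal forwarder or a search head), only after a restart, and only for events indexed from that point on; data already stored under sourcetype=syslog is not rewritten. A quick check after the restart is a search such as `index=cisco | stats count by sourcetype` to confirm new events arrive as cisco:asa while non-ASA lines stay as syslog.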