Just updated to the newest version of the Cisco Security Suite; I have the IPS and Firewall Add-Ons configured. However, the main page shows me a map (using Google Maps, which is working properly) and below that a bar graph for Cisco Security Events. The only Cisco Security Events showing are "Cisco_ips" and "Cisco_syslog_types", yet if I manually go to Searches and search for "eventtype=*" I see "cisco_firewall", so the events are there; they are just not showing up on the "Splunk for Cisco Security" summary page.
Any thoughts?
Yep this fixed it:
Just set the sourcetype to cisco_asa under the UDP port listening for Syslog messages and that just might have done it.
Also, see here for more info: for some reason they changed the default transforms.conf file in 2.0, so it's not properly sourcetyping any more:
Be sure to follow the directions given -- do not edit default/transforms.conf -- instead, add your own transforms.conf in local and add the corrected stanza there.