
Combining ASA/FWSM Field Extractions App with Splunk for Cisco Firewalls App

ddelange
New Member

Hi All,

The Splunk for Cisco Firewalls app doesn't seem to extract fields from all of the different Cisco FWSM syslog message types (e.g. %FWSM-4-106100). Searching the knowledge base, I found the Cisco ASA/FWSM Field Extractions app made by user dps. I can see that its props.conf file has the right extractions. I'm trying to get these extractions into the Splunk for Cisco Firewalls app, as I don't want to rename my sourcetype again. Does anyone have an idea whether this will work, and what the right way to set it up would be?

Thanks in advance!

/daniel

0 Karma

swaminathan
New Member

I guess it should work via aliasing. Below are notes from the Cisco Splunk SIEM doc:

The Cisco App add-on will rename the sourcetype of your firewall events to cisco_firewall. If you have previously added Cisco Firewall data as a data source and would like to preserve the current sourcetype for reporting purposes, you can create an alias in the local directory of this app.

To create a sourcetype alias, add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/cisco_firewall_addon/local):

    [cisco_firewall]
    rename = your_current_firewall_sourcetype

0 Karma
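The 106100 message mentioned in the question is an access-list hit log, and the extractions both apps are discussing are search-time regexes with named capture groups. The following is an added example, not code from either app or from the original posts: it applies one such regex to a few constructed syslog lines, so you can see which fields a 106100 extraction yields and check a pattern before pasting it into an EXTRACT-<class> setting in props.conf for your existing sourcetype. The message layout follows Cisco's documented 106100 format; the field names (src_ip, dest_port, hit_count, ...) are my own choice, not necessarily the names the dps app uses, and the sample lines are made up.

```python
import re
from collections import Counter

# Regex for the %ASA/FWSM-4-106100 access-list hit message. The named groups use
# the (?P<name>...) form, which Python and PCRE (and so a Splunk EXTRACT-<class>
# setting in props.conf) both accept, so the same pattern can be reused there.
# Field names here are an assumption, not the Cisco ASA/FWSM Field Extractions
# app's own names.
ACL_106100 = re.compile(
    r"%(?P<vendor_product>ASA|FWSM)-(?P<severity>\d)-(?P<message_id>106100): "
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<protocol>\S+) "
    r"(?P<src_interface>[^/\s]+)/(?P<src_ip>[^(\s]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dest_interface>[^/\s]+)/(?P<dest_ip>[^(\s]+)\((?P<dest_port>\d+)\) "
    r"hit-cnt (?P<hit_count>\d+) (?P<hit_interval>first hit|\d+-second interval)"
)


def extract_106100(line):
    """Return the 106100 fields as a dict, or None if the line is a different message."""
    m = ACL_106100.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Numeric fields are cast so they aggregate correctly; Splunk would do the
    # same implicitly in stats commands.
    for key in ("severity", "src_port", "dest_port", "hit_count"):
        fields[key] = int(fields[key])
    return fields


def denied_hits_by_source(lines):
    """Sum denied hit counts per source IP, the kind of aggregate you would get
    from the extracted fields with: action=denied | stats sum(hit_count) by src_ip."""
    totals = Counter()
    for line in lines:
        f = extract_106100(line)
        if f and f["action"] == "denied":
            totals[f["src_ip"]] += f["hit_count"]
    return totals


# Constructed sample syslog lines (not real firewall data). The last one is a
# different message ID and must not match the 106100 extraction.
SAMPLE_LINES = [
    "Oct 10 12:34:56 fw01 %FWSM-4-106100: access-list outside_in denied tcp "
    "outside/198.51.100.23(51432) -> inside/10.1.2.3(22) hit-cnt 1 first hit [0x8a5d2f1c, 0x0]",
    "Oct 10 12:35:01 fw01 %FWSM-4-106100: access-list outside_in denied tcp "
    "outside/198.51.100.23(51433) -> inside/10.1.2.3(3389) hit-cnt 4 300-second interval [0x8a5d2f1c, 0x0]",
    "Oct 10 12:35:07 fw01 %FWSM-4-106100: access-list inside_out permitted udp "
    "inside/10.1.2.50(53422) -> outside/203.0.113.5(53) hit-cnt 12 300-second interval [0x1b2c3d4e, 0x0]",
    "Oct 10 12:35:09 fw01 %FWSM-6-302013: Built inbound TCP connection 12345 for "
    "outside:198.51.100.7/40000 (198.51.100.7/40000) to inside:10.1.2.3/443 (10.1.2.3/443)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_106100(line))
    print(dict(denied_hits_by_source(SAMPLE_LINES)))
```

If you move the regex into props.conf, put it in the stanza for the sourcetype your events actually carry (the one the alias preserves), since search-time EXTRACT settings are keyed by sourcetype; a stanza for a sourcetype the events never get will silently extract nothing.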