All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Estreamer vs syslog from ASA firewalls

kevinmanson
Explorer
‎04-27-2018 01:42 PM

Do Cisco ASA NGFWs aka X-series and firepower series sending logs to FMC and collecting via estreamer provide equal or greater logging within Splunk over syslog from the ASA?

Meaning everything event visible in syslog can be seen in the estreamer feed in some way.

One of the other concerning issues is the size of the events syslog is 200bytes/event while estreamer is 2000bytes for connection events.

0 Karma
Reply

koshyk
Super Champion
‎05-02-2018 01:30 AM

hi Kevin,
I've put a screenshot here. Also put into github with details. Please note, this is from my experience and may have changed

alt text

Preview file
259 KB
0 Karma
Reply

koshyk
Super Champion
‎04-30-2018 09:25 AM

I've a table comparing syslog vs estreamer options. But not sure if I can paste that into splunk answers. Let me try finding a place I can put it or a screenshot

0 Karma
Reply

kevinmanson
Explorer
‎05-01-2018 05:54 AM

Koshyk,

Any luck on being able to send over that table?

0 Karma
Reply

koshyk
Super Champion
‎05-02-2018 06:17 AM

i've attached below

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎04-28-2018 02:54 PM

Hi, kevinmanson,

Is there a question here that needs answering?

Reply

kevinmanson
Explorer
‎04-30-2018 07:42 AM

Reformatted sentence into question.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎05-01-2018 06:07 AM

Thx. I sort of figured that was the question, but wanted to make sure.

I'm not an expert, and my memory might be foggy, but IIRC the new firewalls we deployed at $job-1 we still collected both data - there were some pieces of estreamer that weren't there even though generally it's a better, higher quality data stream.

I've love to reinvestigate - as I was leaving there we were finally getting the rest of the new FW infrastructure into place, so we'd have ISE, AMP, all NGFWs and a lot of other things. I may ping some folks back there to find out how that went, or maybe give them a hand getting it sorted out.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...