Do Cisco ASA NGFWs aka X-series and firepower series sending logs to FMC and collecting via estreamer provide equal or greater logging within Splunk over syslog from the ASA?
Meaning everything event visible in syslog can be seen in the estreamer feed in some way.
One of the other concerning issues is the size of the events syslog is 200bytes/event while estreamer is 2000bytes for connection events.
Thx. I sort of figured that was the question, but wanted to make sure.
I'm not an expert, and my memory might be foggy, but IIRC the new firewalls we deployed at $job-1 we still collected both data - there were some pieces of estreamer that weren't there even though generally it's a better, higher quality data stream.
I've love to reinvestigate - as I was leaving there we were finally getting the rest of the new FW infrastructure into place, so we'd have ISE, AMP, all NGFWs and a lot of other things. I may ping some folks back there to find out how that went, or maybe give them a hand getting it sorted out.