
How to filter certain Cisco ASA device logs to not be indexed?

Explorer

Professional Services set up our Splunk and has it set up so that it pulls in the Cisco ASA data. The device feeds data into the Splunk Add-on for Cisco ASA, but I would like to filter the data before it gets there, since I don't need all of the logs coming from the device. How would I go about filtering these logs so they are not indexed?

1 Solution

Contributor

If you're looking to filter on specific events, you'll want to use a whitelist or a blacklist in your inputs.conf file in the app on your deployment server. Found here:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Whitelistorblacklistspecificincomingdata


Splunk Employee

See this post: https://answers.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk.html

========

You'll need to utilize this on either a heavy forwarder or your indexers. Universal forwarders can whitelist/blacklist files, but not the individual events within the file.



Explorer

That's what I would have thought, but there is no inputs.conf in the cisco:asa app folder.


Contributor

Are you forwarding the data directly from the device or is it going through a syslog server?


Explorer

It's forwarding its data to the Splunk indexer directly from the device.


Contributor

Alright, then try using props.conf and transforms.conf. This post might help: https://answers.splunk.com/answers/39916/need-help-filtering-cisco-asa-logs-at-index-time.html
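To make the two points above concrete (the Splunk Employee's note that event-level filtering has to happen where parsing happens, on a heavy forwarder or the indexers, and the Contributor's pointer to props.conf and transforms.conf), here is an added example that is not part of the original thread. It mirrors the nullQueue routing rules as data and runs them over a few constructed ASA syslog lines so you can dry-run the REGEX before touching a production indexer. The stanza names (asa_drop_conn, asa_drop_all, asa_keep), the sample events and the choice of message IDs to drop are assumptions for illustration; the sourcetype cisco:asa is the one the Splunk Add-on for Cisco ASA expects, and it must already be assigned on your udp:// or tcp:// input stanza for the [cisco:asa] props stanza to fire.

```python
import re

# Constructed sample events for this example; they imitate what a Cisco ASA
# sends over syslog when it logs straight to the indexer (addresses are
# documentation ranges, not real hosts).
SAMPLE_EVENTS = [
    '<166>Jun 10 12:00:01 fw01 %ASA-6-302013: Built inbound TCP connection 4711 '
    'for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)',
    '<166>Jun 10 12:00:02 fw01 %ASA-6-302014: Teardown TCP connection 4711 '
    'for outside:203.0.113.5/443 to inside:10.0.0.5/51234 duration 0:00:01 bytes 2048 TCP FINs',
    '<166>Jun 10 12:00:03 fw01 %ASA-6-302015: Built outbound UDP connection 4712 '
    'for outside:198.51.100.9/53 (198.51.100.9/53) to inside:10.0.0.7/40000 (10.0.0.7/40000)',
    '<164>Jun 10 12:00:04 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.77/4444 '
    'dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]',
    "<165>Jun 10 12:00:05 fw01 %ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
]

# Each tuple mirrors one transforms.conf stanza as (stanza name, REGEX, FORMAT);
# DEST_KEY = queue is implied for all of them. Splunk applies the transforms
# listed in a props.conf TRANSFORMS-* setting left to right, and the last one
# whose REGEX matches the raw event decides the queue, so order matters.
#
# Blacklist (assumed stanza names): drop connection build/teardown chatter,
# index everything else.
#   props.conf       [cisco:asa]
#                    TRANSFORMS-asa_filter = asa_drop_conn
#   transforms.conf  [asa_drop_conn]
#                    REGEX = %ASA-6-30201[3-6]:
#                    DEST_KEY = queue
#                    FORMAT = nullQueue
DROP_CONNECTION_NOISE = [
    ("asa_drop_conn", r"%ASA-6-30201[3-6]:", "nullQueue"),
]

# Whitelist: send everything to nullQueue first, then route only severity 1-4
# messages (alerts, critical, errors, warnings such as ACL denies) back to
# indexQueue. With TRANSFORMS-asa_filter = asa_drop_all, asa_keep the keep
# rule wins because it is evaluated last.
KEEP_ONLY_SEVERITY_1_TO_4 = [
    ("asa_drop_all", r".", "nullQueue"),
    ("asa_keep", r"%ASA-[1-4]-\d{6}:", "indexQueue"),
]

MESSAGE_ID = re.compile(r"%ASA-\d-(\d{6}):")


def route_event(event, transforms, default="indexQueue"):
    """Return the queue an event ends up in after all transforms are applied."""
    queue = default
    for _name, regex, fmt in transforms:
        # transforms.conf REGEX is an unanchored PCRE search over _raw.
        if re.search(regex, event):
            queue = fmt
    return queue


def route_events(events, transforms):
    """Map each queue to the ASA message IDs of the events routed to it."""
    routed = {"indexQueue": [], "nullQueue": []}
    for event in events:
        match = MESSAGE_ID.search(event)
        msg_id = match.group(1) if match else "unknown"
        routed.setdefault(route_event(event, transforms), []).append(msg_id)
    return routed


if __name__ == "__main__":
    for label, transforms in [("drop connection noise", DROP_CONNECTION_NOISE),
                              ("keep only severity 1-4", KEEP_ONLY_SEVERITY_1_TO_4)]:
        print(label, route_events(SAMPLE_EVENTS, transforms))
```

Put the stanzas in an app on the indexers (or the heavy forwarder in front of them), restart, and confirm the merged configuration with `splunk btool props list cisco:asa --debug` and `splunk btool transforms list asa_drop_conn --debug`. Two caveats: events sent to nullQueue are gone for good, so think about what incident response will later want (teardown messages carry byte counts and durations) before blacklisting a whole message class; and if the goal is simply less noise, the ASA itself can stop emitting a message with `no logging message 302013`, which saves the bandwidth and the parsing work on the Splunk side as well.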

Splunk Employee

Hello @jeremeek - Is your question also in reference to the Splunk Add-on for Cisco ASA? https://splunkbase.splunk.com/app/1620/

If yes, please let me know so I can make sure that add-on is tagged to your post. Thank you.


Explorer

The device does feed data into the Splunk add-on, but I want to filter the data before it gets there. I've been able to do it with (for example) specific Windows event logs, but I want to do the same with the Cisco ASA logs.


Splunk Employee

Got it. I just updated your post to include the add-on tag and to incorporate some of the information you left in your comment. Thanks!
