Professional Services set up our Splunk and has it set up to where it pulls in the Cisco ASA data. The device feeds data into the Splunk Add-on for Cisco ASA but I would like to filter the data before it gets there since I don't need all of the logs coming from the device. How would I go about filtering these logs to not be indexed?
If you're looking to filter on specific events, you'll want to use a whitelist or a blacklist in your inputs.conf file in the app on your deployment server. Found here:
http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Whitelistorblacklistspecificincomingdata
Hi @jeremeek
I have an issue where our ASAs are filling up our license, so I would like to filter some of the data away.
I found your post here, and I'm hoping you are still active.
What data did you decide to filter out?
See this post: https://answers.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk.html
========
You'll need to utilize this on either a heavy forwarder or your indexers. Universal forwarders can whitelist/blacklist files, but not the individual events within the file.
That's what I would have thought, but there is no inputs.conf in the cisco:asa app folder.
Are you forwarding the data directly from the device or is it going through a syslog server?
It's forwarding its data to the Splunk indexer directly from the device.
Alright then try using props.conf and transforms.conf. This post might help: https://answers.splunk.com/answers/39916/need-help-filtering-cisco-asa-logs-at-index-time.html
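As an added illustration of the props.conf/transforms.conf approach (this is example configuration written for this thread, not the add-on's own files), assuming the events arrive with sourcetype cisco:asa and that the ASA connection build/teardown messages 302013-302016 are the volume you want to drop; the files go in an app on the heavy forwarder or indexer, not on a universal forwarder:

```ini
# props.conf  (heavy forwarder or indexer, e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/)
# Bind the index-time filter to the sourcetype the add-on assigns.
# Sourcetype name assumed to be cisco:asa; adjust if Professional Services set a different one.
[cisco:asa]
TRANSFORMS-asa_drop_noise = asa_drop_conn_build_teardown

# transforms.conf  (same app)
# Events whose _raw matches REGEX are routed to nullQueue and never indexed,
# so they do not count against the license.
# 302013/302014 = TCP built/teardown, 302015/302016 = UDP built/teardown (example choice).
# Keep 106xxx (deny/ACL) messages and anything above severity 6 so blocked traffic
# and device errors are still searchable for investigations.
[asa_drop_conn_build_teardown]
REGEX = %ASA-6-30201[3-6]:
DEST_KEY = queue
FORMAT = nullQueue
```

Check with a search such as `sourcetype=cisco:asa "%ASA-6-302013"` over a window after restarting splunkd on the filtering host; if those events still appear, the data is bypassing the host where the transform lives.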
Hello @jeremeek - Is your question also in reference to the Splunk Add-on for Cisco ASA? https://splunkbase.splunk.com/app/1620/
If yes, please let me know so I can make sure that add-on is tagged to your post. Thank you.
The device does feed data into the Splunk add-on, but I want to filter the data before it gets there. I've been able to do it with (for example) specific Windows event logs, but I want to do the same with the Cisco ASA logs.
Got it. I just updated your post to include the add-on tag and to incorporate some of the information you left in your comment. Thanks!