
How to filter certain Cisco ASA device logs to not be indexed?

jeremeek
Explorer

Professional Services set up our Splunk and has it set up to where it pulls in the Cisco ASA data. The device feeds data into the Splunk Add-on for Cisco ASA but I would like to filter the data before it gets there since I don't need all of the logs coming from the device. How would I go about filtering these logs to not be indexed?


michaelnorup
Communicator

Hi @jeremeek 

I have an issue where our ASAs are filling up our license, so I would like to filter some of the data away.
I found your post here, and I'm hoping you are still active.

What data did you decide to filter out?


tlelle_splunk
Splunk Employee

See this post: https://answers.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk.html

========

You'll need to utilize this on either a heavy forwarder or your indexers. Universal forwarders can whitelist/blacklist files, but not the individual events within the file.


adayton20
Contributor

If you're looking to filter on specific events, you'll want to use a whitelist or a blacklist in your inputs.conf file in the app on your deployment server. Found here:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Whitelistorblacklistspecificincomingdata

jeremeek
Explorer

That's what I would have thought, but there is no inputs.conf in the cisco:asa app folder.


adayton20
Contributor

Are you forwarding the data directly from the device or is it going through a syslog server?


jeremeek
Explorer

It's forwarding its data to the Splunk indexer directly from the device.


adayton20
Contributor

Alright, then try using props.conf and transforms.conf. This post might help: https://answers.splunk.com/answers/39916/need-help-filtering-cisco-asa-logs-at-index-time.html
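An added example of the props.conf/transforms.conf approach suggested in this answer and in tlelle_splunk's comment above (this is not the original poster's configuration and not part of the Splunk Add-on for Cisco ASA). It assumes the ASA syslog arrives on a heavy forwarder or indexer and is already assigned the sourcetype `cisco:asa`; the stanza names (`asa_drop_conn_events`, `asa_drop_all`, `asa_keep_selected`) are arbitrary, and the ASA message IDs shown (302013-302016 for TCP/UDP connection build/teardown, 106100 for access-list hits, 113005 for AAA rejections) are just examples to adjust to your own noise profile.

```ini
# Added example, not from the original thread. Place both stanzas on the
# instance that parses the data (heavy forwarder or indexer), not on a
# universal forwarder, which cannot filter individual events.

# ---- props.conf ----
[cisco:asa]
# Transforms in one TRANSFORMS-* list run left to right; the last one that
# sets the queue wins, so order matters when combining drop and keep rules.
TRANSFORMS-asa_filter = asa_drop_conn_events

# To keep only selected message IDs and discard everything else, use this
# ordering instead (drop all first, then re-admit the ones you want):
# TRANSFORMS-asa_filter = asa_drop_all, asa_keep_selected

# ---- transforms.conf ----
# Blacklist variant: send connection build/teardown messages (IDs 302013
# through 302016, example noisy IDs) to nullQueue so they are never indexed.
[asa_drop_conn_events]
REGEX = %ASA-\d-30201[3-6]:
DEST_KEY = queue
FORMAT = nullQueue

# Whitelist variant, part 1: match every event and route it to nullQueue.
[asa_drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Whitelist variant, part 2: re-route the message IDs you do want (example:
# access-list hits and AAA rejections) back to the index queue.
[asa_keep_selected]
REGEX = %ASA-\d-(?:106100|113005):
DEST_KEY = queue
FORMAT = indexQueue
```

After deploying the files, restart or reload the parsing tier and confirm with a search such as `index=<your index> sourcetype=cisco:asa "%ASA-6-302013"` over a short recent window that the dropped IDs no longer arrive while the retained ones still do. Events routed to nullQueue are discarded before indexing, so they do not count against the license, which addresses the volume concern raised in the thread; review the dropped IDs against your detection use cases first, since connection build/teardown records are often the ones an investigation needs.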

aaraneta_splunk
Splunk Employee

Hello @jeremeek - Is your question also in reference to the Splunk Add-on for Cisco ASA? https://splunkbase.splunk.com/app/1620/

If yes, please let me know so I can make sure that add-on is tagged to your post. Thank you.


jeremeek
Explorer

The device does feed data into the Splunk add-on, but I want to filter the data before it gets there. I've been able to do it with (for example) specific Windows event logs, but I want to do the same with the Cisco ASA logs.


aaraneta_splunk
Splunk Employee

Got it. I just updated your post to include the add-on tag and to incorporate some of the information you left in your comment. Thanks!
