Professional Services set up our Splunk and has it set up to where it pulls in the Cisco ASA data. The device feeds data into the Splunk Add-on for Cisco ASA but I would like to filter the data before it gets there since I don't need all of the logs coming from the device. How would I go about filtering these logs to not be indexed?
Hello @jeremeek - Is your question also in reference to the Splunk Add-on for Cisco ASA? https://splunkbase.splunk.com/app/1620/
If yes, please let me know so I can make sure that add-on is tagged to your post. Thank you.
The device does feed data into the Splunk Add-on, but I want to filter the data before it gets there. I've been able to do it with (for example) specific Windows event logs, but I want to do the same with the Cisco ASA logs.
Got it. I just updated your post to include the add-on tag and to incorporate some of the information you left in your comment. Thanks!
If you're looking to filter on specific events, you'll want to use a whitelist or a blacklist in your inputs.conf file in the app on your deployment server. Found here:
Are you forwarding the data directly from the device or is it going through a syslog server?
You'll need to utilize this on either a heavy forwarder or your indexers. Universal forwarders can whitelist/blacklist files, but not the individual events within the file.
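As an added example, not from this thread or from the add-on's own configuration: inputs.conf whitelist/blacklist entries filter Windows event log inputs by event ID and monitored inputs by file path, but a TCP/UDP syslog input has no per-event filter. Event-level filtering of ASA syslog is done in props.conf and transforms.conf by routing the unwanted events to nullQueue, and it takes effect on the first full Splunk instance that parses the data (heavy forwarder or indexer), which is why a universal forwarder cannot do it. The example assumes the feed arrives with sourcetype cisco:asa (the sourcetype the Splunk Add-on for Cisco ASA expects); the stanza names and the choice of message IDs to drop are my own. It discards the high-volume connection build/teardown messages (ASA message IDs 302013 to 302016) and leaves everything else, including deny messages, to be indexed.

```ini
# props.conf  (deploy to the heavy forwarder or indexer, not to a universal forwarder)
# Assumption: the syslog input tags the ASA feed with sourcetype cisco:asa.
[cisco:asa]
TRANSFORMS-asa_filter = asa_drop_conn_churn

# transforms.conf
# Route TCP/UDP connection build/teardown messages to nullQueue so they are never indexed.
# 302013/302014 = Built/Teardown TCP connection, 302015/302016 = Built/Teardown UDP connection.
# The regex is unanchored, so it also matches lines that still carry the syslog <PRI> prefix.
# Events that do not match this regex keep their default route to indexQueue.
[asa_drop_conn_churn]
REGEX = %ASA-\d-30201[3-6]:
DEST_KEY = queue
FORMAT = nullQueue
```

Restart splunkd on the heavy forwarder or indexer after deploying the two files, then confirm the volume drop with a search over the parsing instance's metrics, e.g. index=_internal source=*metrics.log group=per_sourcetype_thruput series=cisco:asa. Two things worth weighing before dropping connection events: they are the flow records you would reach for when reconstructing what a host talked to during an incident, so keep the deny and authentication messages out of the nullQueue regex, and if the concern is only license or retention cost, the same transforms.conf stanza can send the noisy events to a separate low-retention index (DEST_KEY = _MetaData:Index, FORMAT = <index name>) instead of discarding them.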