
How to filter certain Cisco ASA device logs to not be indexed?

jeremeek
Explorer

Professional Services set up our Splunk and has it set up to where it pulls in the Cisco ASA data. The device feeds data into the Splunk Add-on for Cisco ASA but I would like to filter the data before it gets there since I don't need all of the logs coming from the device. How would I go about filtering these logs to not be indexed?

1 Solution

adayton20
Contributor

If you're looking to filter on specific events, you'll want to use a whitelist or a blacklist in your inputs.conf file in the app on your deployment server. Found here:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Whitelistorblacklistspecificincomingdata


michaelnorup
Path Finder

Hi @jeremeek 

I have an issue where our ASAs are filling up our license, so I would like to filter some of the data away.
I found your post here, and I'm hoping you are still active.

What data did you decide to filter out?


tlelle_splunk
Splunk Employee

See this post: https://answers.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk.html

========

You'll need to utilize this on either a heavy forwarder or your indexers. Universal forwarders can whitelist/blacklist files, but not the individual events within the file.



jeremeek
Explorer

That's what I would have thought but there is no inputs.conf in the cisco:asa app folder


adayton20
Contributor

Are you forwarding the data directly from the device or is it going through a syslog server?


jeremeek
Explorer

It's forwarding its data to the Splunk indexer directly from the device.


adayton20
Contributor

Alright, then try using props.conf and transforms.conf. This post might help: https://answers.splunk.com/answers/39916/need-help-filtering-cisco-asa-logs-at-index-time.html
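Putting the two pieces of advice in this thread together (event-level filtering has to happen on a heavy forwarder or the indexers, and the mechanism is props.conf plus transforms.conf routing matches to nullQueue), here is an added worked example. It is my own illustration, not code from this thread or from the Splunk Add-on for Cisco ASA. It assumes the syslog input that receives the ASA feed assigns the add-on's sourcetype cisco:asa, that the app name asa_filter and transform name asa_drop_noisy are placeholders you can rename, and that the message IDs in NOISY_IDS (TCP/UDP connection built/teardown) are the noise you want gone; the sample events are constructed, not real traffic. The same regex is used for the Splunk transform and for a local dry run with grep, so you can see what would be dropped before touching production.

```shell
#!/bin/sh
# Added example (not from this thread or the Splunk Add-on for Cisco ASA).
# Assumptions, all labelled here:
#   - the syslog input that receives the ASA feed assigns sourcetype cisco:asa
#     (the add-on's sourcetype); if yours differs, change the props.conf stanza
#   - the app name "asa_filter" and the transform name "asa_drop_noisy" are
#     made up for this example
#   - the message IDs in NOISY_IDS are connection built/teardown messages
#     chosen as typical high-volume noise; pick your own list
set -e

# Cisco ASA message IDs to discard before indexing.
NOISY_IDS='302013|302014|302015|302016'

# The same pattern is used for the Splunk transform (PCRE) and for the local
# check below (grep -E), so it deliberately avoids PCRE-only syntax.
NOISY_RE="%ASA-[0-9]-($NOISY_IDS):"

# Write props.conf and transforms.conf into an app directory on the indexer
# or heavy forwarder (the first full Splunk instance that parses the data);
# a universal forwarder cannot apply them. Restart splunkd afterwards.
write_filter_app() {
    app_local="$1"
    mkdir -p "$app_local"
    cat > "$app_local/props.conf" <<EOF
[cisco:asa]
TRANSFORMS-asa_drop_noisy = asa_drop_noisy
EOF
    cat > "$app_local/transforms.conf" <<EOF
[asa_drop_noisy]
REGEX = $NOISY_RE
DEST_KEY = queue
FORMAT = nullQueue
EOF
}

# Return 0 if the transform above would route the event to nullQueue.
is_noise() {
    printf '%s\n' "$1" | grep -Eq "$NOISY_RE"
}

# Apply the filter to events on stdin; print only what would be indexed.
keep_events() {
    while IFS= read -r line; do
        is_noise "$line" || printf '%s\n' "$line"
    done
}

# Constructed sample events (not real traffic) in the ASA syslog format.
SAMPLE_EVENTS='Mar 10 12:00:01 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/44321 (203.0.113.5/44321) to inside:10.0.0.5/443 (10.0.0.5/443)
Mar 10 12:00:02 fw01 %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/44321 to inside:10.0.0.5/443 duration 0:00:01 bytes 5120 TCP FINs
Mar 10 12:00:03 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/5555 dst inside:10.0.0.5/22 by access-group "outside_in"
Mar 10 12:00:04 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin'

# Dry run: show which events survive the filter before deploying it.
# To deploy: write_filter_app "$SPLUNK_HOME/etc/apps/asa_filter/local"
printf '%s\n' "$SAMPLE_EVENTS" | keep_events
```

Two things worth checking after deploying: the [cisco:asa] stanza in your app merges with the add-on's own [cisco:asa] props rather than replacing them, because the TRANSFORMS-asa_drop_noisy key is distinct from anything the add-on sets; and events sent to nullQueue are discarded before indexing, so they stop counting against your license, which you can confirm with a search for the dropped message IDs after the restart. Keep the deny and authentication messages (106023, 113015 and friends) out of the regex; they are exactly the events a security investigation needs.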

aaraneta_splunk
Splunk Employee

Hello @jeremeek - Is your question also in reference to the Splunk Add-on for Cisco ASA? https://splunkbase.splunk.com/app/1620/

If yes, please let me know so I can make sure that add-on is tagged to your post. Thank you.


jeremeek
Explorer

The device does feed data into the Splunk add-on, but I want to filter the data before it gets there. I've been able to do it with (for example) specific Windows event logs, but I want to do the same with the Cisco ASA logs.


aaraneta_splunk
Splunk Employee

Got it. I just updated your post to include the add-on tag and to incorporate some of the information you left in your comment. Thanks!
