
Sourcetype syslog

rb51
Explorer

hi all,

I am totally new to Splunk and almost giving up...

We have Splunk on a Windows 2008 R2 box

We are monitoring Cisco ASA firewalls and the sourcetype keeps coming tagged as "syslog" rather than "cisco:asa"

I hope an expert can point me to the right direction as I am really struggling to understand why this does not work.

Information:

  • Data Input setup as UDP 514 syslog

Apps installed/enabled:

  • Cisco Security Suite 3.0.3
  • Splunk Add-on for Cisco ASA 3.1.0

In my $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory I have the props.conf file as follows:

# Route syslog arriving on port 514 through the add-on's sourcetype transforms
# (defined in transforms.conf): each named transform rewrites the sourcetype
# when its REGEX matches the raw event.
[source::tcp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

# Also applied to anything that already arrived tagged sourcetype=syslog.
[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

########## ASA

# "..." matches any characters, so this stanza only applies to file sources
# whose path ends in ".asa"; it has no effect on a network source such as udp:514.
[source::....asa]
sourcetype = cisco:asa

[cisco:asa]
# One event per line; never merge consecutive lines into a multi-line event.
SHOULD_LINEMERGE = false

########## Sample of data on Splunk

Feb 12 10:00:38 10.2.6.3 :Feb 12 10:20:21 GMT/BST: %ASA-session-4-106023: Deny tcp src EXT_INT:xx.xx.xx.xx/63613 dst PUB_DMZ_INT:xx.xx.xx.xx/25 by access-group "EXT_INT" [0x0, 0x0]
host = x.x.x.x source = udp:514 sourcetype = syslog

0 Karma

aakwah
Builder

Hello,

I think you should have the following stanza in your inputs.conf

/opt/splunk/etc/apps/Splunk_TA_cisco-asa/default/inputs.conf

# PIX_IP is the address of the sending firewall; a [tcp://<host>:<port>] stanza
# only accepts connections on that port from that host.
[tcp://PIX_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false

Regards

0 Karma

rb51
Explorer

hi aakwah

thank you for replying to my post.

We are on Windows, and browsing the following path:

$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/default

There is no inputs.conf file there

Should I create one? Should I have as many stanzas as ASA firewalls we are monitoring?

Also, should it be udp rather than tcp? Should source be syslog rather than cisco:asa? The problem is the sourcetype...

[udp://ASA1_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false

[udp://ASA2_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false

and so on?

0 Karma

richgalloway
SplunkTrust

Never add or edit a file in a default directory. Put your changes in local, instead, creating a file if required.

One should use TCP rather than UDP when possible.

---
If this reply helps you, Karma would be appreciated.
0 Karma
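The following is an added example, not code from this thread or from the Splunk_TA_cisco-asa add-on. It models offline the two mechanics the posts above turn on: the TRANSFORMS-* list in the original poster's props.conf, which is supposed to rewrite sourcetype=syslog to cisco:asa when a transform's REGEX matches the raw event, and the default/ versus local/ layering richgalloway describes. The stanzas in DEFAULT_TRANSFORMS and LOCAL_TRANSFORMS are hypothetical stand-ins, not the add-on's real transforms.conf, and the PIX event is constructed; the ASA event is the one posted in the thread. Its message ID reads `%ASA-session-4-106023`, with a class name between `%ASA-` and the severity digit, so the practical check is to paste the add-on's actual REGEX from default/transforms.conf into DEFAULT_TRANSFORMS and confirm it matches the posted raw event before changing any inputs.

```python
"""
Offline check of Splunk's index-time sourcetype override for Cisco ASA syslog.

Added example; not code from the Splunk_TA_cisco-asa add-on. It reproduces,
in simplified form, two mechanics behind the thread:

  1. .conf layering: a key in an app's local/ copy wins over the same key in
     default/ (so overrides belong in local/, never in default/);
  2. TRANSFORMS-* in props.conf: each named transform in transforms.conf with
     DEST_KEY = MetaData:Sourcetype rewrites the event's sourcetype when its
     REGEX matches the raw event text.

The two transforms.conf texts below are HYPOTHETICAL stand-ins, not the
add-on's real stanzas: copy the actual REGEX values from
$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/default/transforms.conf into
DEFAULT_TRANSFORMS before trusting any conclusion about your own events.
"""
import re

# props.conf stanzas as posted in the thread (the local/ copy).
PROPS = r"""
[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
"""

# Hypothetical default/transforms.conf with a strict "%ASA-<severity>-<id>" pattern.
DEFAULT_TRANSFORMS = r"""
[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d-\d+
FORMAT = sourcetype::cisco:asa

[force_sourcetype_for_cisco_pix]
DEST_KEY = MetaData:Sourcetype
REGEX = %PIX-\d-\d+
FORMAT = sourcetype::cisco:pix

[force_sourcetype_for_cisco_fwsm]
DEST_KEY = MetaData:Sourcetype
REGEX = %FWSM-\d-\d+
FORMAT = sourcetype::cisco:fwsm
"""

# Hypothetical local/transforms.conf: only the key being overridden is restated.
# The optional (?:\w+-) group tolerates a class name such as "session" between
# "%ASA-" and the severity digit.
LOCAL_TRANSFORMS = r"""
[force_sourcetype_for_cisco_asa]
REGEX = %ASA-(?:\w+-)?\d-\d+
"""

# The raw event from the thread, plus one constructed PIX event for contrast.
ASA_EVENT = ('Feb 12 10:00:38 10.2.6.3 :Feb 12 10:20:21 GMT/BST: %ASA-session-4-106023: '
             'Deny tcp src EXT_INT:xx.xx.xx.xx/63613 dst PUB_DMZ_INT:xx.xx.xx.xx/25 '
             'by access-group "EXT_INT" [0x0, 0x0]')
PIX_EVENT = ('Feb 12 10:00:40 10.2.6.4 %PIX-6-302013: Built outbound TCP connection 1 '
             'for outside:192.0.2.10/443 to inside:10.0.0.5/51000')  # constructed


def parse_conf(text):
    """Parse Splunk's ini-style .conf text into {stanza: {key: value}}."""
    conf, stanza = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif stanza is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[stanza][key.strip()] = value.strip()
    return conf


def layer(default_text, local_text):
    """Merge default/ and local/ as Splunk does: same stanza, same key, local wins."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def resolve_sourcetype(raw, source, sourcetype, props, transforms):
    """
    Run the TRANSFORMS-* lists of the props stanzas that match this event.
    Simplified: real Splunk orders stanzas by type and priority; here the
    source:: stanza is checked first, then the sourcetype stanza. Transforms run
    in list order and a later match overwrites an earlier one, as in Splunk.
    """
    for stanza in (f"source::{source}", sourcetype):
        for key, value in props.get(stanza, {}).items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms.get(name, {})
                if t.get("DEST_KEY") == "MetaData:Sourcetype" and re.search(t["REGEX"], raw):
                    sourcetype = t["FORMAT"].split("::", 1)[1]
    return sourcetype


def classify(raw, default_text, local_text=""):
    """Final sourcetype of an event ingested as source=udp:514, sourcetype=syslog."""
    return resolve_sourcetype(raw, "udp:514", "syslog",
                              parse_conf(PROPS), layer(default_text, local_text))


if __name__ == "__main__":
    for label, local in (("default only", ""), ("default + local", LOCAL_TRANSFORMS)):
        print(f"{label:16} ASA -> {classify(ASA_EVENT, DEFAULT_TRANSFORMS, local)}"
              f" | PIX -> {classify(PIX_EVENT, DEFAULT_TRANSFORMS, local)}")
```

With the strict stand-in regex the posted ASA event stays at sourcetype=syslog while the PIX event is rewritten to cisco:pix; with the local/ override layered on top, the ASA event becomes cisco:asa. Whatever the add-on's real regex is, the same function lets you confirm it against a raw event copied from your own search results.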

rb51
Explorer

Rich,

thanks for that....

What I cannot understand is that there must be thousands of Splunk users using the Cisco Security Suite and the Add-on. Why is there no config guide with the parameters, etc.? I could not find anything in the App documentation mentioning inputs.conf.

I am lost to be honest

0 Karma