
Sourcetype syslog

rb51
Explorer

hi all,

I am totally new to Splunk and almost giving up...

We have Splunk on a Windows 2008 R2 box

We are monitoring Cisco ASA firewalls and the sourcetype keeps coming tagged as "syslog" rather than "cisco:asa"

I hope an expert can point me to the right direction as I am really struggling to understand why this does not work.

Information:

  • Data Input setup as UDP 514 syslog

Apps installed/enabled:

  • Cisco Security Suite 3.0.3
  • Splunk Add-on for Cisco ASA 3.1.0

In my $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory I have the props.conf file as follows:

[source::tcp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

########## ASA

[source::....asa]
sourcetype = cisco:asa

[cisco:asa]
SHOULD_LINEMERGE = false

########## Sample of data on Splunk

Feb 12 10:00:38 10.2.6.3 :Feb 12 10:20:21 GMT/BST: %ASA-session-4-106023: Deny tcp src EXT_INT:xx.xx.xx.xx/63613 dst PUB_DMZ_INT:xx.xx.xx.xx/25 by access-group "EXT_INT" [0x0, 0x0]
host = x.x.x.x source = udp:514 sourcetype = syslog

0 Karma
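An added example, not code from the thread or from the Cisco ASA add-on: it emulates how Splunk walks a TRANSFORMS-* chain (REGEX / FORMAT / DEST_KEY) over the sample event above, with a pattern that matches standard "%ASA-4-106023" lines beside one that also accepts the "%ASA-session-4-106023" form the question shows. Both regexes are constructed assumptions for illustration, not the add-on's real transforms.conf.

```python
import re

# Constructed transforms.conf-style rules (assumption: NOT the add-on's real regexes).
TRANSFORMS = {
    # Matches the usual "%ASA-<severity>-<msgid>" message header.
    "force_sourcetype_for_cisco_asa_strict": {
        "REGEX": r"%ASA-\d-\d{6}",
        "FORMAT": "sourcetype::cisco:asa",
        "DEST_KEY": "MetaData:Sourcetype",
    },
    # Also tolerates an optional class token, e.g. "%ASA-session-4-106023".
    "force_sourcetype_for_cisco_asa_loose": {
        "REGEX": r"%ASA-(?:[a-z]+-)?\d-\d{6}",
        "FORMAT": "sourcetype::cisco:asa",
        "DEST_KEY": "MetaData:Sourcetype",
    },
}

# Sample event copied from the question (constructed x.x.x.x placeholders kept).
SAMPLE_EVENT = (
    "Feb 12 10:00:38 10.2.6.3 :Feb 12 10:20:21 GMT/BST: %ASA-session-4-106023: "
    "Deny tcp src EXT_INT:xx.xx.xx.xx/63613 dst PUB_DMZ_INT:xx.xx.xx.xx/25 "
    'by access-group "EXT_INT" [0x0, 0x0]'
)


def apply_transforms(event, transform_names, sourcetype="syslog"):
    """Emulate TRANSFORMS-* evaluation for sourcetype rewriting.

    Rules run in the listed order; every rule whose REGEX matches the raw
    event rewrites the sourcetype (only MetaData:Sourcetype is modelled here).
    If nothing matches, the input's original sourcetype ("syslog") survives,
    which is exactly the symptom described in the question.
    """
    for name in transform_names:
        rule = TRANSFORMS[name]
        if re.search(rule["REGEX"], event):
            key, value = rule["FORMAT"].split("::", 1)
            if rule["DEST_KEY"] == "MetaData:Sourcetype" and key == "sourcetype":
                sourcetype = value
    return sourcetype


if __name__ == "__main__":
    for rule in TRANSFORMS:
        print(rule, "->", apply_transforms(SAMPLE_EVENT, [rule]))
```

On a real instance, `splunk btool props list --debug` and `splunk btool transforms list --debug` show which stanzas and regexes actually apply to an input, so a mismatch like this one can be confirmed rather than guessed.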

aakwah
Builder

Hello,

I think you should have the following stanza on your inputs.conf

/opt/splunk/etc/apps/Splunk_TA_cisco-asa/default/inputs.conf

[tcp://PIX_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false

Regards

0 Karma

rb51
Explorer

hi aakwah

thank you for replying to my post.

we are on windows, and browsing the following path:

$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/default

There is no inputs.conf file there

Should I create one??? Should I have as many stanzas as ASA firewalls we are monitoring???

Also, should it be udp rather than tcp??? Should source be syslog rather than cisco:asa? The problem is sourcetype....

[udp://ASA1_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false

[udp://ASA2_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false

and so on???

0 Karma

richgalloway
SplunkTrust

Never add or edit a file in a default directory. Put your changes in local, instead, creating a file if required.

One should use TCP rather than UDP when possible.

---
If this reply helps you, Karma would be appreciated.
0 Karma

rb51
Explorer

ric

thanks for that....

What I cannot understand is that there must be thousands of Splunk users using the Cisco Security Suite and the Add-on..... Why is there no config guide with the parameters, etc.? I could not find anything in the App documentation mentioning inputs.conf.

I am lost to be honest

0 Karma