Sourcetype syslog

rb51
Explorer

Hi all,

I am totally new to Splunk and almost giving up...

We have Splunk on a Windows 2008 R2 box

We are monitoring Cisco ASA firewalls and the sourcetype keeps being tagged as "syslog" rather than "cisco:asa".

I hope an expert can point me in the right direction, as I am really struggling to understand why this does not work.

Information:

  • Data Input setup as UDP 514 syslog

Apps installed/enabled:

  • Cisco Security Suite 3.0.3
  • Splunk Add-on for Cisco ASA 3.1.0

In my $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory I have the props.conf file as follows:

[source::tcp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

########## ASA

[source::....asa]
sourcetype = cisco:asa

[cisco:asa]
SHOULD_LINEMERGE = false

########## Sample of data on Splunk

Feb 12 10:00:38 10.2.6.3 :Feb 12 10:20:21 GMT/BST: %ASA-session-4-106023: Deny tcp src EXT_INT:xx.xx.xx.xx/63613 dst PUB_DMZ_INT:xx.xx.xx.xx/25 by access-group "EXT_INT" [0x0, 0x0]
host = x.x.x.x source = udp:514 sourcetype = syslog

0 Karma
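An added illustration (not from the original post or the add-on) of how a TRANSFORMS- sourcetype override like the one in the props.conf above is evaluated: each listed transform's REGEX is tested against the raw event, a match rewrites the sourcetype, and with no match the input's sourcetype ("syslog" on the UDP 514 input) is kept. The three regexes below are assumptions for the sake of the example, not the add-on's real ones, which live in its transforms.conf and are the first thing to compare against the quoted event, whose header reads `%ASA-session-4-106023` rather than the usual `%ASA-<severity>-<id>`.

```python
import re

# Constructed sample events for the demo. The first mirrors the line quoted in
# the post; the others are constructed variants for comparison.
SAMPLE_EVENTS = [
    'Feb 12 10:00:38 10.2.6.3 :Feb 12 10:20:21 GMT/BST: %ASA-session-4-106023: '
    'Deny tcp src EXT_INT:xx.xx.xx.xx/63613 dst PUB_DMZ_INT:xx.xx.xx.xx/25 '
    'by access-group "EXT_INT" [0x0, 0x0]',
    'Feb 12 10:00:39 10.2.6.3 %ASA-4-106023: Deny tcp src EXT_INT:xx.xx.xx.xx/63613 '
    'dst PUB_DMZ_INT:xx.xx.xx.xx/25 by access-group "EXT_INT" [0x0, 0x0]',
    'Feb 12 10:00:40 10.2.6.4 %PIX-4-106023: Deny tcp src outside:xx.xx.xx.xx/4444 '
    'dst inside:xx.xx.xx.xx/22 by access-group "outside_in" [0x0, 0x0]',
    'Feb 12 10:00:41 10.2.6.9 sshd[1234]: Accepted publickey for admin from xx.xx.xx.xx',
]

# Hypothetical stand-ins for the three transforms named in the post's
# TRANSFORMS-force_sourcetype_for_cisco list: (name, REGEX, sourcetype written).
# The regexes are assumptions for illustration; the real patterns are in the
# add-on's transforms.conf.
TRANSFORMS = [
    ("force_sourcetype_for_cisco_asa", re.compile(r"%ASA-\d-\d+"), "cisco:asa"),
    ("force_sourcetype_for_cisco_pix", re.compile(r"%PIX-\d-\d+"), "cisco:pix"),
    ("force_sourcetype_for_cisco_fwsm", re.compile(r"%FWSM-\d-\d+"), "cisco:fwsm"),
]


def apply_transforms(event, default_sourcetype="syslog"):
    """Evaluate the transforms in list order against one raw event.

    Every transform whose REGEX matches rewrites the sourcetype, so a later
    match overrides an earlier one; with no match the input's sourcetype
    (here "syslog", as on the UDP 514 input) is kept.
    Returns (sourcetype, name of the last matching transform or None).
    """
    sourcetype, matched = default_sourcetype, None
    for name, regex, forced in TRANSFORMS:
        if regex.search(event):
            sourcetype, matched = forced, name
    return sourcetype, matched


def classify_events(events):
    """Run apply_transforms over a batch; yields (event, sourcetype, matched)."""
    return [(event, *apply_transforms(event)) for event in events]


if __name__ == "__main__":
    for event, sourcetype, matched in classify_events(SAMPLE_EVENTS):
        print(f"{sourcetype:10} {matched or '-':32} {event[:60]}")
```

Running it shows the quoted event falling through to "syslog" under the assumed ASA pattern while the plain `%ASA-4-106023` variant is forced to cisco:asa; swap in the REGEX from the installed add-on's transforms.conf to test the real behaviour against your own events.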

aakwah
Builder

Hello,

I think you should have the following stanza in your inputs.conf:

/opt/splunk/etc/apps/Splunk_TA_cisco-asa/default/inputs.conf

[tcp://PIX_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false

Regards

0 Karma

rb51
Explorer

Hi aakwah,

Thank you for replying to my post.

We are on Windows, and browsing the following path:

$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/default

There is no inputs.conf file there.

Should I create one? Should I have as many stanzas as ASA firewalls we are monitoring?

Also, should it be UDP rather than TCP? Should source be syslog rather than cisco:asa? The problem is sourcetype...

[udp://ASA1_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false

[udp://ASA2_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false

and so on?

0 Karma

richgalloway
SplunkTrust

Never add or edit a file in a default directory. Put your changes in local, instead, creating a file if required.

One should use TCP rather than UDP when possible.

---
If this reply helps you, Karma would be appreciated.
0 Karma

rb51
Explorer

Rich,

Thanks for that...

What I cannot understand is that there must be thousands of Splunk users using the Cisco Security Suite and the Add-on... Why is there no config guide with the parameters, etc.? I could not find anything in the App documentation mentioning inputs.conf.

I am lost, to be honest.

0 Karma