
Sourcetype syslog

rb51
Explorer

Hi all,

I am totally new to Splunk and almost giving up...

We have Splunk on a Windows 2008 R2 box.

We are monitoring Cisco ASA firewalls and the sourcetype keeps coming tagged as "syslog" rather than "cisco:asa".

I hope an expert can point me in the right direction, as I am really struggling to understand why this does not work.

Information:

  • Data Input setup as UDP 514 syslog

Apps installed/enabled:

  • Cisco Security Suite 3.0.3
  • Splunk Add-on for Cisco ASA 3.1.0

In my $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory I have the props.conf file as follows:

[source::tcp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

########## ASA

[source::....asa]
sourcetype = cisco:asa

[cisco:asa]
SHOULD_LINEMERGE = false

########## Sample of data on Splunk

Feb 12 10:00:38 10.2.6.3 :Feb 12 10:20:21 GMT/BST: %ASA-session-4-106023: Deny tcp src EXT_INT:xx.xx.xx.xx/63613 dst PUB_DMZ_INT:xx.xx.xx.xx/25 by access-group "EXT_INT" [0x0, 0x0]
host = x.x.x.x source = udp:514 sourcetype = syslog

0 Karma
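One way to check which sourcetype the forced-sourcetype transforms referenced in the props.conf above would assign to the posted sample event, as an added example that is neither the poster's configuration nor the Splunk add-on's code: the REGEX values in STRICT and WITH_CLASS are assumptions (the page does not show transforms.conf), chosen to show that a pattern expecting `%ASA-<level>-<id>` does not fire on a message carrying a class label such as `%ASA-session-4-106023`, so the event keeps its default `syslog` sourcetype.

```python
import re

# Event copied from the post above; the poster had already masked the IPs.
SAMPLE_EVENT = (
    "Feb 12 10:00:38 10.2.6.3 :Feb 12 10:20:21 GMT/BST: %ASA-session-4-106023: "
    "Deny tcp src EXT_INT:xx.xx.xx.xx/63613 dst PUB_DMZ_INT:xx.xx.xx.xx/25 "
    'by access-group "EXT_INT" [0x0, 0x0]'
)
# Constructed event in the plain %ASA-<level>-<id> shape, for comparison.
PLAIN_EVENT = (
    "Feb 12 10:00:38 10.2.6.3 %ASA-4-106023: Deny tcp src outside:x.x.x.x/1 "
    'dst inside:x.x.x.x/25 by access-group "outside_in" [0x0, 0x0]'
)

# Hypothetical transforms.conf stanzas (the add-on's real REGEX is not shown
# on the page). Each one rewrites the sourcetype metadata key when it matches.
STRICT = {"REGEX": r"%ASA-\d-\d+:",
          "FORMAT": "sourcetype::cisco:asa",
          "DEST_KEY": "MetaData:Sourcetype"}
WITH_CLASS = {"REGEX": r"%ASA-(?:[A-Za-z]+-)?\d-\d+:",
              "FORMAT": "sourcetype::cisco:asa",
              "DEST_KEY": "MetaData:Sourcetype"}


def resolve_sourcetype(event, transforms, default="syslog"):
    """Emulate a TRANSFORMS-<name> list: run each REGEX against the raw event;
    every match rewrites the sourcetype, so the last matching stanza wins."""
    sourcetype = default
    for t in transforms:
        if t["DEST_KEY"] != "MetaData:Sourcetype":
            continue  # only sourcetype-forcing stanzas matter here
        if re.search(t["REGEX"], event):
            # FORMAT is "sourcetype::<value>"; keep only the value part.
            sourcetype = t["FORMAT"].split("::", 1)[1]
    return sourcetype


if __name__ == "__main__":
    for name, event in (("posted", SAMPLE_EVENT), ("plain", PLAIN_EVENT)):
        print(f"{name:6} strict={resolve_sourcetype(event, [STRICT])} "
              f"with_class={resolve_sourcetype(event, [WITH_CLASS])}")
```

Running the REGEX from the add-on's actual transforms.conf through the same check against a real sample line tells you whether the props.conf stanza is the problem before touching inputs.conf.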

aakwah
Builder

Hello,

I think you should have the following stanza in your inputs.conf:

/opt/splunk/etc/apps/Splunk_TA_cisco-asa/default/inputs.conf

[tcp://PIX_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false

Regards

0 Karma

rb51
Explorer

Hi aakwah,

Thank you for replying to my post.

We are on Windows, and browsing the following path:

$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/default

There is no inputs.conf file there.

Should I create one??? Should I have as many stanzas as ASA firewalls we are monitoring???

Also, should it be UDP rather than TCP??? Should source be syslog rather than cisco:asa? The problem is sourcetype....

[udp://ASA1_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false

[udp://ASA2_IP:514]
source = cisco:asa
sourcetype = cisco:asa
disabled = false

and so on???

0 Karma

richgalloway
SplunkTrust

Never add or edit a file in a default directory. Put your changes in local, instead, creating a file if required.

One should use TCP rather than UDP when possible.

---
If this reply helps you, Karma would be appreciated.
0 Karma

rb51
Explorer

Rich,

Thanks for that....

What I cannot understand is that there must be thousands of Splunk users using the Cisco Security Suite and the Add-on..... Why is there no config guide with the parameters, etc.? I could not find anything in the App documentation mentioning inputs.conf.

I am lost, to be honest.

0 Karma