
Splunk Add-on for Cisco ASA: Why is the Syslog server used as the host name, not the ASA Device Name? How do I fix this?


I currently have Splunk 6.2.3 running, and am successfully receiving data for ASAs and ISE via the Cisco Security Suite (latest) with add-ons for each as required (also latest).

The issue I have is that while my ASA host-names appear inside of the logs themselves, reporting shows them all under one host in CSS, that host-name being my syslog server.

Here is an example of a raw log from syslog:

Jul  6 15:21:35 myasa1 %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.112/0 gaddr 10.10.10.11/3244 laddr 10.10.10.11/3244

My syslog server is running a Universal Forwarder. Its inputs.conf looks like this:

[monitor:///syslog-data/asa-fw.log]
source=syslog
sourcetype=cisco:asa
host =

I am unable to place each ASA's logs into a separate file, so I am hoping for some other solution.
My ESA data, which did not contain my Ironport host-names, was separated into separate files, based on host-name, but I cannot do that here.

BTW, my individual ASA hosts are showing up as "dvc", but this field is not in use for my reporting, and I really do not want to rewrite all of the great reports that CSS provides.

Thanks in advance,

-mi
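The standard way to get the device name out of the syslog header and into Splunk's `host` field, without splitting the file per device, is an index-time transform (props.conf/transforms.conf with `DEST_KEY = MetaData:Host`) applied where the data is parsed, i.e. on the indexer or a heavy forwarder, not on the universal forwarder. The script below is an added example, not code from the question or from the Cisco add-on: it carries the regex that would go into transforms.conf, runs it over a handful of constructed ASA syslog lines in the same format as the one quoted above, and shows the fallback Splunk applies when the regex does not match (the event keeps the forwarder's host). The forwarder name `syslogsrv`, the devices `myasa2` and `myasa3`, and the stanza name `asa_syslog_host` are assumptions.

```python
import re
from collections import Counter

# Assumed name of the syslog server that runs the universal forwarder; this is
# the host Splunk assigns when nothing overrides it.
FORWARDER_HOST = "syslogsrv"

# Constructed sample events. The first line is the format quoted in the
# question; the others are made up in the same shape, including one with a
# <PRI> prefix and one non-ASA line written by the syslog server itself.
SAMPLE_EVENTS = [
    "Jul  6 15:21:35 myasa1 %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.112/0 gaddr 10.10.10.11/3244 laddr 10.10.10.11/3244",
    "Jul  6 15:21:36 myasa2 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    "Jul  6 15:21:37 myasa1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.9/22 by access-group \"outside_in\"",
    "<166>Jul  6 15:21:38 myasa3 %ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.5/51235 to outside:203.0.113.1/51235",
    "Jul  6 15:21:39 syslogsrv CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",
]

# The same expression goes into transforms.conf below. It allows an optional
# <PRI> prefix, matches the BSD syslog timestamp, captures the hostname, and
# only fires when an ASA message ID follows, so non-ASA lines are untouched.
ASA_HOST_RE = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s+%ASA-\d-\d{6}:"
)

# Assumed configuration for the parsing tier (indexer / heavy forwarder).
HOST_TRANSFORM_CONF = r"""
# props.conf
[cisco:asa]
TRANSFORMS-asa_syslog_host = asa_syslog_host

# transforms.conf
[asa_syslog_host]
REGEX = ^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s+%ASA-\d-\d{6}:
FORMAT = host::$1
DEST_KEY = MetaData:Host
"""


def extract_host(event: str, default_host: str = FORWARDER_HOST) -> str:
    """Return the ASA device name from the syslog header.

    When the regex does not match, Splunk leaves the host as it was, which for
    a monitored file on the forwarder is the forwarder's own name; the same
    fallback is reproduced here.
    """
    m = ASA_HOST_RE.match(event)
    return m.group(1) if m else default_host


def host_counts(events, default_host: str = FORWARDER_HOST) -> dict:
    """Event count per resulting host, i.e. what per-device reports would see."""
    return dict(Counter(extract_host(e, default_host) for e in events))


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{extract_host(e):<10} {e[:60]}")
    print(host_counts(SAMPLE_EVENTS))
```

Two points worth keeping in mind when deploying the conf fragment: the transform runs at index time, so it changes `host` only for events indexed after it is in place, and the events already under the syslog server's name stay as they are; and the search-time `dvc` field the add-on already extracts is unaffected, so existing reports keyed on `host` and any keyed on `dvc` will agree for new data.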
