All Apps and Add-ons

Splunk Add-on for Cisco ASA: Why is the Syslog server used as the host name, not the ASA Device Name? How do I fix this?


I currently have Splunk 6.2.3 running, and successfully receiving data for ASA's and ISE via the Cisco Security Suite (latest) with add-ons for each as required (also latest).

The issue I have is that while my ASA host-names appear inside of the logs themselves, reporting shows them all under one host in CSS, that host-name being my syslog server.

Here is an example of a raw log from syslog:

Jul  6 15:21:35 myasa1 %ASA-6-302020: Built outbound ICMP connection for faddr gaddr laddr

My syslog server is running a Universal Forwarder. Its inputs.conf looks like this:

host =

I am unable to place each ASA's logs into a separate file, so I am hoping for some other solution.
My ESA data, which did not contain my Ironport host-names, was separated into separate files, based on host-name, but I cannot do that here.

BTW, my individual ASA hosts are showing up as "dvc", but this field is not in use for my reporting, and I really do not want to rewrite all of the great reports that CSS provides.

Thanks in advance,


0 Karma