I currently have Splunk 6.2.3 running, and successfully receiving data for ASA's and ISE via the Cisco Security Suite (latest) with add-ons for each as required (also latest).
The issue I have is that while my ASA host-names appear inside of the logs themselves, reporting shows them all under one host in CSS, that host-name being my syslog server.
Here is an example of a raw log from syslog:
Jul 6 15:21:35 myasa1 %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.112/0 gaddr 10.10.10.11/3244 laddr 10.10.10.11/3244
My syslog server is running a Universal Forwarder. Its inputs.conf looks like this:
[monitor:///syslog-data/asa-fw.log]
source=syslog
sourcetype=cisco:asa
host =
I am unable to place each ASA's logs into a separate file, so I am hoping for some other solution.
My ESA data, which did not contain my Ironport host-names, was separated into separate files, based on host-name, but I cannot do that here.
BTW, my individual ASA hosts are showing up as "dvc", but this field is not in use for my reporting, and I really do not want to rewrite all of the great reports that CSS provides.
Thanks in advance,
-mi