
Splunk Add-on for Cisco ASA not transforming data from syslog to cisco:asa

idsersupport
Explorer

I cannot get our Splunk 6.x server with the Splunk Add-on for Cisco ASA to transform the syslog data to the cisco:asa sourcetype so it will show in the Cisco Security Suite. I have the old version (Cisco Firewall add-on) on a Splunk 5.x server and it works fine, but the new Splunk 6.x one does not work. Everything I see on the web points to the old Cisco Firewall add-on, not the new Splunk Add-on for Cisco ASA for Splunk 6.x. I have copied the transforms.conf and props.conf to the \Splunk\etc\apps\Splunk_TA_cisco-asa\local directory and restarted the server, but it is still not working. I type "splunk cmd btool props list syslog" to see if they show up, but they do not.

1 Solution

idsersupport
Explorer

Fixed my issue: it was the source where the data was coming from. Since I have the data coming from a syslog server to Splunk, I needed to use that as the source (syslog server). This was not an issue in the old Cisco Firewall app used in Splunk 5.x.

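An added example, not from this thread or from the add-on's shipped configuration, showing the shape of the fix the answer describes: the sourcetype-forcing transform is keyed on the source the relayed events actually carry instead of the generic [syslog] stanza. The source path, the stanza names and the ASA regex are assumptions.

```ini
# props.conf in Splunk_TA_cisco-asa/local (assumed layout, not the add-on's own file)

# Does not fire here: events relayed through the syslog server arrive under a
# file source, so a stanza keyed on the plain syslog sourcetype never matches them.
# [syslog]
# TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_asa

# Fix: key the transform on the syslog server's source path instead.
# The path is a placeholder; "..." is Splunk's wildcard for any characters including "/".
[source::/var/log/syslog-server/...]
TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_asa

# transforms.conf in the same directory
[force_sourcetype_for_cisco_asa]
# ASA messages carry a "%ASA-<severity>-<message id>:" tag, e.g. %ASA-6-302013:
# (assumed regex; it rewrites the sourcetype at index time, so only new events change)
REGEX = %ASA-\d-\d{6}:
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:asa
```

With a source-keyed stanza, "splunk cmd btool props list syslog" will not show the transform; run "splunk cmd btool props list --debug" and look for the [source::...] stanza to confirm which file it is being read from.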


idsersupport
Explorer

I know it is not working because I don't see this in the syslog output when I type "splunk cmd btool props list syslog":

TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall

I can't figure out why.


idsersupport
Explorer

Where is the macros.conf? Would this be for Splunk or the Splunk_TA_cisco-asa app?


tmarlette
Motivator

Have you checked to make sure that the 'macros.conf' is doing things properly to your sourcetypes?
