All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-on for Cisco ASA not transforming data from syslog to cisco:asa

idsersupport
Explorer
‎07-18-2014 10:05 AM

I can not get our splunk 6.x server with Splunk Add-on for Cisco ASA to transform the syslog data to cisco:aas for sourcetype so it will show in the Cisco Security Suite. I have the old versions (Cisco Firewall add-on) on a Splunk 5.x and they work fine, but the new Splunk 6.x does not work. Everything I see on the web points to the old Cisco Firewall add-on but not the new Splunk Add-on for Cisco ASA for Splunk 6.x. I have copied the transforms.conf and props.conf to the \Splunk\etc\apps\Splunk_TA_cisco-asa\local directory and restarted the server, but still not working. I type "splunk cmd btool props list syslog" to see if they show up, but they do not.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

idsersupport
Explorer
‎07-21-2014 09:28 AM

Fixed my issue, it was the source where the data was coming from. Since I have the data coming from a syslog server to splunk, I needed to use that as the source (syslog server). This was not an issue in the old Cisco Firewall app used in splunk 5.x.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

idsersupport
Explorer
‎07-21-2014 09:28 AM

Fixed my issue, it was the source where the data was coming from. Since I have the data coming from a syslog server to splunk, I needed to use that as the source (syslog server). This was not an issue in the old Cisco Firewall app used in splunk 5.x.

0 Karma
Reply
Solved! Jump to solution

idsersupport
Explorer
‎07-18-2014 10:32 AM

I know it is not work cause I don't see this in the syslog whey I type "splunk cmd btool props list syslog"

TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix,
force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetyp
e_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catc
hall

I can't figure it out why?

0 Karma
Reply
Solved! Jump to solution

idsersupport
Explorer
‎07-18-2014 10:18 AM

Where is the macros.conf? Would this be for Splunk or the Splunk_TA_cisco-asa app?

0 Karma
Reply
Solved! Jump to solution

tmarlette
Motivator
‎07-18-2014 10:14 AM

have you checked to make sure that the 'macros.conf' is doing things properly to your sourcetypes?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...