
Splunk Add-on for Cisco ASA not transforming data from syslog to cisco:asa

idsersupport
Explorer

I cannot get our Splunk 6.x server with Splunk Add-on for Cisco ASA to transform the syslog data to the cisco:asa sourcetype so it will show in the Cisco Security Suite. I have the old version (Cisco Firewall add-on) on a Splunk 5.x server and it works fine, but the new Splunk 6.x does not work. Everything I see on the web points to the old Cisco Firewall add-on, not the new Splunk Add-on for Cisco ASA for Splunk 6.x. I have copied the transforms.conf and props.conf to the \Splunk\etc\apps\Splunk_TA_cisco-asa\local directory and restarted the server, but it is still not working. I type "splunk cmd btool props list syslog" to see if they show up, but they do not.

0 Karma
1 Solution

idsersupport
Explorer

Fixed my issue, it was the source where the data was coming from. Since I have the data coming from a syslog server to splunk, I needed to use that as the source (syslog server). This was not an issue in the old Cisco Firewall app used in splunk 5.x.


0 Karma
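
As an added illustration of the fix described in the accepted answer (this is example configuration written for this page, not the original poster's files and not the add-on's own defaults): the add-on's sourcetype-forcing transforms are attached to a `[syslog]` sourcetype stanza, so events that arrive from a syslog server under a different source or sourcetype never pass through them. Binding the same transform class to the actual source in `Splunk_TA_cisco-asa/local/props.conf` makes the transforms fire. The source path is an assumption; the transform names are the ones listed in the btool output later in this thread.

```ini
# Splunk_TA_cisco-asa/local/props.conf  (added example; the file path in the
# stanza name is assumed and must match what Splunk records as the event source)
#
# Events relayed by the syslog server land with this source, not with the
# "syslog" sourcetype the add-on's default stanza keys on, so attach the
# same transform class here. The transforms themselves are defined in the
# add-on's default/transforms.conf and are referenced by name only.
[source::/var/log/syslog/ciscoasa.log]
TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall
```

After restarting, `splunk cmd btool props list "source::/var/log/syslog/ciscoasa.log" --debug` should print the stanza with the local file it came from; if the forwarder identifies the relay by host rather than by file path, a `[host::<syslog-server>]` stanza carrying the same `TRANSFORMS-` line does the same job. Because the transforms set the sourcetype per event, one source can still yield cisco:asa, cisco:pix and the other Cisco sourcetypes side by side.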

idsersupport
Explorer

I know it is not working because I don't see this in the syslog stanza when I type "splunk cmd btool props list syslog":

TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall

I can't figure out why.

0 Karma

idsersupport
Explorer

Where is the macros.conf? Would this be for Splunk or the Splunk_TA_cisco-asa app?

0 Karma

tmarlette
Motivator

Have you checked to make sure that the 'macros.conf' is doing things properly to your sourcetypes?

0 Karma