I can not get our splunk 6.x server with Splunk Add-on for Cisco ASA to transform the syslog data to cisco:aas for sourcetype so it will show in the Cisco Security Suite. I have the old versions (Cisco Firewall add-on) on a Splunk 5.x and they work fine, but the new Splunk 6.x does not work. Everything I see on the web points to the old Cisco Firewall add-on but not the new Splunk Add-on for Cisco ASA for Splunk 6.x. I have copied the transforms.conf and props.conf to the \Splunk\etc\apps\Splunk_TA_cisco-asa\local directory and restarted the server, but still not working. I type "splunk cmd btool props list syslog" to see if they show up, but they do not.
Fixed my issue, it was the source where the data was coming from. Since I have the data coming from a syslog server to splunk, I needed to use that as the source (syslog server). This was not an issue in the old Cisco Firewall app used in splunk 5.x.
Fixed my issue, it was the source where the data was coming from. Since I have the data coming from a syslog server to splunk, I needed to use that as the source (syslog server). This was not an issue in the old Cisco Firewall app used in splunk 5.x.
I know it is not work cause I don't see this in the syslog whey I type "splunk cmd btool props list syslog"
TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix,
force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetyp
e_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catc
hall
I can't figure it out why?
Where is the macros.conf? Would this be for Splunk or the Splunk_TA_cisco-asa app?
have you checked to make sure that the 'macros.conf' is doing things properly to your sourcetypes?