Splunk Add-on for Cisco ASA not transforming data from syslog to cisco:asa

idsersupport
Explorer

I cannot get our Splunk 6.x server with the Splunk Add-on for Cisco ASA to transform the syslog data to cisco:asa for sourcetype so it will show in the Cisco Security Suite. I have the old versions (Cisco Firewall add-on) on a Splunk 5.x server and they work fine, but the new Splunk 6.x does not work. Everything I see on the web points to the old Cisco Firewall add-on but not the new Splunk Add-on for Cisco ASA for Splunk 6.x. I have copied the transforms.conf and props.conf to the \Splunk\etc\apps\Splunk_TA_cisco-asa\local directory and restarted the server, but it is still not working. I type "splunk cmd btool props list syslog" to see if they show up, but they do not.


idsersupport
Explorer

Fixed my issue; it was the source where the data was coming from. Since I have the data coming from a syslog server to Splunk, I needed to use that as the source (syslog server). This was not an issue in the old Cisco Firewall app used in Splunk 5.x.

idsersupport
Explorer

I know it is not working because I don't see this in the syslog when I type "splunk cmd btool props list syslog":

TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall

I can't figure out why.


idsersupport
Explorer

Where is the macros.conf? Would this be for Splunk or the Splunk_TA_cisco-asa app?


tmarlette
Motivator

Have you checked to make sure that the 'macros.conf' is doing things properly to your sourcetypes?
