Splunk_CiscoFirewalls & Cisco Security Suite to 2.0 -- not setting sourcetype

dbylertbg
Path Finder

I just updated my Splunk for Cisco Firewalls to 2.0 along with the Cisco Security Suite (also updated to 2.0).

The installs failed through the UI so I downloaded and decompressed the apps and put them in apps, rebooted Splunk. Suddenly instead of seeing sourcetype=cisco_asa, I see nothing but sourcetype=syslog.

I checked all the config files, and all the new files from the update were using non-windows-friendly line breaks. I fixed that (I think) and rebooted splunk again, but still getting just "syslog" source type.

Any advice?

1 Solution

Georgia_Highlan
Engager

Here's the problem guys:

Here is the cisco_asa section for transforms.conf in version 2.0 of the app (located in the "default" directory):

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
#REGEX = %ASA-\d+-\d+
REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa

Notice the commented out REGEX string. Yeah -- that's what makes it work. No clue why they did this. The two dashes after the ASA in the uncommented REGEX do NOT match. To fix, do NOT edit transforms.conf as it may be overwritten in future updates. Instead, create a file called transforms.conf in the local directory, then paste the corrected stanza above and bounce Splunk. Fixed my issue immediately.

Richard

idsersupport
Explorer

I had the same thing too. I added the transforms.conf file in the app (/Splunk_Home/etc/apps/[Cisco_app]/local/) and it started to work again. I found the info from this post, http://splunk-base.splunk.com//answers/42936/cisco-asa-logging-format-change.

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\w+-\w+
FORMAT = sourcetype::cisco_asa
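A quick way to confirm which of the three REGEX values above (the shipped double-dash one, the commented-out original, and the \w+ variant from the post just above) actually forces the sourcetype is to replay them against a few ASA lines. The script below is an added example, not code from the thread or from the Splunk app: it is a simplified emulation of how a transforms.conf stanza with DEST_KEY = MetaData:Sourcetype is applied, run over constructed sample events (Python's re behaves the same as Splunk's PCRE for these particular patterns).

```python
import re

# Constructed sample events (not taken from the thread): two ASA syslog lines
# with different severity / message IDs, plus one non-ASA line for contrast.
SAMPLE_EVENTS = [
    "Oct  7 10:15:02 fw01 %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.12/51234",
    "Oct  7 10:15:03 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 "
    "dst inside:10.0.0.12/22 by access-group \"outside_in\"",
    "Oct  7 10:15:04 fw01 sshd[812]: Accepted publickey for admin from 10.0.0.5",
]

# The three REGEX values quoted in the thread, each as a transforms.conf stanza.
STANZAS = {
    "default 2.0 (broken)":   {"DEST_KEY": "MetaData:Sourcetype",
                               "REGEX": r"%ASA--\d+-\d+",
                               "FORMAT": "sourcetype::cisco_asa"},
    "commented-out original": {"DEST_KEY": "MetaData:Sourcetype",
                               "REGEX": r"%ASA-\d+-\d+",
                               "FORMAT": "sourcetype::cisco_asa"},
    "local/ with \\w+":       {"DEST_KEY": "MetaData:Sourcetype",
                               "REGEX": r"%ASA-\w+-\w+",
                               "FORMAT": "sourcetype::cisco_asa"},
}


def apply_transform(event, stanza, default_sourcetype="syslog"):
    """Simplified emulation of a sourcetype-override transform: if REGEX matches
    anywhere in the raw event, the name after 'sourcetype::' in FORMAT becomes
    the event's sourcetype; otherwise the input's default sourcetype is kept."""
    if stanza["DEST_KEY"] != "MetaData:Sourcetype":
        raise ValueError("only MetaData:Sourcetype overrides are emulated here")
    key, _, value = stanza["FORMAT"].partition("::")
    if key != "sourcetype" or not value:
        raise ValueError("FORMAT must look like sourcetype::<name>")
    return value if re.search(stanza["REGEX"], event) else default_sourcetype


def evaluate(stanzas=STANZAS, events=SAMPLE_EVENTS):
    """Return {stanza name: [resulting sourcetype for each event]}."""
    return {name: [apply_transform(e, s) for e in events]
            for name, s in stanzas.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(f"{name:24s} -> {results}")
```

Only the shipped double-dash stanza leaves every ASA line as syslog; the other two force cisco_asa on the ASA lines and leave the sshd line alone.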
