Splunk_CiscoFirewalls & Cisco Security Suite to 2.0 -- not setting sourcetype

dbylertbg
Path Finder

I just updated my Splunk for Cisco Firewalls to 2.0 along with the Cisco Security Suite (also updated to 2.0).

The installs failed through the UI, so I downloaded and decompressed the apps, put them in apps, and rebooted Splunk. Suddenly, instead of seeing sourcetype=cisco_asa, I see nothing but sourcetype=syslog.

I checked all the config files, and all the new files from the update were using non-Windows-friendly line breaks. I fixed that (I think) and rebooted Splunk again, but I am still getting just the "syslog" sourcetype.

Any advice?

1 Solution

Georgia_Highlan
Engager

Here's the problem, guys:

Here is the cisco_asa section for transforms.conf in version 2.0 of the app (located in the "default" directory):

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
#REGEX = %ASA-\d+-\d+
REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa

Notice the commented out REGEX string. Yeah -- that's what makes it work. No clue why they did this. The two dashes after the ASA in the uncommented REGEX do NOT match. To fix, do NOT edit transforms.conf as it may be overwritten in future updates. Instead, create a file called transforms.conf in the local directory, then paste the corrected stanza above and bounce Splunk. Fixed my issue immediately.

Richard


idsersupport
Explorer

I had the same thing too. I added the transforms.conf file in the app (/Splunk_Home/etc/apps/[Cisco_app]/local/) and it started to work again. I found the info from this post, http://splunk-base.splunk.com//answers/42936/cisco-asa-logging-format-change.

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\w+-\w+
FORMAT = sourcetype::cisco_asa
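To see why the 2.0 default stanza silently leaves everything as syslog while both fixes in this thread (the commented-out `\d+` regex in the accepted answer and idsersupport's `\w+` variant) work, here is an added example that emulates the transforms.conf override against a few constructed ASA and non-ASA syslog lines. It is not code from the thread or from the Splunk app; the sample events are made up, and Python's `re` is used as a stand-in for Splunk's PCRE engine, which is equivalent for these patterns.

```python
import re

# Constructed sample events (not from the thread): two Cisco ASA syslog lines
# and one ordinary Linux sshd line that must stay sourcetype=syslog.
SAMPLE_EVENTS = [
    "Mar 14 10:22:01 fw01 %ASA-6-302013: Built outbound TCP connection 1234 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.8/51234 (10.0.0.8/51234)",
    '<166>%ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.20/22 '
    'by access-group "outside_in"',
    "Mar 14 10:22:02 host01 sshd[2211]: Accepted publickey for admin from 10.0.0.5 port 50000 ssh2",
]

# The three REGEX values that appear in this thread.
REGEXES = {
    "default_2.0_broken": r"%ASA--\d+-\d+",   # shipped in default/transforms.conf
    "commented_out_works": r"%ASA-\d+-\d+",   # the line the app left commented out
    "idsersupport_works": r"%ASA-\w+-\w+",    # variant from the second answer
}


def assign_sourcetype(event, regex, default="syslog"):
    """Emulate the stanza: REGEX is searched (unanchored) against _raw; on a match
    DEST_KEY MetaData:Sourcetype is set from FORMAT = sourcetype::cisco_asa,
    otherwise the input's existing sourcetype (here "syslog") is left alone."""
    return "cisco_asa" if re.search(regex, event) else default


def evaluate(regex, events=SAMPLE_EVENTS):
    """Return the sourcetype each sample event would end up with under one REGEX."""
    return [assign_sourcetype(e, regex) for e in events]


if __name__ == "__main__":
    for name, rx in REGEXES.items():
        # The broken regex needs two dashes after ASA, which no real ASA
        # message has, so every event stays "syslog"; both fixes tag the ASA
        # lines as cisco_asa and leave the sshd line untouched.
        print(f"{name:20s} {evaluate(rx)}")
```

After dropping the corrected stanza into local/transforms.conf, `splunk btool transforms list force_sourcetype_for_cisco_asa --debug` shows which file's REGEX Splunk actually loaded, so you can confirm local is winning over default before restarting.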
