I just updated my Splunk for Cisco Firewalls to 2.0 along with the Cisco Security Suite (also updated to 2.0).
The installs failed through the UI, so I downloaded and decompressed the apps, put them in apps, and rebooted Splunk. Suddenly, instead of seeing sourcetype=cisco_asa, I see nothing but sourcetype=syslog.
I checked all the config files, and all the new files from the update were using non-Windows-friendly line breaks. I fixed that (I think) and rebooted Splunk again, but I'm still getting just the "syslog" source type.
Any advice?
Here's the problem guys:
Here is the cisco_asa section for transforms.conf in version 2.0 of the app (located in the "default" directory):
[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
#REGEX = %ASA-\d+-\d+
REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa
Notice the commented out REGEX string. Yeah -- that's what makes it work. No clue why they did this. The two dashes after the ASA in the uncommented REGEX do NOT match. To fix, do NOT edit transforms.conf as it may be overwritten in future updates. Instead, create a file called transforms.conf in the local directory, then paste the corrected stanza above and bounce Splunk. Fixed my issue immediately.
Richard
I had the same thing too. I added the transforms.conf file in the app (/Splunk_Home/etc/apps/[Cisco_app]/local/) and it started to work again. I found the info from this post, http://splunk-base.splunk.com//answers/42936/cisco-asa-logging-format-change.
[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\w+-\w+
FORMAT = sourcetype::cisco_asa
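To see why the shipped stanza sends everything to sourcetype=syslog while both fixes above work, here is an added Python check (not from this thread or the Splunk app) that mimics the transform: it runs each of the three REGEX values from the two answers against constructed sample syslog events and reports the sourcetype each event would end up with.

```python
import re

# Constructed sample syslog events (not from the original post): two Cisco ASA
# messages and one unrelated sshd message that must stay sourcetype=syslog.
SAMPLE_EVENTS = [
    "<166>Jul 12 10:15:01 fw01 %ASA-6-302013: Built outbound TCP connection 1234 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.10/51234 (192.0.2.10/51234)",
    "<164>Jul 12 10:15:02 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 "
    "dst inside:192.0.2.10/22 by access-group outside_in",
    "<38>Jul 12 10:15:03 host01 sshd[4321]: Accepted publickey for admin from 192.0.2.20 port 50000 ssh2",
]

# The three REGEX values from the thread: the shipped 2.0 default (broken, two
# dashes), the commented-out original, and the \w+ variant from the second answer.
REGEX_SHIPPED_2_0 = r"%ASA--\d+-\d+"
REGEX_COMMENTED_OUT = r"%ASA-\d+-\d+"
REGEX_SECOND_ANSWER = r"%ASA-\w+-\w+"


def apply_transform(events, regex, default_sourcetype="syslog"):
    """Mimic the force_sourcetype_for_cisco_asa transform.

    Splunk runs REGEX as an unanchored PCRE search over the raw event; when it
    matches, DEST_KEY MetaData:Sourcetype is rewritten by FORMAT to cisco_asa,
    otherwise the event keeps the sourcetype the input assigned (syslog here).
    Python's re module behaves the same as PCRE for these simple patterns.
    """
    pattern = re.compile(regex)
    return [
        "cisco_asa" if pattern.search(event) else default_sourcetype
        for event in events
    ]


def count_asa(events, regex):
    """Number of events the given REGEX would route to sourcetype=cisco_asa."""
    return sum(1 for st in apply_transform(events, regex) if st == "cisco_asa")


if __name__ == "__main__":
    for name, regex in [("shipped 2.0", REGEX_SHIPPED_2_0),
                        ("commented-out", REGEX_COMMENTED_OUT),
                        ("second answer", REGEX_SECOND_ANSWER)]:
        print(f"{name:14s} {regex:16s} -> {apply_transform(SAMPLE_EVENTS, regex)}")
```

With the shipped pattern no ASA event matches, which is exactly the all-syslog symptom in the question; either corrected pattern routes the ASA events and leaves the sshd line alone.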