Splunk_CiscoFirewalls & Cisco Security Suite to 2.0 -- not setting sourcetype

dbylertbg
Path Finder

I just updated my Splunk for Cisco Firewalls to 2.0 along with the Cisco Security Suite (also updated to 2.0).

The installs failed through the UI so I downloaded and decompressed the apps and put them in apps, rebooted splunk. Suddenly instead of seeing sourcetype=cisco_asa, I see nothing but sourcetype=syslog.

I checked all the config files, and all the new files from the update were using non-windows-friendly line breaks. I fixed that (I think) and rebooted splunk again, but still getting just "syslog" source type.

Any advice?

1 Solution

Georgia_Highlan
Engager

Here's the problem guys:

Here is the cisco_asa section for transforms.conf in version 2.0 of the app (located in the "default" directory):

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
#REGEX = %ASA-\d+-\d+
REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa

Notice the commented out REGEX string. Yeah -- that's what makes it work. No clue why they did this. The two dashes after the ASA in the uncommented REGEX do NOT match. To fix, do NOT edit transforms.conf as it may be overwritten in future updates. Instead, create a file called transforms.conf in the local directory, then paste the corrected stanza above and bounce Splunk. Fixed my issue immediately.

Richard

idsersupport
Explorer

I had the same thing too. I added the transforms.conf file in the app (/Splunk_Home/etc/apps/[Cisco_app]/local/) and it started to work again. I found the info from this post, http://splunk-base.splunk.com//answers/42936/cisco-asa-logging-format-change.

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\w+-\w+
FORMAT = sourcetype::cisco_asa
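To see why the shipped stanza falls through to sourcetype=syslog while the corrected stanza from the accepted answer and the \w+ variant in the comment above both work, here is an added Python example (not code from the thread or from the Splunk app) that parses a transforms.conf-style stanza the same way Splunk would, ignoring # comment lines, and applies its REGEX/FORMAT to a few constructed ASA and plain syslog events. Python's re module stands in for Splunk's PCRE engine; the sample events, hostnames and addresses are constructed, and the third event is a made-up line with a non-numeric middle field that only exists to show that \w+ matches more than \d+.

```python
import re

# Constructed sample events; not taken from the original thread.
SAMPLE_EVENTS = [
    "Mar  1 12:00:00 fw01 %ASA-6-302013: Built outbound TCP connection 1234 "
    "for outside:203.0.113.5/443",
    "Mar  1 12:00:01 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 "
    "dst inside:10.0.0.5/22",
    # Made-up variant: alphanumeric field after %ASA-, so \d+ fails but \w+ matches.
    "Mar  1 12:00:02 fw01 %ASA-session-6-302013: constructed non-numeric field",
    "Mar  1 12:00:03 host01 sshd[123]: Accepted publickey for admin from 10.0.0.9",
]

# The stanza as shipped in default/transforms.conf (active REGEX has two dashes).
SHIPPED_STANZA = """[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
#REGEX = %ASA-\\d+-\\d+
REGEX = %ASA--\\d+-\\d+
FORMAT = sourcetype::cisco_asa
"""

# The corrected stanza for local/transforms.conf (the commented-out REGEX restored).
FIXED_STANZA = SHIPPED_STANZA.replace("%ASA--", "%ASA-")

# The \w+ variant posted in the last comment.
WORD_STANZA = SHIPPED_STANZA.replace("REGEX = %ASA--\\d+-\\d+", "REGEX = %ASA-\\w+-\\w+")


def parse_stanza(text):
    """Minimal parser for one transforms.conf stanza: lines starting with '#'
    are comments and are skipped, so a commented-out REGEX has no effect;
    the stanza header is skipped; a repeated key keeps its last value."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def resolve_sourcetype(stanza_text, event, default="syslog"):
    """Mimic DEST_KEY = MetaData:Sourcetype: if REGEX matches anywhere in the
    raw event, FORMAT's sourcetype::<name> wins; otherwise the input keeps
    the sourcetype it arrived with (syslog in the thread)."""
    cfg = parse_stanza(stanza_text)
    forced = cfg["FORMAT"].split("::", 1)[1]
    return forced if re.search(cfg["REGEX"], event) else default


def classify_all(stanza_text, events=SAMPLE_EVENTS):
    """Return the sourcetype each sample event would receive under the stanza."""
    return [resolve_sourcetype(stanza_text, e) for e in events]
```

Run classify_all on each of the three stanzas to see that the shipped one tags every event syslog, the fixed one tags the two real-looking ASA events cisco_asa, and the \w+ one additionally catches the constructed alphanumeric variant.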
