All Apps and Add-ons

Splunk_CiscoFirewalls & Cisco Security Suite to 2.0 -- not setting sourcetype

Path Finder

I just updated my Splunk for Cisco Firewalls to 2.0 along with the Cisco Security Suite (also updated to 2.0).

The installs failed through the UI so I downloaded and decompressed the apps and put them apps, rebooted splunk. Suddenly instead of seeing sourcetype=cisco_asa, I see nothing but sourcetype=syslog.

I checked all the config files, and all the new files from the update were using non-windows-friendly line breaks. I fixed that (I think) and rebooted splunk again, but still getting just "syslog" source type.

Any advise?

1 Solution

Here's the problem guys:

Here is the cisco_asa section for transforms.conf in version 2.0 of the app (located in the "default" directory):

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
#REGEX = %ASA-\d+-\d+
REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa

Notice the commented out REGEX string. Yeah -- that's what makes it work. No clue why they did this. The two dashes after the ASA in the uncommented REGEX do NOT match. To fix, do NOT edit transforms.conf as it may be overwritten in future updates. Instead, create a file called transforms.conf in the local directory, then paste the corrected stanza above and bounce Splunk. Fixed my issue immediately.

Richard

View solution in original post

Here's the problem guys:

Here is the cisco_asa section for transforms.conf in version 2.0 of the app (located in the "default" directory):

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
#REGEX = %ASA-\d+-\d+
REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa

Notice the commented out REGEX string. Yeah -- that's what makes it work. No clue why they did this. The two dashes after the ASA in the uncommented REGEX do NOT match. To fix, do NOT edit transforms.conf as it may be overwritten in future updates. Instead, create a file called transforms.conf in the local directory, then paste the corrected stanza above and bounce Splunk. Fixed my issue immediately.

Richard

View solution in original post

Explorer

I had the same thing too. I added the transforms.conf file in the app (/Splunk_Home/etc/apps/[Cisco_app]/local/) and it started to work again. I found the info from this post, http://splunk-base.splunk.com//answers/42936/cisco-asa-logging-format-change.

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\w+-\w+
FORMAT = sourcetype::cisco_asa

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!