
Why am I not getting the cisco:acs sourcetype after installing Add-on for Cisco ACS 5.x?

New Member

I've installed the add-on for Cisco ACS TA-cisco_acs but I am still not getting the cisco:acs sourcetype. Can anyone help me?

Re: Why am I not getting the cisco:acs sourcetype after installing Add-on for Cisco ACS 5.x?

Builder

Are you seeing data from the ACS? What sourcetype is it showing as currently?

Re: Why am I not getting the cisco:acs sourcetype after installing Add-on for Cisco ACS 5.x?

Splunk Employee

The TA does not automatically sourcetype the data for you like some of the other add-ons do. You need to either set the sourcetype by editing an input, or add an entry in props.conf and transforms.conf to sourcetype by matching a pattern in the event.

Create or edit a file called props.conf. The syslog stanza should be whatever sourcetype the ACS data is currently showing up as -

[syslog]
# index-time sourcetype override must use a TRANSFORMS- class (REPORT- is search-time only)
TRANSFORMS-acessourcetype = forcesourcetypeforciscoacs

Create or edit a file transforms.conf in etc/system/local/ -
[forcesourcetypeforciscoacs]
# rewrite the sourcetype of any event whose raw text matches REGEX
DEST_KEY = MetaData:Sourcetype
REGEX = CisACS-\d+-\d+
FORMAT = sourcetype::cisco:acs

You might need to change the regular expression to match the event exactly but if you give me an example I can help you.
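
To check a sourcetype-override transform before deploying it, here is an added Python script (not from the thread and not part of the add-on) that mimics what a TRANSFORMS- class in props.conf does: each listed transforms.conf stanza whose REGEX matches the raw event and whose DEST_KEY is MetaData:Sourcetype rewrites the sourcetype from its FORMAT. It runs the answer's stanza and a hypothetical second stanza keyed on the `CSCOacs` marker from the sample line quoted later in this thread, plus a constructed unrelated syslog line to confirm neither regex fires on it. The stanza name `forcesourcetypeforciscoacs5`, its `CSCOacs` regex, and the two extra sample lines are assumptions made for this example.

```python
import re

# Sample events. The first is the line quoted later in this thread; the other
# two are constructed for this example.
SAMPLE_EVENTS = [
    "Jul 31 10:25:20 gthou-nsacs01p.energy.sug.pri Jul 31 10:25:12 gthou-nsacs01p "
    "CSCOacsPassedAuthentications 0083647704 11",
    "Jul 31 10:26:01 acs-legacy CisACS-01-0001234 constructed event in the form "
    "the answer's regex expects",
    "Jul 31 10:27:15 fw01 %ASA-6-302013: Built outbound TCP connection "
    "(constructed, must stay syslog)",
]

# transforms.conf stanzas as dictionaries. The first mirrors the answer's
# stanza; the second is a hypothetical one keyed on the CSCOacs marker.
TRANSFORMS = {
    "forcesourcetypeforciscoacs": {
        "REGEX": r"CisACS-\d+-\d+",
        "FORMAT": "sourcetype::cisco:acs",
        "DEST_KEY": "MetaData:Sourcetype",
    },
    "forcesourcetypeforciscoacs5": {          # hypothetical stanza
        "REGEX": r"\bCSCOacs\w+",
        "FORMAT": "sourcetype::cisco:acs",
        "DEST_KEY": "MetaData:Sourcetype",
    },
}


def apply_transforms(event, current_sourcetype, stanza_names, transforms=TRANSFORMS):
    """Mimic 'TRANSFORMS-<class> = a, b' in props.conf: apply the named stanzas
    in order; a stanza whose REGEX matches the raw event and whose DEST_KEY is
    MetaData:Sourcetype replaces the sourcetype with the value after
    'sourcetype::'. Only sourcetype rewriting is modelled here, not other
    DEST_KEYs or $1-style FORMAT substitutions."""
    sourcetype = current_sourcetype
    for name in stanza_names:
        stanza = transforms[name]
        if stanza.get("DEST_KEY") != "MetaData:Sourcetype":
            continue
        if re.search(stanza["REGEX"], event):
            fmt = stanza["FORMAT"]
            if not fmt.startswith("sourcetype::"):
                raise ValueError(f"{name}: FORMAT must be 'sourcetype::<name>', got {fmt!r}")
            sourcetype = fmt[len("sourcetype::"):]
    return sourcetype


def classify(events, stanza_names, default="syslog"):
    """Resulting sourcetype per event, starting from the input's sourcetype."""
    return [apply_transforms(e, default, stanza_names) for e in events]


if __name__ == "__main__":
    for names in (["forcesourcetypeforciscoacs"], ["forcesourcetypeforciscoacs5"]):
        print(names)
        for event, st in zip(SAMPLE_EVENTS, classify(SAMPLE_EVENTS, names)):
            print(f"  {st:10s} <- {event[:60]}")
```

The answer's regex `CisACS-\d+-\d+` leaves the quoted `CSCOacs...` line as `syslog`, while the `\bCSCOacs\w+` stanza re-types it and still leaves the ASA line alone; anchoring on a word boundary plus a vendor-specific marker is what keeps unrelated syslog from being re-typed. Because TRANSFORMS- rules run at index time, only data indexed after the change is affected; events already indexed keep their old sourcetype.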

Re: Why am I not getting the cisco:acs sourcetype after installing Add-on for Cisco ACS 5.x?

New Member

I'm assuming I could key on CSCOacs in the syslog messages.
Jul 31 10:25:20 gthou-nsacs01p.energy.sug.pri Jul 31 10:25:12 gthou-nsacs01p CSCOacsPassedAuthentications 0083647704 11
How would I phrase the Transform and where would I put it?

Re: Why am I not getting the cisco:acs sourcetype after installing Add-on for Cisco ACS 5.x?

Splunk Employee

I updated the answers with a few more instructions. Please see if this is clear.

Re: Why am I not getting the cisco:acs sourcetype after installing Add-on for Cisco ACS 5.x?

Path Finder

Since ACS allows you to export its logs to different ports, I would also recommend opening up an explicit input for this source type. It's operationally more efficient to do so and then there isn't the risk of something being mismatched by the transform should something else creep in that unexpectedly triggers it.

Re: Why am I not getting the cisco:acs sourcetype after installing Add-on for Cisco ACS 5.x?

Path Finder

What if you want to add a new log file via the web UI? With cisco:asa in 6.2 I can add a new file to monitor and select Network & Security -> cisco:asa, but I cannot assign cisco:acs as it does not appear in the dropdown menu.

I set this in TA-cisco_acs/local/props.conf with no joy:

[cisco:acs]
TIME_PREFIX = ^
TIME_FORMAT = %B %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
pulldown_type = true
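
To see which of the two timestamps in the sample line quoted earlier in this thread the TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD settings above would pick, here is an added Python approximation (not Splunk's own timestamp code and not from the thread): it finds TIME_PREFIX, takes the next MAX_TIMESTAMP_LOOKAHEAD characters and parses the longest leading substring that fits the strptime format. Python's strptime accepts only the full month name for %B, so the script uses %b for "Jul"; syslog carries no year, so 2015 is an assumed value, and the second line without a relay header and the alternative prefix regex are constructed for the example.

```python
import re
from datetime import datetime

# The line quoted in this thread: a syslog relay header followed by the ACS
# message, which carries its own (earlier) timestamp.
RELAYED = ("Jul 31 10:25:20 gthou-nsacs01p.energy.sug.pri Jul 31 10:25:12 gthou-nsacs01p "
           "CSCOacsPassedAuthentications 0083647704 11")
# Constructed: the same message as ACS would send it straight to a UDP input.
DIRECT = "Jul 31 10:25:12 gthou-nsacs01p CSCOacsPassedAuthentications 0083647704 11"

# Settings from the props.conf stanza above, with %b because Python's strptime
# needs the full month name for %B. The year is absent from syslog; 2015 is an
# assumed value for the example.
TIME_PREFIX = r"^"
TIME_FORMAT = "%b %d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 19
ASSUMED_YEAR = 2015

# Constructed alternative prefix that skips a 'Mon DD HH:MM:SS host ' relay header.
SKIP_RELAY_PREFIX = r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ "


def extract_time(event, prefix=TIME_PREFIX, fmt=TIME_FORMAT,
                 lookahead=MAX_TIMESTAMP_LOOKAHEAD, year=ASSUMED_YEAR):
    """Approximate the lookup: locate the prefix, then parse the longest
    leading substring of the following `lookahead` characters that matches
    `fmt`. Returns None when nothing in the window parses."""
    m = re.search(prefix, event)
    if m is None:
        return None
    window = event[m.end():m.end() + lookahead]
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt).replace(year=year)
        except ValueError:
            continue
    return None


def all_timestamps(event, fmt=TIME_FORMAT, year=ASSUMED_YEAR):
    """Every 'Mon DD HH:MM:SS' stamp in the event, in order of appearance."""
    return [datetime.strptime(s, fmt).replace(year=year)
            for s in re.findall(r"\b[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d", event)]


def relay_delay(event):
    """Seconds between the first and last stamp in the event (0 if only one)."""
    stamps = all_timestamps(event)
    return (stamps[0] - stamps[-1]).total_seconds() if len(stamps) > 1 else 0.0


if __name__ == "__main__":
    for label, line in (("relayed", RELAYED), ("direct", DIRECT)):
        print(label, "prefix ^      :", extract_time(line))
        print(label, "skip relay    :", extract_time(line, prefix=SKIP_RELAY_PREFIX))
        print(label, "relay delay s :", relay_delay(line))
```

With TIME_PREFIX = ^ the relay's receive time becomes _time and the ACS's own time, 8 seconds earlier in the quoted line, is ignored. A prefix that skips the relay header picks up the ACS time instead but finds nothing on lines that arrive without one, so a file fed by a syslog relay and a direct UDP input want different timestamp settings rather than one shared stanza.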

Re: Why am I not getting the cisco:acs sourcetype after installing Add-on for Cisco ACS 5.x?

Path Finder

I can't say that I'm familiar with how file scraping operations work in Splunk for this case.

For my current case, I made a new UDP input to take in the logs:

[udp://7227]
connection_host = dns
sourcetype = cisco:acs
no_appending_timestamp = true

(Sorry for the really late reply ... I haven't been doing much Splunking in the last year or three.)
