Hi,
I’m running Splunk 6.2 Enterprise on Windows Server 2012 R2 and am sending syslogs from two Cisco ASA firewalls over the default TCP port 1470. Because I don’t want to use a different port for each device that sends syslogs to Splunk, I have configured the following in order to assign the correct sourcetype and index:
Props.conf

[host::192.168.5.2]
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa

[host::192.168.6.2]
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa

Transforms.conf

[set_index_firewall_cisco_asa]
DEST_KEY = _MetaData:Index
FORMAT = firewall_cisco
REGEX = .

[set_sourcetype_firewall_cisco_asa]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:asa
REGEX = .
The firewall logs are searchable from within Splunk using an index="firewall_cisco" search, but here’s the problem:
I have installed the ‘Cisco Security Suite’ app and the ‘Splunk Add-on for Cisco ASA’, but nothing is showing up on the Cisco Security Suite Overview dashboard - and I'd like it to.
Could someone a) confirm that my config makes sense and b) give me a clue as to why the Cisco dashboard isn’t picking up on the collected logs?
Thanks,
Most likely your firewall_cisco index is not a default searchable index. The Cisco Security Suite will look for the cisco:asa sourcetype only in indexes that are searchable by default depending on your role. Here's how to check:
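The check the answer refers to lives in Splunk Web under Settings > Access controls > Roles, where each role lists the indexes it searches by default, or in authorize.conf, where the same two settings appear as srchIndexesAllowed (what the role may search at all) and srchIndexesDefault (what a search with no index= term consults). App dashboards such as the Cisco Security Suite search by sourcetype without naming an index, so only the second set matters for them. The following script is an added illustration, not part of this thread and not Splunk code: it parses a constructed authorize.conf fragment, resolves importRoles inheritance the way Splunk unions it, and reports for a role whether an index is searchable explicitly and whether it is searched by default. The role and index names in the fragment are constructed for the example.

```python
"""Model of Splunk's 'indexes searched by default' role check.

Added example for this thread, not Splunk code. It parses a constructed
authorize.conf-style fragment and answers two questions for a role:
can it search an index at all (srchIndexesAllowed), and does a search that
names no index hit it (srchIndexesDefault)? Dashboards that search by
sourcetype without an index= term only see the second set. Patterns from
imported roles (importRoles) are unioned, matching Splunk's behaviour.
"""
import configparser
import fnmatch

# Constructed authorize.conf fragment: the situation the answer describes.
# firewall_cisco is allowed (matched by '*') but is not in the default set,
# so index="firewall_cisco" works while a dashboard panel sees nothing.
AUTHORIZE_CONF_BEFORE = """
[role_user]
srchIndexesAllowed = *;_*
srchIndexesDefault = main

[role_power]
importRoles = user
srchIndexesDefault = summary
"""

# Corrected fragment: firewall_cisco added to the defaults of the 'user' role.
AUTHORIZE_CONF_AFTER = """
[role_user]
srchIndexesAllowed = *;_*
srchIndexesDefault = main;firewall_cisco
"""


def _split(value):
    """authorize.conf lists are semicolon separated."""
    return [v.strip() for v in value.split(";") if v.strip()]


def parse_roles(text):
    """Return {role: {'import': [...], 'allowed': [...], 'default': [...]}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        entry = cp[section]  # option names are case-insensitive here
        roles[section[len("role_"):]] = {
            "import": _split(entry.get("importRoles", "")),
            "allowed": _split(entry.get("srchIndexesAllowed", "")),
            "default": _split(entry.get("srchIndexesDefault", "")),
        }
    return roles


def effective_patterns(roles, role, key, _seen=None):
    """Union a role's own patterns with those of every imported role."""
    if _seen is None:
        _seen = set()
    if role in _seen or role not in roles:
        return []
    _seen.add(role)
    patterns = list(roles[role][key])
    for parent in roles[role]["import"]:
        patterns.extend(effective_patterns(roles, parent, key, _seen))
    return patterns


def index_matches(patterns, index):
    """Splunk wildcard semantics: '*' never matches internal (_-prefixed)
    indexes, which is why roles list '_*' separately."""
    for pattern in patterns:
        if index.startswith("_") and not pattern.startswith("_"):
            continue
        if fnmatch.fnmatchcase(index, pattern):
            return True
    return False


def can_search(roles, role, index):
    """Would an explicit index=<index> search work for this role?"""
    return index_matches(effective_patterns(roles, role, "allowed"), index)


def searched_by_default(roles, role, index):
    """Would a search with no index= term (a dashboard panel) include it?"""
    return can_search(roles, role, index) and index_matches(
        effective_patterns(roles, role, "default"), index)


if __name__ == "__main__":
    for label, conf in (("before", AUTHORIZE_CONF_BEFORE), ("after", AUTHORIZE_CONF_AFTER)):
        roles = parse_roles(conf)
        print(label, "can_search:", can_search(roles, "user", "firewall_cisco"),
              "searched_by_default:", searched_by_default(roles, "user", "firewall_cisco"))
```

Run against the "before" fragment the script reports that the user role can search firewall_cisco explicitly but does not search it by default, which is exactly the symptom in the question; the "after" fragment reports both as true. The same fix is what editing the role in Splunk Web does.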
Perfect!
I added it to the 'User' role and all the pretty pictures on the Cisco dash came to life.
Thank you : )