
Cisco ASA as sourcetype, now syslog as sourcetype

rb51
Explorer

hi all,

totally new to Splunk

We used to get data with sourcetype = cisco:asa, which was easy to configure queries and reports on (as there were loads of fields to choose from).

The type of queries I used to run were like:
sourcetype="cisco:asa" action="blocked"| sort -Count

eventtype="cisco-firewall" message_id=111010 | eval my_time=_time | convert timeformat="%d-%m-%Y %H:%M:%S" ctime(my_time) |table my_time,host, msg | rename my_time as "Timestamp" | rename msg as "Syslog Message" | rename host as "Source"

sourcetype="cisco:asa" action="blocked" | stats count as Count by dest_port | rename dest_port as "Destination Port" | sort -Count

Now all the ASA data are coming in on sourcetype = syslog, and therefore I cannot find a way to query and create reports (just 4 or 5 fields available).

Can anyone help?


adauria_splunk
Splunk Employee

If it's only cisco:asa coming in on UDP 514, simply change the line in the inputs.conf to sourcetype=cisco:asa.

The better way to do this, however, is to run a syslog server separate from Splunk (e.g. rsyslog or syslog-ng). Configure this server to receive all the syslog and write it out to local disk. When it writes it, it should use the IP or DNS name of the sending device as the directory name to which it writes the events. Then you can use a Splunk monitor (file) input (using a Universal Forwarder if not doing this on the Splunk server) to pick up the file. You can configure the host_segment parameter to pick up the "host" value from the path to the file (e.g. for /var/syslog/host1 and /var/syslog/host2, it would pick up the 3rd segment of the path).

If you have a mixed stream of syslog (i.e. not just ASA), and you can't or won't run a separate syslog collector outside of the Splunk server itself, you would have to accept the data as syslog and then assign sourcetype based on source or other properties with the correct sourcetypes. Take a look here:
http://blogs.splunk.com/2010/02/11/sourcetypes-gone-wild/

Hope this helps!
-Andrew

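The three placements Andrew describes (ASA-only UDP input, monitor input with host_segment, and re-sourcetyping a mixed syslog stream), written out as an added example that is not from the original thread or from the Cisco add-on. The file locations, the /var/syslog monitor pattern and the transform name are assumptions; rb51's [udp://514] stanza is the only part taken from the thread.

```ini
# ---- $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/local/inputs.conf
# Case 1: only the ASA sends to UDP 514. This is rb51's stanza with the
# sourcetype set so the add-on's cisco:asa field extractions apply again.
[udp://514]
connection_host = ip
index = main
sourcetype = cisco:asa

# Case 2: an external rsyslog/syslog-ng writes each sender to its own
# directory, e.g. /var/syslog/<sender>/messages.log, and Splunk (or a
# Universal Forwarder) monitors the tree. host_segment = 3 takes the third
# path segment (var=1, syslog=2, <sender>=3) as the event host.
[monitor:///var/syslog/*/*.log]
index = main
sourcetype = syslog
host_segment = 3

# ---- props.conf (same local directory, on the indexer or heavy forwarder
# that parses the data; a Universal Forwarder does not run transforms)
# Case 3: several device types share one syslog feed. Events are accepted
# as syslog and re-sourcetyped by content at index time.
[syslog]
TRANSFORMS-sourcetype_cisco_asa = set_sourcetype_cisco_asa

# ---- transforms.conf (same local directory)
# Match the %ASA-<severity>-<message id> tag that every ASA syslog event
# carries (e.g. %ASA-6-302013) and rewrite the sourcetype. Events without
# the tag keep sourcetype = syslog.
[set_sourcetype_cisco_asa]
REGEX = %ASA-\d-\d{6}
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:asa
```

Sourcetype is fixed at index time, so after the change only newly indexed events carry cisco:asa; a restart of Splunk (or the forwarder) is needed for the new inputs.conf to take effect.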

swasserroth
Path Finder

Could you check if you have installed the app "SA-cisco-asa"? If yes, then try to disable it, IF your version of the Cisco Security Suite is 3.1.0 (the newest one). I suspect some interference between the older SA and the newer version of the Security Suite...

Regards,
Stephan


swasserroth
Path Finder

Maybe you should check your installed applications: the Cisco Security Suite seems to have changed a bit, de-activate SA-cisco-ASA (if installed) and install Splunk Add-on for Cisco ASA (Splunk_TA_cisco-asa). That may fix the sourcetype problems...
Regards,
Stephan


adauria_splunk
Splunk Employee

I'll just add that none of what I said explains WHY this sourcetype changed on you. It's possible you installed another app that did this, or perhaps another user made some change to the input... Sourcetypes don't generally change on their own for a given input, so there is SOME explanation, but I don't know what it is or how to figure out the mystery unless you've got file integrity monitoring on the system or something.


rb51
Explorer

In \Splunk\etc\apps\Splunk_CiscoSecuritySuite\local the inputs.conf file is:

[udp://514]
connection_host = ip
index = main
sourcetype = syslog

The truth is that we have not made any changes.


adauria_splunk
Splunk Employee

Generally sourcetype is assigned at index time and defined in your input. You can look at the input under Settings - Inputs or in whichever inputs.conf file defines this input. Sourcetype will be an option in the GUI or a parameter in the conf file.
