Hi All,
The Splunk for Cisco Firewalls app doesn't seem to extract fields from all the different Cisco FWSM syslog types (e.g. %FWSM-4-106100). Searching the knowledge base I found the Cisco ASA/FWSM Field extractions app made by user dps. I can see its props.conf file has the right extractions. I'm trying to get these extractions into the Splunk for Cisco Firewalls app, as I don't want to rename my sourcetype again. Does anyone have an idea whether this will work, and what the right way to establish this would be?
Thanks in advance!
/daniel
I guess it should work via aliasing. Below are the notes from the Cisco Splunk SIEM doc:
The Cisco App add-on will rename the sourcetype of your firewall events to cisco_firewall. If you have previously added Cisco Firewall data as a data source and would like to preserve the current sourcetype for reporting purposes, you can create an alias in the local directory of this app.
To create a sourcetype alias, add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/cisco_firewall_addon/local):

    [cisco_firewall]
    rename = your_current_firewall_sourcetype
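As an added example (not from the question or the answer above, and not code shipped with either Splunk app): a small Python check you can run before pasting a %FWSM-4-106100 extraction into props.conf. The regex is my own, written from the documented 106100 message layout (access-list <acl> permitted|denied|est-allowed <proto> <if>/<src>(<port>) -> <if>/<dst>(<port>) hit-cnt <n> ...), the sample events are constructed, and the alias target name cisco_fwsm is a placeholder for whatever your current sourcetype is. Named groups use the (?P<name>...) form, which both Python's re module and Splunk's PCRE engine accept, so the same string can be copied into an EXTRACT- setting unchanged.

```python
"""Validate a Cisco FWSM/ASA 106100 field extraction before it goes into props.conf.

Added example, not from the original Splunk Answers thread or from either app.
Assumptions: the regex below is mine (based on the documented 106100 format),
the sample events are constructed, and "cisco_fwsm" is a placeholder alias name.
"""
import re

# Same string works as a Splunk EXTRACT- value: (?P<name>...) is valid PCRE too.
FWSM_106100_REGEX = (
    r"%(?P<vendor_product>FWSM|ASA|PIX)-(?P<severity>\d)-(?P<message_id>106100):\s+"
    r"access-list\s+(?P<acl_name>\S+)\s+(?P<action>permitted|denied|est-allowed)\s+"
    r"(?P<protocol>\S+)\s+"
    r"(?P<src_interface>[^/\s]+)/(?P<src_ip>[^\s(]+)\((?P<src_port>\d+)\)\s+->\s+"
    r"(?P<dest_interface>[^/\s]+)/(?P<dest_ip>[^\s(]+)\((?P<dest_port>\d+)\)\s+"
    r"hit-cnt\s+(?P<hit_count>\d+)"
)
FWSM_106100 = re.compile(FWSM_106100_REGEX)

# Constructed sample events (not real firewall logs). The third one is a
# different message ID, to confirm the extraction does not misfire on it.
SAMPLE_EVENTS = [
    "Jan 10 10:00:01 fwsm01 %FWSM-4-106100: access-list outside_in denied tcp "
    "outside/203.0.113.5(44321) -> inside/10.0.0.7(22) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "Jan 10 10:00:02 fwsm01 %FWSM-4-106100: access-list inside_out permitted udp "
    "inside/10.0.0.9(53211) -> outside/198.51.100.2(53) hit-cnt 37 300-second interval [0x5e6f7a8b, 0x0]",
    "Jan 10 10:00:03 fwsm01 %FWSM-6-302013: Built outbound TCP connection 12345 for "
    "outside:198.51.100.2/443 (198.51.100.2/443) to inside:10.0.0.9/51000 (10.0.0.9/51000)",
]


def extract_106100(event: str):
    """Return the extracted fields as a dict, or None if this is not a 106100 event."""
    m = FWSM_106100.search(event)
    return m.groupdict() if m else None


def props_conf_text(alias_target: str, addon_sourcetype: str = "cisco_firewall") -> str:
    """Render the props.conf text for the alias quoted in the answer plus the extraction.

    The rename stanza mirrors the quoted doc. The EXTRACT- line is placed under the
    alias target rather than under cisco_firewall, because (per props.conf.spec, as I
    read it) a renamed sourcetype only uses the target sourcetype's search-time
    configuration and EXTRACT settings on the original stanza are ignored.
    """
    return (
        f"[{addon_sourcetype}]\n"
        f"rename = {alias_target}\n"
        "\n"
        f"[{alias_target}]\n"
        f"EXTRACT-fwsm_106100 = {FWSM_106100_REGEX}\n"
    )


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_106100(ev))
    print(props_conf_text("cisco_fwsm"))
```

If the three sample events parse the way you expect here, drop the rendered text into $SPLUNK_HOME/etc/apps/cisco_firewall_addon/local/props.conf, restart or refresh search-time config, and confirm with a search like sourcetype=<your alias> message_id=106100 | table action src_ip dest_ip dest_port hit_count.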