I am a newbie with Splunk and I have an issue with the Cisco Firewalls.
I use the syslog feature with splunk for my Cisco firewall.
I did this:
- install splunk 4.2.1 on Ubuntu 64bit LTS 10.04
- from "Manager ==> Apps", I added app "Cisco Firewall" (version 1.0.1) and during installation,
I created a SYSLOG DATA SOURCE on UDP 514. By default, no "sourcetype" was defined on the data source.
When I checked all source types, I didn't see "eventtype=cisco_firewall"; is it normal?
All searches and reports from Cisco Firewall use "eventtype=cisco_firewall".
How can I configure Splunk to automatically integrate the Cisco data with event types equal to Cisco Firewall?
I tried to apply the following procedure but without any success.

Can you please help me? Now, I can't use any search or report from the Cisco Firewall.


Splunk Employee
In the inputs.conf file where you specify the UDP 514 input, you can set sourcetype explicitly with

sourcetype = cisco_firewall

This is presuming no other sourcetype will ever report on this port.

What is the sourcetype you see reporting now via the search summary page for these events?
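As an added illustration (not part of the original answer), this is what the inputs.conf stanza for the UDP 514 input looks like with the sourcetype set explicitly. The eventtypes.conf stanza below it is an assumed example of how an event type such as cisco_firewall is tied to a sourcetype, not the Cisco Firewall app's own definition:

```ini
# inputs.conf, e.g. in $SPLUNK_HOME/etc/system/local/ or the app's local/ directory.
# Every event received on UDP 514 is tagged with this sourcetype at index time.
[udp://514]
sourcetype = cisco_firewall
# Record the sending firewall's IP address as the host field.
connection_host = ip

# eventtypes.conf (assumed illustration only). An event type is a saved search,
# so eventtype=cisco_firewall only matches events whose sourcetype its search names.
[cisco_firewall]
search = sourcetype=cisco_firewall
```

Sourcetype is assigned at index time, so only events that arrive after the change and a Splunk restart carry it; events indexed earlier keep whatever sourcetype they were given. Confirm with a search like `sourcetype=cisco_firewall` over the last few minutes before expecting the app's reports to populate.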

