I 'am a newbie with splunk and i have an issue with the Cisco Firewalls.
I use the syslog feature with splunk for my Cisco firewall.
I did this:
- install splunk 4.2.1 on Ubuntu 64bit LTS 10.04
- from "Manager ==> Apps", i added app "Cisco Firewall" (version 1.0.1) and during installation,
i created a SYSLOG DATA SOURCE on UDP 514. By default, no "sourcetype" was defined on the data source.
When i checked all source types, i didn't see "eventtype=cisco_firewall", is it normal?
All searches and reports from Cisco Firewall use "eventtype=cisco_firewall".
How can I configure SPLUNK to automatically integrate the Cisco datas with event types equal to Cisco Firewall?
I tried to apply the following procedure http://www.splunk.com/wiki/Set_up_Splunk_for_Cisco_Firewalls but without any success.
Can you please help me? Now, i can't use any search or report from the Cisco Firewall.