We are currently monitoring a few firewalls and picking up the data from syslog (514).
I used to have this search running beautifully:
sourcetype="cisco:asa" action="blocked" | stats count as Count by src_ip | rename src_ip as "Source IP" | rename dest_ip as "Destination IP" | sort -Count
However, now everything seems to be coming in with sourcetype syslog.
My questions are:
1) Why has this (sourcetype="cisco:asa") stopped working?
2) How do I segregate the data coming from syslog by IP address (firewall) and filter the events I want (e.g. 106023)?
Any comments are appreciated.
Not sure about your first question, but if you can't get your sourcetype working, could you use the
host field to identify which firewall/IP is forwarding the events? And then filter out events as per http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad
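To make the host-field suggestion concrete, here is an added example (not code from the original thread or from Splunk) that does outside Splunk what a search like host=<firewall IP> "%ASA-4-106023" | stats count by src_ip does inside it: it reads raw syslog lines, takes the sending host from the syslog header, pulls the ASA message ID out of the %ASA-<severity>-<id> token, and counts 106023 (deny by access-group) events per firewall and per source IP. The sample lines are constructed and only loosely modelled on ASA syslog; the header layout your firewalls emit may differ (the EMBLEM change mentioned in the question is exactly that kind of difference), so treat the regexes as a starting point to adjust against your own events. In Splunk itself the same segregation is done with the host field and, for the sourcetype override, a [host::...] or [source::...] stanza in props.conf as described in the linked doc.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not captured from the poster's firewalls).
# Two ASA firewalls send from 10.0.0.1 and 10.0.0.2; the last line is an
# unrelated sshd message from a third host and must be ignored.
SAMPLE_SYSLOG = [
    '<166>Jan 19 2015 10:00:01 10.0.0.1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/443 dst inside:10.1.1.20/55123 by access-group "outside_in" [0x0, 0x0]',
    '<166>Jan 19 2015 10:00:02 10.0.0.1 %ASA-4-106023: Deny udp src outside:203.0.113.5/53 dst inside:10.1.1.21/5353 by access-group "outside_in" [0x0, 0x0]',
    '<166>Jan 19 2015 10:00:03 10.0.0.2 %ASA-4-106023: Deny tcp src outside:198.51.100.9/22 dst inside:10.2.2.5/22 by access-group "outside_in" [0x0, 0x0]',
    '<166>Jan 19 2015 10:00:04 10.0.0.1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/40000 (203.0.113.7/40000) to inside:10.1.1.30/80 (10.1.1.30/80)',
    '<38>Jan 19 10:00:05 10.0.0.3 sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2',
]

# Syslog header: <PRI>Mon DD [YYYY] HH:MM:SS <host> ... ; the year is optional
# because plain BSD syslog omits it while ASA commonly includes it.
HOST_RE = re.compile(
    r"^<\d+>[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{4}\s+)?\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)\s"
)
# ASA message token: %ASA-<severity>-<6-digit message id>: <body>
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)")
# Deny body: "src <iface>:<ip>[/port] dst <iface>:<ip>[/port]"; the port is
# optional so ICMP denies (which carry none) are still parsed.
DENY_RE = re.compile(
    r"src \S+?:(?P<src_ip>[\d.]+)(?:/\d+)? dst \S+?:(?P<dest_ip>[\d.]+)(?:/\d+)?"
)


def parse_asa_event(line):
    """Return host, severity, msgid, src_ip, dest_ip for an ASA line, else None."""
    hm = HOST_RE.match(line)
    am = ASA_RE.search(line)
    if not hm or not am:
        return None  # not an ASA event, or header shape we do not understand
    ev = {
        "host": hm.group("host"),
        "severity": int(am.group("sev")),
        "msgid": am.group("msgid"),
        "src_ip": None,
        "dest_ip": None,
    }
    dm = DENY_RE.search(am.group("body"))
    if dm:
        ev["src_ip"] = dm.group("src_ip")
        ev["dest_ip"] = dm.group("dest_ip")
    return ev


def denies_by_firewall(lines, msgid="106023"):
    """Per sending host, count matching events by source IP.

    Mirrors: host=<fw> "%ASA-4-106023" | stats count by src_ip, run once per firewall.
    """
    result = defaultdict(Counter)
    for line in lines:
        ev = parse_asa_event(line)
        if ev and ev["msgid"] == msgid and ev["src_ip"]:
            result[ev["host"]][ev["src_ip"]] += 1
    return {host: dict(counts) for host, counts in result.items()}


if __name__ == "__main__":
    for host, counts in sorted(denies_by_firewall(SAMPLE_SYSLOG).items()):
        print(f"firewall {host}")
        for src_ip, count in counts.most_common() if isinstance(counts, Counter) else sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"  {src_ip:<16} {count}")
```

Lines whose header does not match HOST_RE are dropped rather than misattributed, which is the safe failure for a per-firewall report; if your EMBLEM-formatted events all fall into that bucket, that is the first regex to adapt.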
sourcetype="cisco:asa" action=Accessed | stats count as Count by srcip | dedup srcip | rename srcip as "Source IP" | rename destip as "Destination IP" | sort -Count
Try this query.
The issue is that sourcetype="cisco:asa" was working fine until 19 Jan. Then my colleague ran the following on the firewall:
User 'enable_15', running 'CLI' from IP <> executed 'logging host inside <> format emblem'
From then on the sourcetype became "syslog".