Splunk is Classifying ASA Logs as a Sourcetype of access_combined instead of Cisco sourcetype

juanlazarosanch
New Member

I'm new to our environment here. Splunk is logging events from our Cisco ASA as a sourcetype of access_combined (see image). Is there a way to easily change that back to the original pre-trained sourcetype of Cisco?


mattymo
Splunk Employee

Hi Juan!

I would start by checking the udp input in inputs.conf to ensure the sourcetype wasn't explicitly set.

I'm not sure the access combined regex in props would ever mistake the ASA syslog...

If the sourcetype is not set on the inputs, then move to reviewing your props to see if you can identify what is causing Splunk to categorize these messages.

As for getting it back to Cisco, do you have any of the Cisco TAs installed? There is a TA for ASA that should help you properly identify these logs...

- MattyMo

juanlazarosanch
New Member

I found this in /opt/splunk/etc/apps/search/local/inputs.conf

[udp://514]
connection_host = dns
sourcetype = access_combined
index = network

I'm guessing since the firewalls are not explicitly defined, it is picking up the input as the specified sourcetype of access_combined.


mattymo
Splunk Employee

Hey Juan, that is definitely it.

That setting explicitly sets all your logs received on that input to access_combined regardless of what they actually are.

I would double check whether your environment was set up so you would only receive weblogs on this port before changing it, but generally if you receive multiple log types on that port, you can remove the sourcetype and rely on your props.conf on the indexers to identify the sourcetype.

I would recommend you download the ASA app from Splunkbase and take a look at the props/transforms to see how you can dynamically sourcetype based on message.

https://splunkbase.splunk.com/app/1620/

- MattyMo
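Putting the advice above into configuration, as an added example that is not the answerer's own settings or the add-on's files: the hard-coded `sourcetype` is dropped from the UDP input so events arrive as plain `syslog`, and a props/transforms pair on the indexers (or a heavy forwarder, since this runs in the parsing phase and not on a universal forwarder) reassigns ASA messages by matching the `%ASA-` message header. The transform name, the regex and the `cisco:asa` sourcetype name (the one the Cisco ASA add-on expects) are assumptions for illustration.

```ini
# inputs.conf (on the host receiving syslog)
# The old stanza forced every event on this port to access_combined.
# Without a sourcetype line, Splunk treats the UDP input as syslog and
# later props/transforms rules can still re-sourcetype per message.
[udp://514]
connection_host = dns
index = network

# props.conf (indexers / heavy forwarders, where parsing happens)
# Apply the transform below to everything that arrived as syslog.
[syslog]
TRANSFORMS-set_asa_sourcetype = set_asa_sourcetype

# transforms.conf (same tier as props.conf)
# Assumed rule: an ASA message starts with a header such as
# "%ASA-6-302013:"; events matching it are re-sourcetyped to cisco:asa
# while anything else on the port keeps the syslog sourcetype.
[set_asa_sourcetype]
REGEX = %ASA-\d-\d{6}:
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype
```

After deploying, `splunk btool inputs list udp://514 --debug` shows which file is still supplying a `sourcetype` for the input, which is the quickest check that the override really went away.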