Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Are there additional considerations for onboarding Cisco ASA data into Splunk?

Svill321
Path Finder
‎06-09-2017 08:29 AM

I apologize in advance if this is an extremely basic question, but I need to be sure I do this correctly.

I'm researching how to onboard Cisco ASA data into Splunk for my internship. I'm reading through the documentation here on how to get the data into Splunk, but I'm curious. Are there any additional considerations I should take when getting ASA into Splunk, or is the process the same as with any other device?

Here is the document I'm reading:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/WhatSplunkcanmonitor

If there is other documentation you think I should read, please let me know.

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎06-09-2017 10:27 AM

Yes, it's probably all you need. But no, you might need (or at least want) just a bit more. Oh, don't you love these "Maybe, Maybe Not?" answers?

If you want to get ASA data into Splunk then you likely need go no further than the above mentioned docs. You might have to do a little searching for specific issues (if any come across), but those will likely be all you need.

If you are truly trying to understand the data, you'll want to refer to Cisco's documentation on their various event ids. This Cisco Syslog Message guide could be useful or maybe this PDF version of same. If those aren't right, use your favorite search engine and search for "Cisco syslog events".

You don't have to memorize them or anything. Many or even most events are pretty straightforward. But occasionally you may want to look up the difference between two events, both with nearly the same data (or what appears to be the same data in different format), to see exactly what difference there is between them - might be a good opportunity to not send one of them in and save license. Or sometimes there's just an extra piece in the data you don't know what it is, so looking it up can be good.

Happy Splunking!
-Rich

View solution in original post

Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎06-09-2017 10:27 AM

Yes, it's probably all you need. But no, you might need (or at least want) just a bit more. Oh, don't you love these "Maybe, Maybe Not?" answers?

If you want to get ASA data into Splunk then you likely need go no further than the above mentioned docs. You might have to do a little searching for specific issues (if any come across), but those will likely be all you need.

If you are truly trying to understand the data, you'll want to refer to Cisco's documentation on their various event ids. This Cisco Syslog Message guide could be useful or maybe this PDF version of same. If those aren't right, use your favorite search engine and search for "Cisco syslog events".

You don't have to memorize them or anything. Many or even most events are pretty straightforward. But occasionally you may want to look up the difference between two events, both with nearly the same data (or what appears to be the same data in different format), to see exactly what difference there is between them - might be a good opportunity to not send one of them in and save license. Or sometimes there's just an extra piece in the data you don't know what it is, so looking it up can be good.

Happy Splunking!
-Rich

Reply
Solved! Jump to solution

Svill321
Path Finder
‎06-14-2017 12:11 PM

Thank you very much! Sorry for taking so long to accept this.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...