I'm looking for some advice.
We currently have multiple ASAs which are sending logs to rsyslog. The logs are stored in folders based on the hostname. I currently have the universal forwarder monitoring the parent folder.
When it comes to using Splunk add-ons such as "Firegen Log Analyzer for Cisco ASA", it asks me to specify an index.
Do I need to compile all the logs from the ASAs into a single directory and then create an index for it?
Both rsyslog and Splunk are on Linux (Ubuntu) hosts.
Any help would be appreciated.
Usually this means that you haven't defined a sourcetype in inputs.conf and there were too few lines for Splunk to recognize it automatically. See https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Small_file_settings
Typically you split data to multiple indexes if:
1) You need different retention periods for your data
2) You need different permissions
There might be some other factors like "don't mix frequent data with rare one for performance reasons" but it's for more advanced setups.
So in general you should have as few indexes as possible and distinguish different sets of data by source/sourcetype/host fields.
So I've got a universal forwarder that monitors a directory; inside this directory each host that's sending syslogs has its own directory. For example:
- Parent Directory
All of this is going to the main index in Splunk.
This particular add-on I'm using is asking me to specify the index. It has a prefilled example of index="cisco_asa". When I input "main", it doesn't like it.
What am I missing here?
I don't know that add-on so I can't help you much with its workings, but as a general note - it's good _not_ to use the main index. Just let it be there and sit, possibly as a last resort for all the stray events you forgot to route elsewhere, but have the events consciously put into destination index(es).
BTW, there are some apps which are written relatively well and some that are written a bit worse. Properly written apps should be easily configurable, possibly by setting one or two macros or defining a tag or eventtype. With poorly written apps there are some hardcoded things (like source index names for searches) and you sometimes need much work to customize them to your data layout. I'm not sure which one is your case.
I'm going to assume you're talking about this TA here: https://splunkbase.splunk.com/app/3800/
I haven't used the TA yet, but it is asking you to specify an index so it can configure the macro below to point at the index where you are storing the firewall logs. So all you need to do is provide the index name - I'm assuming you're using the TA on a search head. The dashboards in this TA need to know where you are storing the data for them to work properly.
definition = index="cisco_asa"
iseval = 0
What Splunk version are you running? The TA you're referencing only supports Splunk v7.0 - v7.2 by the way.
You can also try adding in a "local/macros.conf" into the base TA with the following to see if that works:
definition = index="main"
iseval = 0
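An added example, not posted by anyone in this thread, that puts the advice above together: an explicit sourcetype and a dedicated index set in the forwarder's inputs.conf for the one-subdirectory-per-ASA-hostname layout, the matching index stanza on the indexer, and the app-side macros.conf override. The paths, the cisco:asa sourcetype and the macro stanza name are assumptions to adjust to your setup.

```ini
# Added example, not from the thread. Paths, sourcetype and macro name are assumed.

# --- universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf
# (or a deployment app's local/inputs.conf)
[monitor:///var/log/rsyslog/asa]
# Recurse into the per-host subdirectories; skip rotated archives.
recursive = true
blacklist = \.(gz|bz2|zip)$
# Path segment carrying the ASA hostname: /var/log/rsyslog/asa/<host>/<file>
# 1 = var, 2 = log, 3 = rsyslog, 4 = asa, 5 = <host>
host_segment = 5
# Set the sourcetype explicitly so Splunk never has to guess it from a few lines.
# cisco:asa is what the Splunk Add-on for Cisco ASA expects; confirm what the
# Firegen app expects before relying on it (assumption).
sourcetype = cisco:asa
# Dedicated index instead of main, so the app's index macro has a target.
index = cisco_asa
disabled = false

# --- indexer: $SPLUNK_HOME/etc/system/local/indexes.conf
# The index must exist before the forwarder sends to it; by default events
# addressed to a non-existent index are dropped with an error in splunkd.log.
[cisco_asa]
homePath   = $SPLUNK_DB/cisco_asa/db
coldPath   = $SPLUNK_DB/cisco_asa/colddb
thawedPath = $SPLUNK_DB/cisco_asa/thaweddb
# Retention is per index, which is the usual reason to split: 90 days here.
frozenTimePeriodInSecs = 7776000

# --- search head: the app's local/macros.conf override
# Copy the stanza name from the app's default/macros.conf (not shown in the thread).
[<index macro stanza name from default/macros.conf>]
definition = index="cisco_asa"
iseval = 0
```

After restarting the forwarder, `index=cisco_asa | stats count by host, sourcetype` on the search head confirms the host names come from the directory segment and the sourcetype is the one you set rather than an auto-generated one.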