Changing sourcetype for FWSM

Explorer

Hi, I just installed cisco_firewall_addon for version 4.1 of Splunk and I am having some issues. I have an ASA and a FWSM that I want to be recognized as a cisco_firewall sourcetype. The ASA is correctly recognized, but the FWSM is still categorized as cisco_syslog. I already went into the cisco_firewall_addon app config and changed it from %ASA OR %PIX to %ASA OR %PIX OR %FWSM and restarted, but that didn't resolve the issue. How do I change the FWSM to be recognized as cisco_firewall?

Contributor

@pillowhead - since @Will Hayes's answer below answered your question, you should click the checkmark next to his answer so he'll get the reputation points for a good answer (and you'll get 2 points for your trouble). Thanks!

Splunk Employee

Hello, we are in the process of updating the Cisco Firewall Add-on to support FWSM, but for now there are a couple of steps you can take manually, and this should get things working for you.

In the local directory of the app, you need to create transforms.conf, props.conf and eventtypes.conf files if you have not done so already.

In transforms add the following stanza:

[cisco_fwsm]
DEST_KEY = MetaData:Sourcetype
REGEX = (%FWSM)
FORMAT = sourcetype::cisco_firewall

In props.conf add the following to the top of the file:

TRANSFORMS-pix=cisco_fwsm

In eventtypes.conf add the following stanza:

[cisco_firewall]
search = %ASA OR %PIX OR %FWSM
tags = cisco firewall

This should be all you need to get the add-on working correctly with your firewall. Please let us know how it works out for you.
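
An offline check of the transforms.conf stanza above, added here as an example (it is not part of the original answer or of the add-on). It models only the cisco_fwsm stanza, so the ASA line stays unchanged here; the sample syslog lines, the function names and the starting sourcetype cisco_syslog are assumptions made for the illustration.

```python
import configparser
import re

# transforms.conf stanza exactly as given in the answer above.
TRANSFORMS_CONF = """\
[cisco_fwsm]
DEST_KEY = MetaData:Sourcetype
REGEX = (%FWSM)
FORMAT = sourcetype::cisco_firewall
"""

# Constructed sample syslog lines (not taken from a real device).
SAMPLE_EVENTS = [
    "Mar  3 10:15:02 10.0.0.5 %FWSM-6-302013: Built outbound TCP connection 1001 for outside:192.0.2.10/443",
    "Mar  3 10:15:03 10.0.0.1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/51515 dst inside:10.0.0.20/22",
    "Mar  3 10:15:04 10.0.0.9 %SYS-5-CONFIG_I: Configured from console by admin",
    "Mar  3 10:15:05 10.0.0.9 %SYS-5-RESTART: reload requested after FWSM module swap",
]


def load_stanza(conf_text, name):
    """Parse a .conf stanza; '=' is the only delimiter and '%' is literal."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep the upper-case keys as written
    parser.read_string(conf_text)
    return dict(parser[name])


def rewrite_sourcetype(raw, current, transform):
    """Return the sourcetype after applying a MetaData:Sourcetype transform."""
    if transform.get("DEST_KEY") != "MetaData:Sourcetype":
        return current
    # Assumption: the regex is searched unanchored and case-sensitively in the raw event.
    if not re.search(transform["REGEX"], raw):
        return current
    prefix = "sourcetype::"
    fmt = transform["FORMAT"]
    return fmt[len(prefix):] if fmt.startswith(prefix) else current


def classify(events, initial="cisco_syslog"):
    """Apply the cisco_fwsm transform to each event and return the sourcetypes."""
    transform = load_stanza(TRANSFORMS_CONF, "cisco_fwsm")
    return [rewrite_sourcetype(e, initial, transform) for e in events]


if __name__ == "__main__":
    for event, st in zip(SAMPLE_EVENTS, classify(SAMPLE_EVENTS)):
        print(f"{st:15} {event}")
```

Only the line carrying the literal %FWSM tag is rewritten to cisco_firewall; the event that mentions FWSM without the percent sign keeps its original sourcetype.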

Explorer

That fixed it. Thanks!

Explorer

All data is received on UDP port 514. The file I changed in firewall_addon was the configuration option under app management in Splunk.

Splunk Employee

How are you receiving the data? All syslog on the same port? What file did you change in the firewall_addon app?
