
Changing sourcetype for FWSM

Explorer

Hi, I just installed cisco_firewall_addon for version 4.1 of splunk and I am having some issues. I have an ASA and a FWSM that I want to be recognized as a cisco_firewall sourcetype. The ASA is correctly recognized, but the FWSM is still categorized as cisco_syslog. I already went into the cisco_firewall_addon app config and changed it from %ASA OR %PIX to %ASA OR %PIX OR %FWSM and restarted, but that didn't resolve the issue. How do I change the FWSM to be recognized as cisco_firewall?


Re: Changing sourcetype for FWSM

Communicator

How are you receiving the data? All syslog on the same port? What file did you change in the firewall_addon app?


Re: Changing sourcetype for FWSM

Explorer

All data is received on UDP port 514. The file I changed in firewall_addon was the configuration option under app management in Splunk.


Re: Changing sourcetype for FWSM

Communicator

Hello, we are in the process of updating the Cisco Firewall Add-on to support FWSM, but for now there are a couple of steps you can take manually that should get things working for you.

In the local directory of the app you need to create a transforms.conf, props.conf and eventtypes.conf file if you have not done so already.

In transforms.conf, add the following stanza:

# Override the sourcetype of any event whose raw text contains %FWSM
[cisco_fwsm]
DEST_KEY = MetaData:Sourcetype
REGEX = (%FWSM)
FORMAT = sourcetype::cisco_firewall

In props.conf, add the following to the top of the file:

# Above any stanza header this setting lands in [default], so the cisco_fwsm
# transform runs against events of every sourcetype the add-on sees
TRANSFORMS-pix=cisco_fwsm

In eventtypes.conf, add the following stanza:

# Extend the add-on's eventtype so FWSM messages are tagged like ASA/PIX ones
[cisco_firewall]
search = %ASA OR %PIX OR %FWSM
tags = cisco firewall

This should be all you need to get the add-on working correctly with your firewall. Please let us know how it works out for you.
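A runnable illustration of what that transforms.conf override does, added here as an example and not code from the thread or from the Cisco Firewall Add-on: it parses the stanza above with Python's configparser, runs it over constructed sample syslog lines, and shows the FWSM line moving from cisco_syslog to cisco_firewall while an IOS line stays where it was. The [cisco_asa_pix] stanza is a hypothetical stand-in for the add-on's existing ASA/PIX rule (its real name is not shown in the thread), and the sample messages are made up.

```python
"""Simulate Splunk's TRANSFORMS-based sourcetype override for Cisco FWSM syslog.

Added example; not code from the thread or from the Cisco Firewall Add-on.
"""
import configparser
import re

# Hypothetical stand-in for the add-on's own ASA/PIX rule (real name unknown).
ADDON_ONLY_CONF = """
[cisco_asa_pix]
DEST_KEY = MetaData:Sourcetype
REGEX = (%ASA|%PIX)
FORMAT = sourcetype::cisco_firewall
"""

# The stanza from the answer, appended as the "after" state.
FWSM_STANZA = """
[cisco_fwsm]
DEST_KEY = MetaData:Sourcetype
REGEX = (%FWSM)
FORMAT = sourcetype::cisco_firewall
"""
TRANSFORMS_CONF = ADDON_ONLY_CONF + FWSM_STANZA

# The eventtypes.conf search from the answer.
EVENTTYPE_SEARCH = "%ASA OR %PIX OR %FWSM"

# Constructed sample syslog lines (not captured from real devices).
SAMPLE_EVENTS = [
    "Jan 12 10:00:01 fwsm01 %FWSM-6-302013: Built inbound TCP connection 12345 "
    "for outside:10.1.1.5/4433 (10.1.1.5/4433) to inside:192.168.1.10/443 (192.168.1.10/443)",
    "Jan 12 10:00:02 asa01 %ASA-6-106015: Deny TCP (no connection) from 10.0.0.9/5555 "
    "to 192.168.1.20/80 flags SYN on interface outside",
    "Jan 12 10:00:03 sw01 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]


def load_transforms(text):
    """Parse transforms.conf text into an ordered list of rule dicts."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep DEST_KEY / REGEX / FORMAT exactly as written
    cp.read_string(text)
    rules = []
    for name in cp.sections():
        sec = cp[name]
        rules.append({
            "name": name,
            "regex": re.compile(sec["REGEX"]),
            "dest_key": sec["DEST_KEY"],
            "format": sec["FORMAT"],
        })
    return rules


def apply_transforms(raw, rules, sourcetype="cisco_syslog"):
    """Return the sourcetype after every matching rule has run over the raw event.

    `sourcetype` is what the input already assigned (cisco_syslog for the UDP 514
    listener in the thread). Rules run in order and a later match overwrites an
    earlier one, which is how Splunk treats transforms writing the same key.
    """
    for rule in rules:
        if rule["dest_key"] != "MetaData:Sourcetype":
            continue
        if rule["regex"].search(raw):
            key, value = rule["format"].split("::", 1)
            if key == "sourcetype":
                sourcetype = value
    return sourcetype


def in_eventtype(raw, search=EVENTTYPE_SEARCH):
    """Approximate the eventtype search: true if any OR'd term occurs in the event."""
    terms = [t.strip() for t in search.split(" OR ")]
    return any(t.lower() in raw.lower() for t in terms)


def classify(events=SAMPLE_EVENTS, conf=TRANSFORMS_CONF):
    """Map each event to (final sourcetype, matches the cisco_firewall eventtype)."""
    rules = load_transforms(conf)
    return [(apply_transforms(e, rules), in_eventtype(e)) for e in events]


if __name__ == "__main__":
    before = load_transforms(ADDON_ONLY_CONF)
    print("FWSM event before fix:", apply_transforms(SAMPLE_EVENTS[0], before))
    for event, (st, evt) in zip(SAMPLE_EVENTS, classify()):
        print(f"{st:15} eventtype={str(evt):5} {event[:55]}")
```

The "before" call shows the symptom from the question: with only the add-on's ASA/PIX rule loaded, the %FWSM message keeps the cisco_syslog sourcetype that the UDP input assigned. The same mechanism explains why editing the eventtype search alone did not help: the eventtype is evaluated at search time over whatever sourcetype the event already has, while the transform rewrites the sourcetype at index time.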

Re: Changing sourcetype for FWSM

Explorer

That fixed it. Thanks!


Re: Changing sourcetype for FWSM

Contributor

@pillowhead - since @Will Hayes's answer below answered your question, you should click the checkmark next to his answer so he'll get the reputation points for a good answer (and you'll get 2 points for your trouble). thanks!
