Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Changing sourcetype for FWSM

pillowhead
Explorer
‎04-09-2010 04:23 PM

Hi, I just installed cisco_firewall_addon for version 4.1 of splunk and I am having some issues. I have an ASA and a FWSM that I want to be recognized as a cisco_firewall sourcetype. The ASA is correctly recognized, but the FWSM is still categorized as cisco_syslog. I already went into the cisco_firewall_addon app config and changed it from %ASA OR %PIX to %ASA OR %PIX OR %FWSM and restarted, but that didn't resolve the issue. How do I change the FWSM to be recognized as cisco_firewall?

Tags (1)
Reply

Justin_Grant
Contributor
‎04-13-2010 08:08 PM

@pillowhead - since @Will Hayes's answer below answered your question, you should click the checkmark next to his answer so he'll get the reputation points for a good answer (and you'll get 2 points for your trouble). thanks!

0 Karma
Reply

Will_Hayes
Splunk Employee
Splunk Employee
‎04-12-2010 02:01 AM

Hello, We are in the process of updating the Cisco Firewall Add-on to support FWSM but for now there are a couple of steps you can take manually and this should get things working for you.

in the local directory of the app you need to create a transforms.conf, props.conf and eventtypes.conf file if you have not done so already.

In transforms add the following stanza:

[cisco_fwsm]
DEST_KEY = MetaData:Sourcetype
REGEX = (%FWSM)
FORMAT = sourcetype::cisco_firewall

in props.conf add the following to the top of the file:

TRANSFORMS-pix=cisco_fwsm

in eventtypes.conf add the following stanza:

[cisco_firewall]
search = %ASA OR %PIX OR %FWSM
tags = cisco firewall

This should be all you need to get the add-on working correctly with your firewall. Please let us know how it works out for you.

Reply

pillowhead
Explorer
‎04-12-2010 07:47 PM

That fixed it. Thanks!

0 Karma
Reply

pillowhead
Explorer
‎04-09-2010 10:54 PM

All data is received on UDP port 514. The file I changed in firewall_addon was the configuration option under app management in Splunk.

0 Karma
Reply

dskillman
Splunk Employee
Splunk Employee
‎04-09-2010 09:25 PM

0

How are you receiving the data? All syslog on the same port? What file did you change in the firewall_addon app?

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...