Getting Data In

Cisco Firewall add-on question

New Member

Hi all

I have installed the Cisco Firewall add-on successfully, but my setup is slighlty different from the expected setup this app uses.

I have syslog-ng collecting my firewall logs and writing it files, i have then created a index to parse a directory where all these logs are stored.

What I would like is how do I get the Cisco Firewall app to use my existing index of data and constantly parse this for new log data ?

Thanks in advance

Tags (1)
0 Karma

Path Finder

Sorry to necro the thread but I had the same problem and fixed it.

I found that there was a part of the ...../etc/apps/Splunk_CiscoFirewalls/default/transforms.conf incorrectly defined...

I commented out the bottom REGEX and uncommented the top one. My messages are of type ASA-[etc] not ASA--[etc]. Maybe this is different across versions of the OS.

DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d+-\d+
#REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa


By default you should not have to do anything.

The cisco firewall add-on is based on the sourcetype which itself is assigned using regex in splunk/etc/apps/Splunk_CiscoFirewalls/default/transforms.conf.

But if you have manually set the sourcetype the easiest would be to rename your existing cisco firewall log sourcetype in Manager >> Fields >> Sourcetype renaming as cisco__firewall.
And for new data just force the sourcetype to cisco_firewall

as per README.txt:

If you have previously indexed Cisco firewall data and would like to preserve the current sourcetype for reporting purposes you can create an alias in the local directory of this app.

To create a sourcetype alias simply add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/cisco_firewall_addon/local😞

rename = your_current_firewall_sourcetype

The field extractions are set to sourcetype=cisco_firewall which is keyed off of %ASA, %PIX and %FWSM. All of the reports use eventtype=cisco_firewall, the default cisco_firewall eventtype looks for %ASA, %PIX or %FWSM in your data.

The real time and overview dashboards as well as the included searches and reports in this add-on rely on the search: eventtype=cisco_firewall in order to report on firewall data.


If you did evertyhing that MarioM suggested and it stil doesn't work, then maybe it is an Access Control issue. Did you make the new index "searched by default" for the role who you are logged in as? If you aren't sure, then click on "Manager | Access Control | Roles | ROLE-You-Are-Logged-In-As" and scrole down to the bottom two sections. 1. Ensure you have access to the new index. 2. Ensure Splunk searches the new index automatically.

0 Karma

New Member


I did this and can see the rename rule, but this does not seem to work at all.

I still cannot see any events when selecting the cisco_firewall app. Have you managed to get this to work as in the docs ?


0 Karma
Get Updates on the Splunk Community!

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...