I have installed the Cisco Firewall add-on successfully, but my setup is slighlty different from the expected setup this app uses.
I have syslog-ng collecting my firewall logs and writing it files, i have then created a index to parse a directory where all these logs are stored.
What I would like is how do I get the Cisco Firewall app to use my existing index of data and constantly parse this for new log data ?
Thanks in advance
Sorry to necro the thread but I had the same problem and fixed it.
I found that there was a part of the ...../etc/apps/Splunk_CiscoFirewalls/default/transforms.conf incorrectly defined...
I commented out the bottom REGEX and uncommented the top one. My messages are of type ASA-[etc] not ASA--[etc]. Maybe this is different across versions of the OS.
[force_sourcetype_for_cisco_asa] DEST_KEY = MetaData:Sourcetype REGEX = %ASA-\d+-\d+ #REGEX = %ASA--\d+-\d+ FORMAT = sourcetype::cisco_asa [/code]
By default you should not have to do anything.
The cisco firewall add-on is based on the sourcetype which itself is assigned using regex in splunk/etc/apps/Splunk_CiscoFirewalls/default/transforms.conf.
But if you have manually set the sourcetype the easiest would be to rename your existing cisco firewall log sourcetype in Manager >> Fields >> Sourcetype renaming as
And for new data just force the sourcetype to
as per README.txt:
If you have previously indexed Cisco firewall data and would like to preserve the current sourcetype for reporting purposes you can create an alias in the local directory of this app.
To create a sourcetype alias simply add the following entry to props.conf under the local directory of this app (
[cisco_firewall] rename = your_current_firewall_sourcetype
The field extractions are set to
sourcetype=cisco_firewall which is keyed off of
%ASA, %PIX and %FWSM. All of the reports use
eventtype=cisco_firewall, the default cisco_firewall eventtype looks for
%ASA, %PIX or %FWSM in your data.
The real time and overview dashboards as well as the included searches and reports in this add-on rely on the search:
eventtype=cisco_firewall in order to report on firewall data.
If you did evertyhing that MarioM suggested and it stil doesn't work, then maybe it is an Access Control issue. Did you make the new index "searched by default" for the role who you are logged in as? If you aren't sure, then click on "Manager | Access Control | Roles | ROLE-You-Are-Logged-In-As" and scrole down to the bottom two sections. 1. Ensure you have access to the new index. 2. Ensure Splunk searches the new index automatically.
I did this and can see the rename rule, but this does not seem to work at all.
I still cannot see any events when selecting the cisco_firewall app. Have you managed to get this to work as in the docs ?