Hi all,

I've got the Cisco Firewall Addon (latest version with Security Suite) in and working, however I notice that it isn't recognising the host name properly; all events are showing as being from the box that my light forwarder is on. (host=myforwarderboxname)

It looks like this stanza in the transforms.conf will be the issue

[cisco_firewall_hostoverride]
DEST_KEY = MetaData:Host
REGEX = \S+\t\S+\s(.*)\t+
FORMAT = host::$1

However, I tried changing the regex to \s\d+:\d+:\d+\s(.*)\s\% (works on a field extraction) and restarting but this didn't work.

View source from splunk shows:

Sep 18 13:10:02 myfirewall %ASA-6-302014: Teardown TCP connection 54647599 for outside....

Is anyone else doing the same thing, and if so, how did you fix it? 🙂

Thanks!

EDIT:

Right, after some brain-ache, I found that I can fix this by editing:

/opt/splunk/etc/apps/Splunk_CiscoFirewalls/default/props.conf

And appending syslog-host on the end of the first transforms line, eg:

[source::...cisco]

TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall, syslog-host

There must be a foolproof way of doing this... I know that if I upgrade the app, then this will probably get wiped out.

Do I need to add a one-liner in the local folder in a new props.conf?

ie: TRANSFORMS-syslog-host