Getting Data In

Cisco Security Suite ASA firewall logs not showing in app

pmovrich
Explorer

Hello,

I've setup a new Splunk server to demo here and i'm pretty new to the whole Splunk scene. i'm trying to add some of my cisco devices and I've installed the Cisco Security Suite with the Firewall part enabled. however none of the logs/data is being populated inside the app.

When i search for ASA i see a bunch (10k+) of hits for my firewall. i read through the documentation but that doesn't seem to help.

I've enabled data collection on the Splunk server via add data > TCP port > 514.

any help?

Tags (3)
0 Karma

tshivery
New Member

I'm in the same boat as pmovrich - Brand new to Splunk and I wish to view ASA syslogs. Recently installed Splunk 6, Cisco Security Suite 3.0.2, Splunk Add-on for Cisco ASA 3.0.0. I see events being indexed on the Splunk home page but when I open the Cisco Sec. Suite, nothing. This is a Win7 install. Any advice? Thanks in advance.

0 Karma

tshivery
New Member

Success! That's what happens when you deal with network guys - you have to hold their hands on OSs. Thank you Jason.

0 Karma

pmovrich
Explorer

this was done on a windows 2012 box.

0 Karma

tshivery
New Member

If I'm not mistaken, your answer applies to a *nix install? My install is Win7.

0 Karma

jconger
Splunk Employee
Splunk Employee

Looks like my answer worked for pmovrich. Did you try the steps outlined?

0 Karma

jconger
Splunk Employee
Splunk Employee

You may need to force the sourcetype of your ASA logs. Here's how:

  1. Navigate to the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa directory.
  2. Create a new directory named local.
  3. Navigate into the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/default directory.
  4. Copy the props.conf configuration file and place it into the previously created $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory.
  5. Navigate into the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory.
  6. Open the props.conf configuration file.
  7. Remove the # (commented out markers) at the beginning of the below text in the props.conf file.
    • #[source::udp:514]
    • #TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
  8. Save the props.conf configuration file.
  9. Restart the Splunk Service/Daemon.

pmovrich
Explorer

This worked for me. thanks!

0 Karma

lloydknight
Builder

apparently this doesn't work for me.

props.conf config was already commented out but still not working.

and the dashboards were looking for eventtype=cisco-firewall and upon checking on the eventtypes.conf, there's no cisco-firewall defined in there. what's happening here?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...