Getting Data In

Cisco Security Suite ASA firewall logs not showing in app

pmovrich
Explorer

Hello,

I've set up a new Splunk server to demo here and I'm pretty new to the whole Splunk scene. I'm trying to add some of my Cisco devices and I've installed the Cisco Security Suite with the Firewall part enabled. However, none of the logs/data is being populated inside the app.

When I search for ASA I see a bunch (10k+) of hits for my firewall. I read through the documentation but that doesn't seem to help.

I've enabled data collection on the Splunk server via Add Data > TCP port > 514.

Any help?

0 Karma

tshivery
New Member

I'm in the same boat as pmovrich - Brand new to Splunk and I wish to view ASA syslogs. Recently installed Splunk 6, Cisco Security Suite 3.0.2, Splunk Add-on for Cisco ASA 3.0.0. I see events being indexed on the Splunk home page but when I open the Cisco Sec. Suite, nothing. This is a Win7 install. Any advice? Thanks in advance.

0 Karma

tshivery
New Member

Success! That's what happens when you deal with network guys - you have to hold their hands on OSs. Thank you Jason.

0 Karma

pmovrich
Explorer

This was done on a Windows 2012 box.

0 Karma

tshivery
New Member

If I'm not mistaken, your answer applies to a *nix install? My install is Win7.

0 Karma

jconger
Splunk Employee

Looks like my answer worked for pmovrich. Did you try the steps outlined?

0 Karma

jconger
Splunk Employee

You may need to force the sourcetype of your ASA logs. Here's how:

  1. Navigate to the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa directory.
  2. Create a new directory named local.
  3. Navigate into the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/default directory.
  4. Copy the props.conf configuration file and place it into the previously created $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory.
  5. Navigate into the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local directory.
  6. Open the props.conf configuration file.
  7. Remove the # (comment markers) at the beginning of the lines below in the props.conf file:
    • #[source::udp:514]
    • #TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
  8. Save the props.conf configuration file.
  9. Restart the Splunk Service/Daemon.
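
A minimal form of the local override described in the steps above, added here as an illustration and not copied from the add-on or from the answer. The stanza name and the TRANSFORMS line are the ones quoted in the answer; the second stanza is an assumption for the case in the original question, where the input was created as a TCP listener on port 514 rather than a UDP one.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local/props.conf
# Added example. Splunk reads local/ on top of default/, so only the
# stanzas being changed need to appear here; copying the whole default
# file (as in the steps above) also works but makes later add-on
# upgrades harder to review, because every default line is shadowed.

# Syslog arriving on a UDP port 514 input is indexed with source=udp:514.
# This is the stanza the answer says to uncomment.
[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

# Assumption: the question's input was "Add Data > TCP port > 514", so
# those events arrive with source=tcp:514. A UDP-only stanza never
# matches them, and the ASA events keep whatever generic sourcetype the
# TCP input assigned. The same transforms are applied to the TCP source.
[source::tcp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
```

TRANSFORMS settings are applied at index time, so only events received after the restart are affected; anything already indexed keeps its old sourcetype, and a dashboard that searches a time range before the change will still look empty. To confirm the override is taking effect, search recent data with `source=tcp:514 OR source=udp:514 | stats count by sourcetype` and check that new events carry the add-on's cisco:asa sourcetype rather than the input's default one.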

pmovrich
Explorer

This worked for me. thanks!

0 Karma

lloydknight
Builder

Apparently this doesn't work for me.

The props.conf config was already commented out but it's still not working.

And the dashboards were looking for eventtype=cisco-firewall, and upon checking eventtypes.conf, there's no cisco-firewall defined in there. What's happening here?

0 Karma