Hello,
I've setup a new Splunk server to demo here and i'm pretty new to the whole Splunk scene. i'm trying to add some of my cisco devices and I've installed the Cisco Security Suite with the Firewall part enabled. however none of the logs/data is being populated inside the app.
When i search for ASA i see a bunch (10k+) of hits for my firewall. i read through the documentation but that doesn't seem to help.
I've enabled data collection on the Splunk server via add data > TCP port > 514.
any help?
I'm in the same boat as pmovrich - Brand new to Splunk and I wish to view ASA syslogs. Recently installed Splunk 6, Cisco Security Suite 3.0.2, Splunk Add-on for Cisco ASA 3.0.0. I see events being indexed on the Splunk home page but when I open the Cisco Sec. Suite, nothing. This is a Win7 install. Any advice? Thanks in advance.
Success! That's what happens when you deal with network guys - you have to hold their hands on OSs. Thank you Jason.
this was done on a windows 2012 box.
If I'm not mistaken, your answer applies to a *nix install? My install is Win7.
Looks like my answer worked for pmovrich. Did you try the steps outlined?
You may need to force the sourcetype of your ASA logs. Here's how:
This worked for me. thanks!
apparently this doesn't work for me.
props.conf config was already commented out but still not working.
and the dashboards were looking for eventtype=cisco-firewall and upon checking on the eventtypes.conf, there's no cisco-firewall defined in there. what's happening here?