Getting Data In

Filtering Cisco ASA Session log to remove logging for a session ID and IP combination

timoggy
Loves-to-Learn Lots

Hi,

I'm very new to Splunk, and struggling to find a way to filter a specific log which is consuming a large proportion of my license.

I have a Cisco ASA set up to send events to a Splunk UDP port as syslog. I've restricted the logs to what I want to see by using the built-in filter tools within the ASA.

From what I can see within the forum, there are lots of people asking how to filter based on Syslog ID, but I want to filter out based on Syslog ID 302013 and IP xxx.xxx.xxx.xxx, as I want to keep 302013 apart from anything containing that specific IP.

I don't even know where to start, but I know this can't be done from the cisco device, so has to be done on the Splunk server.

Would really appreciate someone pointing me in the right direction.

Thanks,

Tim


timoggy
Loves-to-Learn Lots

Hi, I meant I want to keep ID 302013. But I don't want to keep ID 302013 if it contains a specific IP address.

I wanted to try and simplify the set-up rather than have multiple servers, we don't have much resource here, but may have to look and see if there is a syslog server that may make the filtering a bit easier. The way to filter in Splunk doesn't look the easiest to implement, which is why I did as much as I could from the source device.


richgalloway
SplunkTrust

Please clarify your requirements since "filter" and "keep apart" mean two different things in my world. What do you want to do with the ID 302013 events?

Have you read the docs on filtering events? See https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad

Are you aware that sending syslog directly to Splunk is discouraged? Best practice is to send syslog to a dedicated syslog server and then forward to Splunk. This helps to reduce data loss, plus syslog servers often have built-in filtering features. See http://www.georgestarcher.com/splunk-success-with-syslog/

---
If this reply helps you, Karma would be appreciated.
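A worked filter for the case described in this thread, added here as an example; it is not part of any reply above and is not the poster's or Splunk's own configuration. It drops 302013 events that mention one specific address and keeps every other 302013 event, which is the behaviour the second post asks for. It assumes the ASA UDP input is assigned sourcetype cisco:asa, uses 192.0.2.10 as a placeholder for the address to drop, and the stanza name drop_302013_for_host is made up for the example. Because the ASA sends syslog straight into a Splunk UDP input, parsing happens on the indexer, so these stanzas go on the indexer (or on a heavy forwarder in the path); a universal forwarder does not apply regex transforms. Restart Splunk or reload the configuration after editing.

```ini
# props.conf -- bind the transform to the ASA sourcetype.
# Assumes the UDP input sets sourcetype = cisco:asa; adjust if yours differs.
[cisco:asa]
TRANSFORMS-drop_302013_for_host = drop_302013_for_host

# transforms.conf -- send matching events to nullQueue so they are never
# indexed and therefore never count against the license.
[drop_302013_for_host]
# Constructed sample of the event this stanza is meant to drop:
#   %ASA-6-302013: Built inbound TCP connection 2291 for outside:192.0.2.10/443 (192.0.2.10/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)
# Match only message ID 302013 (any severity digit) that also contains the
# one address to drop. 192.0.2.10 is a placeholder: escape the dots and wrap
# it in \b so that 192.0.2.100 does not match by accident.
REGEX = %ASA-\d-302013:.*\b192\.0\.2\.10\b
DEST_KEY = queue
FORMAT = nullQueue
```

Before rolling this out, run a search over the existing data with the same regex (for example `sourcetype=cisco:asa "302013" | regex _raw="\b192\.0\.2\.10\b"`) to confirm it matches only the events you expect and to estimate how much license volume it removes; afterwards, the license usage report should show the drop. If the intent is to key on the connection number rather than the address, the same stanza works with the regex changed to match that field instead.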