
How do I install the Cisco Firewall add-on?

Will_Hayes
Splunk Employee

How do I install and configure the Cisco Firewall add-on: http://www.splunkbase.com/apps/All/4.x/app:Cisco+Firewalls+Add-On

enkrypter
New Member

On Splunk version 5.0.1, build 143156, this app will not correctly extract time from ASA syslog messages without some tweaking. You will need to modify the app's props.conf file to get it working.

Mine was located here: /opt/splunk/etc/apps/Splunk_CiscoFirewalls/default

You want to modify this:

[cisco_firewall]
MAX_TIMESTAMP_LOOKAHEAD=19

To this:

[cisco_firewall]
MAX_TIMESTAMP_LOOKAHEAD=28

This will fix timestamp extraction and allow your events to show up and be indexed at the correct time.

tevgey23
Explorer

Is there a way to use this app with another index? I have a syslog server which collects all the ASA logs and then a local forwarder on that host sends the data to Splunk. The reason is that I have 3 indexers and would like to load balance the traffic. Also, the search head is not licensed to index that amount of data.

Will_Hayes
Splunk Employee

To install this add-on, unpack this file into $SPLUNK_HOME/etc/apps and restart Splunk.

In order to get the firewall data into Splunk you will need to configure a port on the Splunk server to listen for UDP or TCP traffic.

http://www.splunk.com/base/Documentation/latest/admin/MonitorNetworkPorts

Next, configure the firewall device to direct log traffic to the Splunk server on the specified port.

The add-on will rename the sourcetype of your ASA, FWSM and PIX firewall events to cisco_firewall. If you have previously indexed Cisco firewall data and would like to preserve the current sourcetype for reporting purposes, you can create an alias in the local directory of this app.

To create a sourcetype alias simply add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/cisco_firewall_addon/local):

[cisco_firewall]
rename = your_current_firewall_sourcetype

The field extractions are set to sourcetype=cisco_firewall, which is keyed off %ASA, %PIX and %FWSM. All of the reports use eventtype=cisco_firewall; the default cisco_firewall eventtype looks for %ASA, %PIX or %FWSM in your data.

The real time and overview dashboards as well as the included searches and reports in this add-on rely on the search: eventtype=cisco_firewall in order to report on firewall data.

There is one scheduled search included in this add-on which creates a cache for the dashboard every 3 hours with a Splunk Enterprise license.

To change the schedule you can edit the following search under the manager:

Cisco Firewall - DataCube
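As an added example (not code from this thread, from Splunk or from the add-on), the following Python covers both tweaks discussed above: a simplified model of what MAX_TIMESTAMP_LOOKAHEAD does to an ASA event like the one in enkrypter's post, and a local/props.conf overlay that carries the lookahead change together with the sourcetype rename, resolved the way Splunk layers default/ under local/. The sample event, the stand-in default stanza and the helper names are constructed assumptions.

```python
import configparser
import re
from typing import Dict, Optional

# Constructed sample event (not from the page): syslog PRI prefix followed by an
# ASA-generated timestamp. The 20-character timestamp ends at offset 25.
SAMPLE_EVENT = ("<166>Jan 10 2013 12:34:56: %ASA-6-302013: Built outbound TCP "
                "connection 12 for outside:203.0.113.5/443")

# Constructed stand-in for the add-on's default/props.conf stanza.
DEFAULT_PROPS = "[cisco_firewall]\nMAX_TIMESTAMP_LOOKAHEAD = 19\n"

TS_RE = re.compile(r"[A-Z][a-z]{2} \d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}")


def timestamp_within_lookahead(event: str, lookahead: int) -> Optional[str]:
    """Simplified model of MAX_TIMESTAMP_LOOKAHEAD: the timestamp only counts if it
    lies entirely within the first `lookahead` characters. (Splunk's real parser also
    honours TIME_PREFIX/TIME_FORMAT; this is an illustration, not Splunk's code.)"""
    match = TS_RE.search(event[:lookahead])
    return match.group(0) if match else None


def build_local_overlay(lookahead: int, rename_to: Optional[str] = None) -> str:
    """Render the stanza to drop into the add-on's local/props.conf. Keeping the
    change in local/ (not default/) means an app upgrade does not overwrite it."""
    lines = ["[cisco_firewall]", f"MAX_TIMESTAMP_LOOKAHEAD = {lookahead}"]
    if rename_to:
        lines.append(f"rename = {rename_to}")
    return "\n".join(lines) + "\n"


def effective_stanza(default_text: str, local_text: str, stanza: str) -> Dict[str, str]:
    """Resolve a stanza the way Splunk layers default/ under local/ (local wins)."""
    merged: Dict[str, str] = {}
    for text in (default_text, local_text):
        parser = configparser.ConfigParser(interpolation=None)
        parser.optionxform = str  # props.conf keys are case-sensitive
        parser.read_string(text)
        if parser.has_section(stanza):
            merged.update(parser[stanza])
    return merged


if __name__ == "__main__":
    for lookahead in (19, 28):
        print(lookahead, "->", timestamp_within_lookahead(SAMPLE_EVENT, lookahead))
    overlay = build_local_overlay(28, rename_to="your_current_firewall_sourcetype")
    print(effective_stanza(DEFAULT_PROPS, overlay, "cisco_firewall"))
```

With the 19-character window the timestamp is cut off and nothing is found, so Splunk would fall back to index time; the 28-character window recovers it, which is the behaviour enkrypter describes.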

carasso
Splunk Employee

Yes, but how do I fax it nicely?
