Getting Data In

How do I install the Cisco Firewall add-on?

Splunk Employee
Splunk Employee

How do I install and configure the Cisco Firewall add-on: http://www.splunkbase.com/apps/All/4.x/app:Cisco+Firewalls+Add-On

Tags (4)

New Member

On Splunk version 5.0.1, build 143156, this app will not correctly extract time from ASA syslog messages without some tweaking. You will need to modify the app's props.conf file to get it working.

Mine was located here: /opt/splunk/etc/apps/Splunk_CiscoFirewalls/default

You want to modify this:

[ciscofirewall]
MAX
TIMESTAMP_LOOKAHEAD=19

To this:

[ciscofirewall]
MAX
TIMESTAMP_LOOKAHEAD=28

This will fix timestamp extraction and allow your events to show up and be indexed at the correct time.

0 Karma

Explorer

Is there a way to use this app with another index. I have a syslog server which collects all the ASA logs and than a local forwarder on that host sends the data to Splunk. Reason being is that I have 3 indexers and would like to load balance the traffic. Also the search head is not licensed to index that amount of data

0 Karma

Splunk Employee
Splunk Employee

To install this add-on, unpack this file into $SPLUNK_HOME/etc/apps and restart Splunk.

In order to get the firewall data into Splunk you will need to configure a port on the Splunk server to listen for UDP or TCP traffic.

http://www.splunk.com/base/Documentation/latest/admin/MonitorNetworkPorts

Next configure the firewall device to direct log traffic to the Splunk server on the specified port

The add-on will rename the sourcetype of your ASA, FWSM and PIX firewall events to cisco_firewall. If you have previously indexed Cisco firewall data and would like to perserve the current sourcetype for reporting purposes you can create an alias in the local directory of this app.

To create a sourcetype alias simply add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/cisco_firewall_addon/local):

[cisco_firewall] rename = your_current_firewall_sourcetype

The field extractions are set to sourcetype=cisco_firewall which is keyed off of %ASA, %PIX and %FWSM. All of the reports use eventtype=cisco_firewall, the default cisco_firewall eventtype looks for %ASA, %PIX or %FWSM in your data.

The real time and overview dashboards as well as the included searches and reports in this add-on rely on the search: eventtype=cisco_firewall in order to report on firewall data.

There is one scheduled search included in this add-on which creates an cache for the dashboard every 3 hours with a Splunk enterprise license.

To change the schedule you can edit the following search under the manager:

Cisco Firewall - DataCube

Splunk Employee
Splunk Employee

yes, but how do i fax it nicely?

0 Karma