Getting Data In

If I have multiple Cisco devices sending syslog directly to Splunk with the same source and sourcetype, how do I view them separately?

mi5cyberninja
New Member

Although we have multiple threads related to this topic, none are useful, and they are confusing for newbies like me.

I have multiple Cisco devices (Routers, ASA firewall, ACS server) and all are sending syslog info directly to Splunk.

I'd really be grateful if anybody can give a step-by-step recommendation on how to view them separately.

I am confused especially when the sourcetype and source are showing cisco:asa for all the devices that are being searched (say, for example, I'm looking at logs for the SMTP relay and it is showing the sourcetype as ASA).

Please help me friends!

0 Karma

esix_splunk
Splunk Employee

This is most likely because all of your devices are sending to the UDP input on the Splunk server, and you have that UDP input configured as cisco:asa. There are a few options to change this:

1) Create different UDP inputs for each device type:
UDP/514 = cisco:asa
UDP/515 = cisco:ios
UDP/515 = cisco:acs
UDP/516 = myunixsyslogfeeds

2) Alternatively, you can configure props and transforms to assign the sourcetype based on a match against the host content.

See this article for more information: http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Advancedsourcetypeoverrides

If you do either of the above, then at search time you can specify sourcetype=cisco:asa or sourcetype=cisco:acs etc.

0 Karma
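Option 1 from the reply above, written out as an inputs.conf. This is an added example, not a file from the thread or from Splunk's documentation: the port numbers, the sourcetype name myunixsyslogfeeds, and the placement on the indexer (or heavy forwarder) that receives the syslog are my assumptions. Each sourcetype gets its own UDP port, because a single UDP input stanza can carry only one sourcetype.

```ini
# inputs.conf (added example) on the Splunk instance that receives the syslog,
# normally the indexer or a heavy forwarder. Port numbers are assumed values;
# the sending devices must be pointed at the matching port.

# ASA firewall
[udp://514]
sourcetype = cisco:asa
# derive host from the reverse DNS of the sending IP (use ip if no PTR records)
connection_host = dns
# keep the device's own syslog timestamp instead of prepending Splunk's
no_appending_timestamp = true

# Routers (IOS)
[udp://515]
sourcetype = cisco:ios
connection_host = dns
no_appending_timestamp = true

# ACS server
[udp://516]
sourcetype = cisco:acs
connection_host = dns
no_appending_timestamp = true

# Other Unix syslog senders (sourcetype name is assumed)
[udp://517]
sourcetype = myunixsyslogfeeds
connection_host = dns
no_appending_timestamp = true
```

After a restart, a search such as index=my_index sourcetype=cisco:acs returns only the ACS events, and within one sourcetype the host field separates devices further (sourcetype=cisco:asa host=asa01, with asa01 being whatever name connection_host resolved). A quick sanity check that every device landed on the intended port is index=my_index | stats count by host, sourcetype.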

Sloefke
Path Finder

Or even better, install the technology add-ons for Cisco ASA and ACS; most of it works just fine out of the box 🙂
If you're using a distributed environment, install them on your forwarders.

https://apps.splunk.com/app/1620/
https://apps.splunk.com/app/1811/

0 Karma

mi5cyberninja
New Member

@esix_splunk: OK, the 1st option is good, but I would still like to choose the second option:

The document says:

Create a stanza in transforms.conf that follows this syntax:

[] - my value here is cisco_acs & SMTP
REGEX = -
FORMAT = sourcetype:: -
DEST_KEY = MetaData:Sourcetype

Could you please decode the above stanza for cisco acs and SMTP relay logs?

0 Karma
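The host-based sourcetype override from esix_splunk's option 2, filled in against the transforms.conf template quoted in the post above. This is an added example rather than text from the thread or from the Splunk docs page: the hostnames (acs01, smtp-relay01), the sourcetype name smtp_relay and the source udp:514 are assumptions. These are index-time settings, so they belong on the indexer or heavy forwarder that parses the UDP stream, not on a universal forwarder, and they only affect data indexed after the restart.

```ini
# props.conf (added example). Apply the transforms to everything arriving on the
# shared UDP input; a UDP input's default source is udp:<port> (assumed 514 here).
[source::udp:514]
TRANSFORMS-set_syslog_sourcetype = set_cisco_acs, set_smtp_relay

# transforms.conf (added example). Each stanza fills one slot of the template:
#   [<unique_stanza_name>]  the name referenced from props.conf
#   SOURCE_KEY              field the REGEX runs against (host, not the raw event)
#   REGEX                   pattern that identifies the device by hostname
#   FORMAT                  the sourcetype to assign
#   DEST_KEY                MetaData:Sourcetype for any sourcetype override
[set_cisco_acs]
SOURCE_KEY = MetaData:Host
# hostname is a constructed placeholder: acs01, acs02, ...
REGEX = ^acs\d+
FORMAT = sourcetype::cisco:acs
DEST_KEY = MetaData:Sourcetype

[set_smtp_relay]
SOURCE_KEY = MetaData:Host
# hostname is a constructed placeholder: smtp-relay01
REGEX = ^smtp-relay
FORMAT = sourcetype::smtp_relay
DEST_KEY = MetaData:Sourcetype
```

Events whose host matches neither REGEX keep the sourcetype set on the UDP input (cisco:asa in this thread), so after restarting, run index=my_index | stats count by host, sourcetype and check that every ACS and SMTP relay host now shows its new sourcetype; any host still listed as cisco:asa needs its own stanza or a widened REGEX.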

esix_splunk
Splunk Employee

You'd be better off starting a new thread and asking the community for help in that manner.

Also, look at the Cisco IOS and ASA TAs that have all the extractions in place. You most likely can find the solution there.

0 Karma

tachifelix
Path Finder

In the Search and Reporting app, build 3 searches:
1. With source=first source file that is in your index, and save it as eventtype Routers:

    index=my_index source=first_source_name 

2. index=my_index source=second_source_name, save it as eventtype asa_firewall
3. index=my_index source=third_source_name, save it as eventtype acs_server

0 Karma