Re: Missing pretrained sourcetypes

mpilking2 · ‎08-07-2012

I have a new installation and I have only made a couple of tweaks. Specifically, I added a new props.conf and transforms.conf to /opt/splunk/etc/system/local according to this blog: http://kleinco.com.au/thoughts-events/item/forensic-timeline-splunking

I have a file with a few thousand Cisco ASA firewall syslog entries. I have installed both Splunk for Cisco Firewalls and Splunk for Cisco ASA apps.

I want to index this firewall log file via Data Inputs > Files & Directories > New. When I preview the file, it is not automatically recognized and so I choose "Apply an existing sourcetype", but there is no cisco_syslog (which should be a pretrained option from what I've read) or any other cisco or firewall options.

How do I get the ASA log file data to be parsed correctly? At a minimum, I want to see Timestamp, Source IP, Source Port, Destination IP, Destination Port, and built or denied.

Thanks!

sdaniels · ‎08-08-2012

If you have the Splunk for Cisco ASA app installed you may try skipping the preview and check the "More Settings" checkbox and manually set the sourcetype to what you expect. In order to populate the list the preview app uses, you need to make a configuration change in the current version which is not ideal.

From the app...these are the settings you want for sourcetype and index.

The sourcetype needs to be set to "cisco_asa" and the logs need to be stored in the "firewall" index.

sdaniels · ‎08-08-2012

For the "Set the sourcetype" drop down pick Manual and then manually put in the the cisco_asa sourcetype. That is what exists in the underlying config files.

mpilking2 · ‎08-08-2012

Even when I skip preview and choose More Settings & Firewall index, there still is no "cisco_asa" option from the drop down list of source types.

Missing pretrained sourcetypes

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes