
Missing pretrained sourcetypes

New Member

I have a new installation and I have only made a couple of tweaks. Specifically, I added a new props.conf and transforms.conf to /opt/splunk/etc/system/local according to this blog: http://kleinco.com.au/thoughts-events/item/forensic-timeline-splunking

I have a file with a few thousand Cisco ASA firewall syslog entries. I have installed both Splunk for Cisco Firewalls and Splunk for Cisco ASA apps.

I want to index this firewall log file via Data Inputs > Files & Directories > New. When I preview the file, it is not automatically recognized and so I choose "Apply an existing sourcetype", but there is no cisco_syslog (which should be a pretrained option from what I've read) or any other cisco or firewall options.

How do I get the ASA log file data to be parsed correctly? At a minimum, I want to see Timestamp, Source IP, Source Port, Destination IP, Destination Port, and built or denied.

Thanks!

0 Karma

Re: Missing pretrained sourcetypes

Splunk Employee

If you have the Splunk for Cisco ASA app installed, you may try skipping the preview, checking the "More Settings" checkbox, and manually setting the sourcetype to what you expect. In order to populate the list the preview app uses, you need to make a configuration change in the current version, which is not ideal.

From the app, these are the settings you want for sourcetype and index.

The sourcetype needs to be set to "cisco_asa" and the logs need to be stored in the "firewall" index.

0 Karma

Re: Missing pretrained sourcetypes

New Member

Even when I skip preview and choose More Settings & the Firewall index, there still is no "cisco_asa" option in the drop-down list of source types.

0 Karma

Re: Missing pretrained sourcetypes

Splunk Employee

For the "Set the sourcetype" drop-down, pick Manual and then manually type in the cisco_asa sourcetype. That is what exists in the underlying config files.

0 Karma
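The same result the answers above reach through the UI (sourcetype cisco_asa, index firewall) can be written directly as a monitor input. The stanza below is an added example, not from the thread or from the Cisco ASA app; the log file path is an assumption and should be replaced with the real location of the ASA syslog file.

```ini
# Added example: equivalent of the UI steps in the answers above.
# Put this in $SPLUNK_HOME/etc/system/local/inputs.conf (or the local/
# directory of an app). The path is an assumed placeholder.
[monitor:///var/log/cisco/asa.log]
sourcetype = cisco_asa
index = firewall
disabled = 0
```

Two things to check before restarting: the firewall index must actually exist (define it in indexes.conf if the app did not create it; events sent to an index that does not exist are dropped and an error is written to splunkd.log), and the cisco_asa sourcetype must be defined by the installed app. Running `splunk btool props list cisco_asa --debug` on the indexer shows which props.conf file supplies that stanza, which confirms the app's field extractions (timestamp, source and destination IP and port, built/denied action) will apply to the monitored file.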