Re: Pulling Cisco Firewall add-on data

aalborz · ‎08-01-2012

How do I direct a Cisco firewall's syslog data into Splunk?
I don't know much about Cisco, so I'm looking for step-by-step instructions.

TIA

Alex

tgow · ‎08-01-2012

This is quite easy to do. You will need to configure the Cisco Firewall to send the syslog data via a port using either UDP or TCP. Whatever port that you send the data on needs to be opened on the Splunk server. How to configure a Cisco firewall depends on the type (PIX, ASA, etc.). Here is a good article that should help you get going:

http://www.ciscopress.com/articles/article.asp?p=426638&seqNum=3

Now once you have configured the firewall to send syslog data back to your Splunk Indexer's ip address then you just need to open up the data input for listening on that port, for instance if you picked UDP/514 then you need to open up port 514 using the UDP data input (Manager-->Data Inputs-->UDP) on your Splunk Indexer.

Here is a good link to information on that:

http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Monitornetworkports

aalborz · ‎08-02-2012

Thanks. The Cisco Press link doesn't have any instructions about configuring this on an ASA firewall.
Should I use the same instructions as for PIX?

Pulling Cisco Firewall add-on data

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation