cisco ASA web content filtering and access logs

ranjitbrhm1 · ‎03-18-2018

Hello All, I was following a splunk document for Syslog NG where they were showing how to filter out cisco ASA logs forthe syslog-NG server. Here is what i have followed.
https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html

destination d_cisco_asa { file("/home/syslog/logs/cisco/asa/$HOST/$YEAR-$MONTH-$DAY-cisco-asa.log" create_dirs(yes)); };
log { source(s_network); filter(f_cisco_asa); destination(d_cisco_asa); };
filter f_cisco_asa { match("%ASA" value("PROGRAM")) or match("%ASA" value("MESSAGE")); };

The above is working fine for now. Now i need to filter out the logs for both the content filtering and the access logs. As a matter of fact it would be nice if someone could guide me to all the cisco options there are on the syslog. Currently They seems to be filtered out to my catchall file. Does anyone know how to get the logs filtered in based on cathegories for the cisco asa so that they can be fed into the cisco app in splunk?

laurazeno · ‎03-22-2018

I have all the ASA logs going to a catchall filter then use the Splunk Add-On for Cisco ASA to parse through them. If you make the sourcetype of the catch all folder to "syslog" the transforms in the ASA Add-on will define the sourcetypes, field aliases, etc. for you.

Cisco ASA Add-on https://splunkbase.splunk.com/app/1620/

Hope that helps.

cisco ASA web content filtering and access logs

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming

Are you a member of the Splunk Community?

cisco ASA web content filtering and access logs

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming