For starters these instructions are for the CSA not the ASA. CSA is the Client Security Agent. What you want is the Cisco Firewall Add-on found here:
Unpack that archive into SPLUNK_HOME/etc/apps/, restart Splunk, point your firewall to the port you specified in data inputs, and off you go.
Thanks for the colorful commentary, it brightened my day 🙂
What the hell does this all mean? This is ridiculous for starters. I have spent over an hour trying to get Splunk to work with the ASA. I could have installed a linux machine and easily activated syslog by now. I'm rather disappointed with Splunk. What does all this data mean and why is it so hard to find a clear reference to all this? So much technical gibberish with no reference as to what it means. What a waste.
To install this add-on, unpack this file into $SPLUNK_HOME/etc/apps and restart.
The field extractions are set to sourcetype=cisco_csa; there is also a host extraction for the client's name that requires a sourcetype of cisco_csa. The reports use eventtype=cisco_csa. By default this eventtype is created with the search sourcetype=cisco_csa.
If you already have the CSA log indexed under a different sourcetype you will need to update the props.conf and eventtypes.conf files in the local directory of this app.
In props.conf create the following entry, replacing the stanza name (cisco_csa below) with your CSA sourcetype:
[cisco_csa]
TRANSFORMS = csa_hostoverride
REPORT-extract = csafields
SHOULD_LINEMERGE = false
In eventtypes.conf create the following entry, replacing the sourcetype in the search (cisco_csa below) with your CSA sourcetype:
[cisco_csa]
search = sourcetype=cisco_csa
tags = cisco client_security
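The remapping above is easy to get half right: the eventtype gets pointed at the new sourcetype but the props.conf stanza keeps the old name, so the reports find events with no field extractions. The following added example (not part of the add-on) parses a local props.conf and eventtypes.conf pair and reports any sourcetype the eventtype search names that lacks the three required props settings. The sourcetype csa_syslog and the sample file contents are constructed for the example.

```python
"""Consistency check for the local props.conf / eventtypes.conf pair edited
when CSA logs are indexed under a sourcetype other than cisco_csa.
Added example; not code from the add-on."""
import configparser
import re

# Settings the add-on's props.conf stanza must carry for its extractions to apply.
REQUIRED_PROPS = {
    "TRANSFORMS": "csa_hostoverride",
    "REPORT-extract": "csafields",
    "SHOULD_LINEMERGE": "false",
}


def parse_conf(text):
    """Parse Splunk .conf text (INI-like; keys are case-sensitive)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep REPORT-extract etc. exactly as written
    cp.read_string(text)
    return cp


def sourcetypes_in_search(search):
    """Return every sourcetype value named in an eventtype search string."""
    return re.findall(r'sourcetype\s*=\s*"?([\w:\-]+)"?', search)


def check_csa_config(props_text, eventtypes_text, eventtype="cisco_csa"):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    props = parse_conf(props_text)
    evt = parse_conf(eventtypes_text)
    if not evt.has_section(eventtype):
        return [f"eventtypes.conf: no [{eventtype}] stanza"]
    search = evt.get(eventtype, "search", fallback="")
    sourcetypes = sourcetypes_in_search(search)
    if not sourcetypes:
        problems.append(f"eventtypes.conf: [{eventtype}] search names no sourcetype")
    for st in sourcetypes:
        if not props.has_section(st):
            problems.append(
                f"props.conf: no [{st}] stanza for sourcetype used by eventtype {eventtype}")
            continue
        for key, want in REQUIRED_PROPS.items():
            got = props.get(st, key, fallback=None)
            if got is None:
                problems.append(f"props.conf: [{st}] missing {key} = {want}")
            elif got.lower() != want.lower():
                problems.append(f"props.conf: [{st}] has {key} = {got}, expected {want}")
    return problems


# Constructed samples: CSA events remapped to a hypothetical sourcetype csa_syslog.
GOOD_PROPS = """
[csa_syslog]
TRANSFORMS = csa_hostoverride
REPORT-extract = csafields
SHOULD_LINEMERGE = false
"""
GOOD_EVENTTYPES = """
[cisco_csa]
search = sourcetype=csa_syslog
tags = cisco client_security
"""
# Eventtype was updated but props.conf still carries the default stanza name.
BAD_PROPS = """
[cisco_csa]
TRANSFORMS = csa_hostoverride
REPORT-extract = csafields
SHOULD_LINEMERGE = false
"""
# Stanza renamed but the field-extraction REPORT line was dropped.
PARTIAL_PROPS = """
[csa_syslog]
TRANSFORMS = csa_hostoverride
SHOULD_LINEMERGE = false
"""

if __name__ == "__main__":
    for label, p in (("good", GOOD_PROPS), ("bad", BAD_PROPS), ("partial", PARTIAL_PROPS)):
        print(label, check_csa_config(p, GOOD_EVENTTYPES) or "OK")
```

Run it against the two files in the add-on's local directory; an empty result means the eventtype's sourcetype has the host override and field extractions the dashboards depend on.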
The sample reports in this add-on rely on the search eventtype=cisco_csa in order to report on CSA data. There is one scheduled search included in this add-on which builds a cache for the dashboard every 3 hours (scheduled searches require a Splunk Enterprise license). To change the schedule, edit the following search under Manager:
Cisco Client Security Agent - DataCube