Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Cisco FMC/FTD log parsing issue

AShwin1119
Explorer
2 weeks ago

We are collecting logs from the Cisco FMC/FTD endpoint into Splunk via syslog. However, after onboarding, the logs are not being parsed correctly. Request your assistance in identifying the appropriate log parsing app or suggesting a suitable solution to resolve this issue.

Tags (1)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
2 weeks ago

Hi @AShwin1119 

What mechanism are you using for your syslog ingestion? Are you using Splunk tcp/udp input, Splunk Connect for Syslog (SC4S) or something else (eg rsyslog/syslogng)?

The docs (https://www.cisco.com/c/en/us/td/docs/security/cisco-secure-cloud-app/user-guide/cisco-security-clou...) for the Cisco Security Cloud app show that in a distributed environment you need to install the app on your Splunk Cloud SH. 

The docs discuss how to configure the inputs for specific products so please check the link above for more info on how to ingest your specific logs.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

Reply

shashankD
Explorer
2 weeks ago

Configure SC4S in your environment, and manually you can manually configure the parser for the cisco related logs from the Splunk SC4S github, you just need to copy paste the parser and the logs will start parsing.

SC4S github - Splunk Connect for Syslog

Master srcrpit to configure sc4s - raw.githubusercontent.com/J-C-B/community-splunk-scripts/master/SC4S-Splunk-Connect-for-Syslog-cento...

Do modify the related details.

 

Reply

richgalloway
SplunkTrust
SplunkTrust
2 weeks ago

Which TA(s) are you using?  Splunk is unlikely to parse the logs out-of-the-box so you'll need a TA from Splunkbase or one of your own.  The "Cisco Security Cloud" app (https://splunkbase.splunk.com/app/7404) looks promising.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ashwinisingh
New Member
2 weeks ago

We are using Splunk cloud, we have already install this app on our HF but it is not working, Please confirm if this app can be installed at SH and indexer lever. 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...