Splunk Enterprise Security

Cisco ASA Add-On for Splunk ES

Volto
Path Finder

Hi,

I'm trying to get Cisco ASA firewall logs into the Enterprise Security app. Is there an add-on for that, Splunk for Cisco ASA, or is it only supported in Cisco Security Suite?

Thanks,

Volto

sbrant_splunk
Splunk Employee

A new add-on has just been released. The Splunk Add-on for Cisco ASA supports the Common Information Model and therefore works with Enterprise Security.

http://apps.splunk.com/app/1620/


Gilberto_Castil
Splunk Employee

Splunk for Cisco Firewalls (http://apps.splunk.com/app/527) is compatible with Splunk for Enterprise Security.


In the past we had to associate the TA with the ES App, so the following may be relevant to this TA. If adding the TA vanilla does not render the events, keep in mind that there is a model by which a certain TSIDX is populated by specific apps, based on the TA model. To ensure this TA works with ES you will have to do the following:

  1. Provide the appropriate eventtype
  2. Associate a tag to the eventtype
  3. Share the TA’s content to the Network Protection Domain App.

Here is how to do that:

Provide the appropriate eventtype

Write the following stanza to the file $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/local/eventtypes.conf

[cisco_firewall_communicate]
search = sourcetype="cisco_firewall" action="*"
#tags = communicate

Associate a tag to the eventtype

Write the following stanza to the file $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/local/tags.conf

[eventtype=cisco_firewall_communicate]
communicate = enabled

Share the TA’s content to the Network Protection Domain App.

Add Splunk_CiscoFirewalls into $SPLUNK_HOME/etc/apps/SA-NetworkProtection/metadata/local.meta in SA-NetworkProtection, somewhere among other TAs:

[]
access = read : [ * ], write : [ admin ]
export = system
version = 5.0.3
modtime = 1364401044.633878000
import = DA-ESS-AccessProtection, DA-ESS-EndpointProtection, DA-ESS-IdentityManagement, DA-ESS-NetworkProtection, SA-AccessProtection, SA-AuditAndDataProtection, SA-CommonInformationModel, SA-EndpointProtection, SA-Eventgen, SA-IdentityManagement, SA-NetworkProtection, SA-ThreatIntelligence, SA-Utils, sideview_utils, Splunk_TA_nix, Splunk_TA_windows, SplunkEnterpriseSecuritySuite, TA-airdefense, TA-alcatel, TA-bluecoat, TA-cef, TA-checkpoint, TA-fireeye, TA-flowd, TA-fortinet, TA-ftp, TA-ip2location, TA-juniper, TA-mcafee, TA-ncircle, TA-nessus, TA-nmap, TA-oracle, TA-ossec, TA-paloalto, TA-rsa, TA-sav, TA-sep, TA-snort, TA-sophos, TA-splunk, TA-tippingpoint, TA-trendmicro, TA-websense, search, Splunk_CiscoFirewalls

--

After this there is a bit of housekeeping. We need to add a local override to SplunkEnterpriseSecuritySuite/default/inputs.conf. There is a modular input which automatically adds the import to all appropriate apps. Simply apply the local override and restart.

Here is the default configuration:

## Update the meta-data
[app_imports_update://update_es]
app_regex = (TA-.*)|(Splunk_TA_.*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)
apps_to_update = SA-AccessProtection,SA-CommonInformationModel,SA-AuditAndDataProtection,SA-EndpointProtection,SA-IdentityManagement,SA-NetworkProtection,SA-ThreatIntelligence,SA-Utils,SA-Eventgen
disabled = 1

Here would be the local override:

## SplunkEnterpriseSecuritySuite/local/inputs.conf
[app_imports_update://update_es]
app_regex = (TA-.*)|(Splunk_TA_.*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)|(Splunk_CiscoFirewalls)
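
The wiring above has two places where a TA can silently drop out of ES: the eventtype/tag pair that the CIM searches key on, and the import list that makes the SA see the TA's knowledge objects. The following script is an added example (not from the answer above or from Splunk) that parses those stanzas and reports whether a TA is covered; the sample stanzas are constructed to mirror the ones in the answer, and full-match semantics for app_regex is an assumption.

```python
import re

# Constructed sample stanzas mirroring the answer above (not taken from a real ES install).
EVENTTYPES_CONF = '[cisco_firewall_communicate]\nsearch = sourcetype="cisco_firewall" action="*"\n'
TAGS_CONF = "[eventtype=cisco_firewall_communicate]\ncommunicate = enabled\n"
LOCAL_META = "[]\nexport = system\nimport = SA-Utils, TA-snort, Splunk_CiscoFirewalls\n"
INPUTS_CONF = (
    "[app_imports_update://update_es]\n"
    "app_regex = (TA-.*)|(Splunk_TA_.*)|(SA-.*)|(Splunk_CiscoFirewalls)\n"
    "apps_to_update = SA-NetworkProtection,SA-Utils\n"
)

def parse_conf(text):
    """Minimal Splunk .conf parser: [stanza] headers, key = value lines, # comments.
    Unlike configparser it accepts the empty [] global stanza used in *.meta files."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def split_list(value):
    """Split a comma-separated Splunk list value, dropping blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]

def cim_mapping_ok(eventtypes, tags, eventtype="cisco_firewall_communicate", tag="communicate"):
    """True when the eventtype exists and carries the CIM tag that ES searches on."""
    tag_stanza = parse_conf(tags).get(f"eventtype={eventtype}", {})
    return eventtype in parse_conf(eventtypes) and tag_stanza.get(tag) == "enabled"

def es_imports_ta(local_meta, inputs_conf, ta, sa_app="SA-NetworkProtection"):
    """True when the TA reaches ES by either route in the answer: a manual entry in the
    SA's local.meta import list, or a match of the app_imports_update modular input's
    app_regex for an SA listed in apps_to_update (full-match semantics assumed here)."""
    if ta in split_list(parse_conf(local_meta).get("", {}).get("import", "")):
        return True
    stanza = parse_conf(inputs_conf).get("app_imports_update://update_es", {})
    if stanza.get("disabled", "0") == "1" or sa_app not in split_list(stanza.get("apps_to_update", "")):
        return False
    return re.fullmatch(stanza.get("app_regex", ""), ta) is not None
```

Point the functions at the real files under $SPLUNK_HOME/etc/apps to check a deployment; a False from es_imports_ta with disabled = 1 still in effect is the usual reason the events never reach the Network Protection dashboards.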

sowings
Splunk Employee

There are some base transforms within the Cisco Security Suite app that you can use to get information out of the ASA logs, but unfortunately, it's not "ready-made" for use with ES. You can bridge the gap with some FIELDALIAS commands in props.conf, coupled with the Splunk Common Information Model docs linked below. Splunk ES uses the Common Information Model to abstract away vendor-specific details about the log events to get at "generic firewall event", "generic malware detection", etc. I'm sorry it's not an easier answer at the moment.

http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/UnderstandandusetheCommonInformationMode...
