Splunk Search

SYS logging an ASA

bazcurtis
Explorer

Hi,

I have installed the Cisco Security suite and Cisco Firewall apps. I have setup UDP port 514 and told the ASA to send the logs to the Splunk server, but I see no data. What have I missed that I have no ASA data in Splunk?

Any help would be most welcome.

Best wishes

Michael

bazcurtis
Explorer

Hi,

Thanks for replying. I deleted the 514 udp port, restarted and then remade the 514 from within Splunk Cisco Firewalls.

I now have data coming into Splunk. What is the best level of logging to set on ASA. Is Information enough? I understand I could generate huge amounts of logs if I wanted to, but what level do most people think is a balance?

Best wishes

Michael

0 Karma

dwaddle
SplunkTrust
SplunkTrust

We run our ASA's in DEBUG logging because that is where the various connection opened / closed messages are logged. And, yes, it does generate substantial data. All of our firewalls (not all splunked at this time unfortunately) generate nearly 10GB/day of logs.

0 Karma

dwaddle
SplunkTrust
SplunkTrust

You could be having firewall issues, if your host running Splunk is also running a firewall (iptables / Windows Defender / etc). You need to make sure UDP:514 is open on your Splunk indexer from a firewall perspective. Also check the output of netstat to make sure that Splunk is listening on port 514. (You did restart Splunk didn't you?)

If this doesn't work out, please update your question with output of show logging on the ASA, as well as your Splunk inputs.conf file and someone will be able to further assist. The easiest way of getting the inputs.conf would be to do a splunk cmd btool --debug inputs list.

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...