Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

SYS logging an ASA

bazcurtis
Explorer
‎07-12-2011 11:28 AM

Hi,

I have installed the Cisco Security suite and Cisco Firewall apps. I have setup UDP port 514 and told the ASA to send the logs to the Splunk server, but I see no data. What have I missed that I have no ASA data in Splunk?

Any help would be most welcome.

Best wishes

Michael

Reply

bazcurtis
Explorer
‎07-18-2011 10:02 AM

Hi,

Thanks for replying. I deleted the 514 udp port, restarted and then remade the 514 from within Splunk Cisco Firewalls.

I now have data coming into Splunk. What is the best level of logging to set on ASA. Is Information enough? I understand I could generate huge amounts of logs if I wanted to, but what level do most people think is a balance?

Best wishes

Michael

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎07-18-2011 01:20 PM

We run our ASA's in DEBUG logging because that is where the various connection opened / closed messages are logged. And, yes, it does generate substantial data. All of our firewalls (not all splunked at this time unfortunately) generate nearly 10GB/day of logs.

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎07-12-2011 01:06 PM

You could be having firewall issues, if your host running Splunk is also running a firewall (iptables / Windows Defender / etc). You need to make sure UDP:514 is open on your Splunk indexer from a firewall perspective. Also check the output of netstat to make sure that Splunk is listening on port 514. (You did restart Splunk didn't you?)

If this doesn't work out, please update your question with output of show logging on the ASA, as well as your Splunk inputs.conf file and someone will be able to further assist. The easiest way of getting the inputs.conf would be to do a splunk cmd btool --debug inputs list.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...