Can anybody tell me how my ASA should be configured in order to receive data into Splunk? What I mean is... my Splunk configuration seems to be OK, nevertheless I see no indexed data, therefore I think there must be something wrong in my ASA. I've told it to send syslogs to my Splunk server, and since I see info by wikisyslog I assume the data is getting there, but I can't get it into the index.
Thanks a lot in advance !!
Hope it's not too late to chime in here. It's mostly in the ASA logging configuration.
Enable Logging, set a logging host, and set your list.
Example configuration here:
logging enable
logging timestamp
logging host [interface] [forwarder address or indexer]   (example: logging host inside 10.0.0.5)
logging list cisco message 111009
logging list cisco message 111008
logging list cisco message 304009
logging trap cisco   (cisco is the logging list name)
And that is pretty much it. Make sure you've got an input for UDP 514 traffic and you should be seeing data, provided the Splunk side of things is in shape.
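A receiver-side check that goes with the answer above, added here as an example and not part of the original post or of any Splunk or Cisco product code. It parses the %ASA-severity-msgid header of ASA syslog lines and sorts them by whether the answer's "logging list cisco" (message IDs 111008, 111009 and 304009) would let the ASA send them at all; a list that narrow is one reason an index can stay empty while the device is clearly reachable. The sample lines and the local4 syslog priorities in them are constructed, and the `parse_asa`, `triage` and `CISCO_LIST` names are this example's own.

```python
import re

# Header of an ASA syslog message as it arrives over UDP:
#   <PRI>Mon DD YYYY HH:MM:SS: %ASA-<severity>-<message id>: <text>
# The PRI and the "logging timestamp" prefix are both optional.
ASA_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} (?:\d{4} )?\d{2}:\d{2}:\d{2}): )?"
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): ?(?P<text>.*)$"
)

# Message IDs enabled by the answer's example "logging list cisco" entries.
# Anything not in this set is never sent when "logging trap cisco" is active.
CISCO_LIST = {"111008", "111009", "304009"}

# Constructed sample traffic: three ASA messages and one non-ASA line.
SAMPLE_LINES = [
    "<165>Jan 10 2024 12:00:01: %ASA-5-111008: User 'admin' executed the 'logging enable' command.",
    "<166>Jan 10 2024 12:00:02: %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.10/51000 (192.0.2.10/51000)",
    "<163>Jan 10 2024 12:00:03: %ASA-3-304009: Ran out of buffer blocks specified by url-block command",
    "this is not an ASA message at all",
]


def parse_asa(line):
    """Return a dict with severity, msgid, timestamp and text, or None if the line is not ASA format."""
    m = ASA_RE.match(line.strip())
    if not m:
        return None
    return {
        "severity": int(m["sev"]),
        "msgid": m["msgid"],
        "timestamp": m["ts"],
        "text": m["text"],
    }


def triage(lines, allowed=CISCO_LIST):
    """Split lines into what the logging list forwards, what it filters out, and what did not parse."""
    forwarded, filtered, unparsed = [], [], []
    for line in lines:
        rec = parse_asa(line)
        if rec is None:
            unparsed.append(line)
        elif rec["msgid"] in allowed:
            forwarded.append(rec)
        else:
            filtered.append(rec)
    return forwarded, filtered, unparsed


if __name__ == "__main__":
    fwd, drop, bad = triage(SAMPLE_LINES)
    print(f"forwarded by list: {[r['msgid'] for r in fwd]}")
    print(f"filtered by list:  {[r['msgid'] for r in drop]}")
    print(f"unparsed lines:    {len(bad)}")
```

Run it against a few lines captured from the syslog collector (or from a tcpdump of port 514) to confirm they parse and that the message IDs you expect are actually in the list; if nothing you care about survives `triage`, widen the logging list or use `logging trap informational` for a test. On the Splunk side, "an input for UDP 514" means an inputs.conf stanza headed `[udp://514]` with a sourcetype such as `cisco:asa`, which the Splunk Add-on for Cisco ASA expects.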