The trick with any application and field extraction is that you have to match the sourcetype (set when the data reaches the indexer, and pretty much immutable after that) to whatever they're expecting. Splunk uses the sourcetype of data as one of the primary means of identifying what rules and regexes to use for field extraction. IIRC, this application wants the sourcetype (to find fields such as src / dest IPs) to be cisco_asa.
At present, it sounds like you're logging directly from the device to a syslog stream over UDP to the Splunk indexer or forwarder. What you'll want to do is ensure that you remap the sourcetypes before it goes to the indexer. This is done with a combination of props.conf and transforms.conf. The Splunk for Cisco Firewalls app will attempt to remap any(!) data coming in to the cisco_asa sourcetype with this bit of config:
[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d+-\d+
FORMAT = sourcetype::cisco_asa
If your log events don't have a string like "%ASA-0-1" or similar in them, this transform won't be applied to change the sourcetype of the data to cisco_asa.
If you don't have any data coming in where the sourcetype is cisco_asa (hint: search for sourcetype=cisco_asa), then you'll want to track down why these rules aren't being applied. You've said that your sourcetype is currently set to syslog, and that's coming from your inputs.conf. If there are only Cisco ASA hosts logging to your collector via syslog port 514, you can force the sourcetype by changing your inputs.conf.
Otherwise, you'll want to make sure that the app's rules for remapping the type are being applied. Ask Splunk what the complete set of rules for the "syslog" sourcetype is:
/path/to/splunk/bin/splunk cmd btool props list syslog
You should see an entry like this (from Splunk for Cisco Firewalls):
TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_wap, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall
Beyond that, we're talking about triaging some stuff specific to your environment, but hopefully this will give you a leg up on figuring out what's going on.
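As an added example (not part of the original answer, and not the app's own code): a Python check that applies the REGEX from the quoted transforms.conf stanza to sample events and predicts which would be remapped to cisco_asa and which would stay syslog. The sample events and function names are constructed for illustration, and Python's re module stands in for Splunk's regex engine, which is an assumption that holds for this simple pattern.

```python
import configparser
import re

# transforms.conf stanza exactly as quoted in the post above.
TRANSFORMS_CONF = r"""
[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d+-\d+
FORMAT = sourcetype::cisco_asa
"""

# Constructed sample events (not real logs; documentation IP ranges).
SAMPLE_EVENTS = [
    "<166>Jan 10 12:00:01 fw01 %ASA-6-302013: Built outbound TCP connection "
    "1001 for outside:203.0.113.5/443 to inside:192.0.2.10/51515",
    "<164>Jan 10 12:00:02 fw01 %ASA-4-106023: Deny tcp src "
    "outside:198.51.100.7/4444 dst inside:192.0.2.10/22",
    # Same device, but the message tag is missing from the event text.
    "<166>Jan 10 12:00:03 fw01 Built outbound TCP connection 1002",
    # Unrelated host sharing the same syslog input.
    "<86>Jan 10 12:00:04 host01 sshd[411]: Accepted publickey for admin",
]


def load_transform(conf_text, stanza):
    """Return (compiled REGEX, target sourcetype) for a sourcetype-rewrite stanza."""
    # interpolation=None: '%' in the REGEX must not be treated as a placeholder.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(conf_text)
    section = parser[stanza]
    if section["DEST_KEY"] != "MetaData:Sourcetype":
        raise ValueError(f"{stanza} does not rewrite the sourcetype")
    key, _, value = section["FORMAT"].partition("::")
    if key != "sourcetype" or not value:
        raise ValueError(f"unexpected FORMAT in {stanza}")
    return re.compile(section["REGEX"]), value


def resulting_sourcetypes(events, conf_text=TRANSFORMS_CONF,
                          stanza="force_sourcetype_for_cisco_asa",
                          input_sourcetype="syslog"):
    """Predict each event's sourcetype after the transform is applied."""
    regex, target = load_transform(conf_text, stanza)
    # The REGEX is an unanchored search over the raw event text.
    return [target if regex.search(e) else input_sourcetype for e in events]


if __name__ == "__main__":
    for st, ev in zip(resulting_sourcetypes(SAMPLE_EVENTS), SAMPLE_EVENTS):
        print(f"{st:10} {ev[:70]}")
```

Running it against a few lines captured from your own syslog feed shows quickly whether the events carry the %ASA tag the transform depends on.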