Hi,
I’m running Splunk 6.2 Enterprise on Windows Server 2012 R2 and am sending syslogs from two Cisco ASA firewalls over the default TCP port 1470. Because I don’t want to use a different port for each device that sends syslogs to Splunk, I have configured the following in order to assign the correct sourcetype and index:
Props.conf
[host::192.168.5.2]
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa
[host::192.168.6.2]
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa
Transforms.conf
[set_index_firewall_cisco_asa]
DEST_KEY = _MetaData:Index
FORMAT = firewall_cisco
REGEX = .
[set_sourcetype_firewall_cisco_asa]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:asa
REGEX = .
The firewall logs are searchable from within Splunk using an index="firewall_cisco" search, but here’s the problem:
I have installed the ‘Cisco Security Suite’ app and the ‘Splunk Add-on for Cisco ASA’, but nothing is showing up on the Cisco Security Suite Overview dashboard - and I'd like it to.
Could someone confirm that a.) my config makes sense and b.) give me a clue as to why the Cisco dashboard isn’t picking up on the collected logs?
Thanks,
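As an added check (not part of the original post, and not Splunk's own code), the script below parses the two stanza files from the question with Python's configparser, resolves each TRANSFORMS-* reference the way Splunk applies them at index time (in listed order, REGEX tested against the raw event), and reports the index and sourcetype an event from a given host would receive along with any stanza mistakes it finds. The sample ASA line used in the test is constructed.

```python
# Constructed example, not the poster's or Splunk's code (see lead-in).
import configparser
import re

PROPS = """
[host::192.168.5.2]
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa
[host::192.168.6.2]
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa
"""
TRANSFORMS = """
[set_index_firewall_cisco_asa]
DEST_KEY = _MetaData:Index
FORMAT = firewall_cisco
REGEX = .
[set_sourcetype_firewall_cisco_asa]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:asa
REGEX = .
"""

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep DEST_KEY / FORMAT / REGEX case as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def route(props, transforms, host, raw):
    """Return (index, sourcetype, problems) for one raw event from `host`."""
    index, sourcetype, problems = None, None, []
    stanza = props.get("host::" + host)
    if stanza is None:
        return index, sourcetype, ["no [host::%s] stanza; defaults apply" % host]
    for key, val in stanza.items():
        if key.startswith("TRANSFORMS-"):
            for name in (n.strip() for n in val.split(",")):  # listed order
                t = transforms.get(name)
                if t is None:
                    problems.append("%s references missing transform %s" % (key, name))
                elif not re.search(t.get("REGEX", ""), raw):
                    problems.append("%s: REGEX did not match, transform skipped" % name)
                elif t.get("DEST_KEY") == "_MetaData:Index":
                    index = t.get("FORMAT", "")
                elif t.get("DEST_KEY") == "MetaData:Sourcetype":
                    fmt = t.get("FORMAT", "")
                    if not fmt.startswith("sourcetype::"):
                        problems.append("%s: FORMAT needs 'sourcetype::' prefix" % name)
                    sourcetype = fmt.split("sourcetype::", 1)[-1]
    return index, sourcetype, problems
```

If the result for your two hosts is not ("firewall_cisco", "cisco:asa", []), the add-on's sourcetype-bound extractions never see the events; if it is, the remaining place to look is which index and sourcetype the Cisco Security Suite searches expect.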