That ww9rivers was my old account here -- I lost that and do not know how to get it back. The short answer is no, Splunk does not support this add-on. Cisco has published multiple new versions after I initially posted my question here. However, the latest version (3.6.3) still gets this wrong. Below is my fix (tested in production):

$ git diff v3.6.3
diff --git a/default/transforms.conf b/default/transforms.conf
index f1f89d8..93334a2 100644
--- a/default/transforms.conf
+++ b/default/transforms.conf
@@ -192,7 +192,7 @@ REGEX = "user_agent":\s*"([^"]+)"
FORMAT = syslog_user_agent::$1
[cisco_asa_log_level_message_id]
-REGEX = %(?:ASA|FTD|FMC)(?:-[A-Za-z]+)?-(?P<log_level>\d+)-(?P<message_id>\d+)
+REGEX = %(?:ASA|FTD|FMC)-(?:.*?-)?(?P<log_level>\d)-(?P<message_id>\d+)

Edit: Had to fix the REGEX again to cover more different formats found.
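Review bot: the optional filler `(?:.*?-)?` on the `+REGEX` line is unbounded and is attempted before the engine tries skipping it, so on an event whose message body later contains a `-<digit>-<digits>` sequence (an object or interface name such as `acl-1-10`, a date written as `2024-1-15`) the lazy `.*?` can be stretched past the real `-6-302013` header and the later pair gets captured as log_level and message_id; the direct form only wins when no such sequence exists anywhere in the line. Bounding the filler to the header token removes that possibility while still covering the extra tag formats the change is meant for, e.g. `(?:\S*?-)?` (cannot cross the space after the colon), or alternatively make the group itself lazy, `(?:.*?-)??`, so the plain `%ASA-6-302013` shape is tried first. The narrowing of log_level from `\d+` to `\d` is fine, since the severity in these headers is a single digit 0-7; consider a comment in transforms.conf stating which header variants the wildcard is there to absorb, since the hunk gives no hint and the next maintainer will be tempted to tighten it back.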