Hey Jim,
I am guessing that you haven't pointed your incoming logs to go to the 'firewall' index. Either that, or your forcing of the sourcetype is being done incorrectly.
Can you please show me your inputs.conf, props.conf and transforms.conf?
If you are just receiving ASA syslog on port udp/514 and firewall data ONLY, you could easily do it like this:
[udp://514]
index=firewall
sourcetype=cisco_asa
If you have other data coming in on port 514, you need to force the sourcetype based on a regex on a special word, for example the %ASA-* keyword. You need to do this in props/transforms. You can find examples of how to do this in the docs and here on Answers.
Thanks for downloading the app 🙂
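As an added illustration of the props/transforms approach described in the answer above (this is not the answerer's own config), the following stanzas route only the events that carry an ASA message ID to the firewall index and the cisco_asa sourcetype, leaving other syslog on port 514 untouched. It assumes the input source key is udp:514 (the default for a [udp://514] input) and that these files live on the indexer or heavy forwarder, since index-time TRANSFORMS are applied during parsing, not on a universal forwarder.

```ini
# props.conf
# Apply both transforms, in order, to every event arriving on the udp:514 input.
# Events that do not match the regex keep whatever index/sourcetype the input set.
[source::udp:514]
TRANSFORMS-asa_route = set_asa_sourcetype, set_asa_index

# transforms.conf
# Match the ASA message ID, e.g. "%ASA-6-302013:" (severity digit, six-digit ID).
[set_asa_sourcetype]
REGEX = %ASA-\d-\d{6}
FORMAT = sourcetype::cisco_asa
DEST_KEY = MetaData:Sourcetype

# Same match, but rewrite the destination index. The index must already exist
# on the indexer (indexes.conf), otherwise the events are dropped or land in lastchanceindex.
[set_asa_index]
REGEX = %ASA-\d-\d{6}
FORMAT = firewall
DEST_KEY = _MetaData:Index
```

After restarting Splunk, a quick check is `index=firewall sourcetype=cisco_asa | head 5` alongside `source="udp:514" NOT index=firewall` to confirm that non-ASA traffic on the same port was not rerouted.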