Cisco Security Suite/Splunk for Cisco Firewalls - input from log file

splunked38
Communicator

All,

Trying to set up CSC for firewalls but using a local log file as opposed to syslog (it's a proof of concept and we don't want to change FW configs, etc just yet)

What is done so far:

  • Installed CSC and Splunk for Cisco firewalls
  • Created an inputs.conf in the Cisco FW app directory, i.e. splunk_ciscofirewalls\local:

    [monitor://C:\Firewall\*cisco]

    disabled=false

  • restarted splunk

Splunk grabs the file without issue but the sourcetypes do not appear (not applying the transforms).

Note: we deliberately omitted the sourcetype as we want the app to assign the events to the respective source type as per: http://wiki.splunk.com/Set_up_Splunk_for_Cisco_Firewalls

'Do not specify a source type. The Splunk for Cisco Firewalls add-on automatically assigns source types for your Cisco ASA, FWSM, and PIX firewall events as cisco_asa, cisco_fwsm, and cisco_pix, accordingly.'

Questions:

  • Is this possible to do without setting up syslog (I would imagine the answer is yes)?
  • Has anyone set this up successfully?
  • Is there a step missing?
0 Karma

emotz
Splunk Employee

Yes, it is possible. Look inside the props/transforms to understand what sourcetype the CSS app is expecting and set that in your inputs.conf file after
disabled = false
sourcetype = cisco:asa

Not positive that is the right sourcetype - but it is probably close.

0 Karma
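To make the "look inside the props/transforms" advice concrete, here is an added example (not the add-on's own code, and not from the original thread) that models how index-time sourcetype routing in props.conf/transforms.conf behaves. It assumes a hypothetical props stanza keyed on the incoming sourcetype "syslog" and regexes on Cisco's %ASA-/%FWSM-/%PIX- message prefixes; the add-on's real stanzas and regexes may differ, so check them in the app's default directory.

```python
import re

# Constructed sample events in Cisco ASA / FWSM / PIX syslog format (not from the page).
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 fw01 %ASA-6-302013: Built inbound TCP connection 12345 "
    "for outside:203.0.113.5/44321 (203.0.113.5/44321) to inside:10.0.0.7/443 (10.0.0.7/443)",
    "Jan 10 12:00:02 fw02 %FWSM-4-106023: Deny tcp src outside:198.51.100.9/5555 "
    "dst inside:10.0.0.8/22 by access-group \"outside_in\"",
    "Jan 10 12:00:03 fw03 %PIX-4-106023: Deny udp src outside:198.51.100.10/53 "
    "dst inside:10.0.0.9/53 by access-group \"outside_in\"",
    "Jan 10 12:00:04 host01 sshd[1234]: Accepted publickey for admin from 10.0.0.2",
]

# Hypothetical model of the add-on's transforms.conf: each REGEX rewrites the
# sourcetype (FORMAT sourcetype::X, DEST_KEY MetaData:Sourcetype) when it matches.
# The %ASA-/%FWSM-/%PIX- prefixes are Cisco's documented message-ID format; the
# add-on's actual regexes are an assumption here.
SOURCETYPE_TRANSFORMS = [
    (re.compile(r"%ASA-\d-\d{6}:"), "cisco_asa"),
    (re.compile(r"%FWSM-\d-\d{6}:"), "cisco_fwsm"),
    (re.compile(r"%PIX-\d-\d{6}:"), "cisco_pix"),
]

# Hypothetical props.conf: the TRANSFORMS-* stanza is keyed on the sourcetype the
# input assigns. A UDP syslog input gets "syslog" by default; a file monitor with
# no sourcetype set gets an auto-learned name instead, so nothing below fires.
TRANSFORMS_APPLY_TO = {"syslog"}


def assign_sourcetype(event, input_sourcetype):
    """Return the sourcetype an event ends up with after index-time processing."""
    if input_sourcetype not in TRANSFORMS_APPLY_TO:
        return input_sourcetype  # transforms never run: the symptom in the question
    for pattern, sourcetype in SOURCETYPE_TRANSFORMS:
        if pattern.search(event):
            return sourcetype
    return input_sourcetype  # not a firewall line; keep the input's sourcetype


def route_file(events, input_sourcetype):
    """Sourcetype each event of a monitored file would receive."""
    return [assign_sourcetype(e, input_sourcetype) for e in events]


if __name__ == "__main__":
    for st in ("cisco", "syslog"):
        print(st, route_file(SAMPLE_EVENTS, st))
```

Running it shows the same file routed to cisco_asa/cisco_fwsm/cisco_pix only when the input sourcetype matches the stanza the transforms hang off, which is the first thing to verify against the real props.conf before re-indexing.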

splunked38
Communicator

Thanks Emotz, we did that and it appears that it's processing some of the entries, I'll need to verify again tomorrow.

Note, we don't want to assign a sourcetype and would like to get the app to assign (see new note above in original call)

0 Karma

emotz
Splunk Employee

You would also need to reset your fishbucket, if possible without messing everything else up, to re-index the same file. Or you could use oneshot? Or you need to add another file to that directory.

If you have to index that exact file, you can also set crcSalt = in your inputs.conf file and change the name of the file to reindex it.

0 Karma