Forums: Splunk Applications: Cisco Security (specifically ASA)


Hello,

I'm pretty new with this software, and I'm in the process of evaluating it as well.
So, our first need is PIX and ASA logs.

So, I'm using Windows, and I already installed Splunk and the apps as well, mainly the Cisco Security app (with ASA and Ironport together).

Well, there is not much information about how to configure Splunk for this particular app.

What I did:
- the PIX/ASA are enabled with the log configuration (this is already working because I was using it with other log analyzers, UDP 514)
- enabled the port in Splunk - UDP and TCP 514

but nothing appears on the screen...

What am I missing here??
Any help will be greatly appreciated.

Thanks!!

Jose

[Revised on Tue, 16 Mar 2010 14:14:03 -0700]

BTW, I forgot, I did this too (as the "Getting Started" says in the apps menu):

in $SPLUNK_HOME/etc/system/local/props.conf add:

[source::udp:514]
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
TRANSFORMS-cisco=cisco_asa

in $SPLUNK_HOME/etc/system/local/transforms.conf add:

[cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = (%ASA)
FORMAT = sourcetype::cisco_asa

Just that in my case (Windows) I did it in:

c:\program files\Splunk\etc\system\default (for both)

THANKS!

Well, you really should have made the config changes in "local", not default, but it should still work (it will bite you when you upgrade to a new version).

The problem isn't the Cisco app or config. That's only needed for certain types of reporting. To just capture logs and see and search on them, all you *should* need is for port 514 in Splunk to be open and listening, which it sounds like you did, and the firewalls need to be sending to the address of the Splunk server. That's all it should take to just see something in the Splunk main "all data dashboard". Do you have a firewall or anything running? Do you have some other program still holding on to one of those ports?

Thanks for your reply!

Well, now I followed your suggestion: I made the changes in "local" and not in default (BTW, in "local" I had to create the files props.conf and transforms.conf, and then add these lines). So, now this is how it looks:

PROPS.conf

[source::udp:514]
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
TRANSFORMS-cisco=cisco_asa

[source::udp:514]
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
TRANSFORMS-cisco=cisco_pix

(I just created another one called "cisco_pix" just in case)

TRANSFORMS.conf

[cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = (%ASA)
FORMAT = sourcetype::cisco_asa

[cisco_pix]
DEST_KEY = MetaData:Sourcetype
REGEX = (%PIX)
FORMAT = sourcetype::cisco_pix

and there is no other software using that port (I stopped the services for them)... any ideas?

Right now, I'm testing with PIX devices with different IOS versions, 6.3/7/8.0, and then I'm going to test using ASA...

Now, this app should work with PIX and ASA, shouldn't it? Or maybe I'm trying to do something that won't work with PIXs??

Thanks!

Jose
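As an added illustration (not from the thread and not Splunk's own code), this Python script simulates how the props.conf/transforms.conf pair posted above assigns a sourcetype to events arriving on udp:514, and what happens when the [source::udp:514] stanza is repeated. It assumes, as Splunk does when merging stanzas, that the last value of a repeated key wins, and that a single stanza listing both transforms comma-separated is the intended form; the sample events are constructed.

```python
import configparser
import re

# Constructed copy of the posted props.conf: the stanza appears twice.
PROPS_CONF = """
[source::udp:514]
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
TRANSFORMS-cisco = cisco_asa

[source::udp:514]
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
TRANSFORMS-cisco = cisco_pix
"""

# Assumed intended form: one stanza, both transforms listed (comma-separated).
FIXED_PROPS_CONF = """
[source::udp:514]
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = False
TRANSFORMS-cisco = cisco_asa, cisco_pix
"""

TRANSFORMS_CONF = """
[cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = (%ASA)
FORMAT = sourcetype::cisco_asa

[cisco_pix]
DEST_KEY = MetaData:Sourcetype
REGEX = (%PIX)
FORMAT = sourcetype::cisco_pix
"""

# Constructed sample syslog events as a PIX/ASA would send them to udp:514.
EVENTS = [
    "Mar 16 2010 14:14:03 fw1 %ASA-6-302013: Built outbound TCP connection 1 for outside:10.0.0.5/80",
    "Mar 16 2010 14:14:04 fw2 %PIX-4-106023: Deny tcp src outside:10.0.0.9/1234 dst inside:10.1.1.2/22",
]

def load_conf(text):
    # strict=False accepts a repeated stanza; like Splunk's merge (assumed here),
    # the last value seen for a repeated key wins. No % interpolation: REGEX has %ASA.
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. TRANSFORMS-cisco
    cp.read_string(text)
    return cp

def route(props, transforms, source, event):
    """Apply the source's TRANSFORMS-cisco list in order; last matching one sets the sourcetype."""
    sourcetype = "syslog"  # default when no transform matches
    for name in (n.strip() for n in props[source]["TRANSFORMS-cisco"].split(",")):
        t = transforms[name]
        if t["DEST_KEY"] == "MetaData:Sourcetype" and re.search(t["REGEX"], event):
            sourcetype = t["FORMAT"].split("::", 1)[1]
    return sourcetype
```

With the posted config only the second stanza's transform survives, so %ASA events fall back to the default sourcetype; the merged stanza routes both.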

Closing this case!
I'm going to try with Linux... CentOS...

Thanks!

Jose

I have just installed this app on my Splunk server but I am not seeing anything in the app. I do see my ASA is reporting to Splunk in the general search app but not in the Cisco Security App. Any ideas?

I am also having issues getting our Cisco IPS to report to Splunk.

Please help

Hi, for the Cisco IPS please see the latest Cisco IPS add-on on Splunkbase.

http://www.splunkbase.com/apps/All/4.x/Add-On/app:Cisco+IPS+SDEE+Data+Collector