
Can the Cisco Firewall addon be restricted to only analyze data from a specific source or sourcetype?

I have reports from Nagios coming in which contain references that trigger the [cisco_pix] stanza in /opt/splunk/etc/apps/cisco_firewall_addon/default/transforms.conf. These are being incorrectly rewritten with the cisco_firewall sourcetype.

asked 09 Aug '10, 14:24


timbCFCA


One Answer:

Hi, if you look in the default/props.conf directory you will see:

    TRANSFORMS-asa=cisco_asa
    TRANSFORMS-pix=cisco_pix
    TRANSFORMS-ios=cisco_ios
    TRANSFORMS-fwsm=cisco_fwsm

Remove these lines, then set the data input for the actual Cisco Pix firewall to cisco_firewall. This will prevent other things from getting source-typed when it matches %PIX.


answered 10 Aug '10, 00:50


Will Hayes ♦
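As an added illustration (not code from the answer above or from the add-on), here is what the scoping looks like in the .conf files. It assumes the add-on attaches its TRANSFORMS to the generic [syslog] stanza and assumes a log path for the firewall input; both are placeholders for illustration.

```ini
# transforms.conf (shape of the add-on's rule, as described in the question;
# the regex is an assumed placeholder): any event matching %PIX- is retyped.
[cisco_pix]
REGEX = %PIX-
FORMAT = sourcetype::cisco_firewall
DEST_KEY = MetaData:Sourcetype

# props.conf, BEFORE (assumed): the rule hangs off the generic syslog
# sourcetype, so a Nagios alert that merely mentions %PIX is also retyped.
[syslog]
TRANSFORMS-pix = cisco_pix

# props.conf, AFTER, option 1: attach the rule only to the firewall's own
# source. Other syslog sources (Nagios) are never evaluated against it.
[source::/var/log/cisco/pix.log]
TRANSFORMS-pix = cisco_pix

# AFTER, option 2 (what the answer recommends): drop the TRANSFORMS-* lines
# from props.conf entirely and assign the sourcetype on the input itself in
# inputs.conf, so no regex-based rewrite runs on any other data.
[monitor:///var/log/cisco/pix.log]
sourcetype = cisco_firewall
```

With option 2, the [cisco_pix] stanza can stay in transforms.conf unused; only a props.conf TRANSFORMS-* reference makes it fire.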

Will, thanks. One other thing proved useful - I updated the TRANSFORMS-extract = cisco_firewall_hostoverride to TRANSFORMS = syslog-host. Hostname extraction was failing for some reason.

(17 Aug '10, 17:09) timbCFCA

Last updated: 10 Aug '10, 00:50

Copyright © 2005-2012 Splunk Inc. All rights reserved.