Can the Cisco Firewall addon be restricted to only analyze data from a specific source or sourcetype?
I have reports from Nagios coming in which contain references that trigger the [cisco_pix] stanza in /opt/splunk/etc/apps/cisco_firewall_addon/default/transforms.conf. These are being incorrectly rewritten with the cisco_firewall sourcetype.
asked 09 Aug '10, 14:24
Hi, If you look in the default/props.conf directory you will see:
TRANSFORMS-asa=cisco_asa TRANSFORMS-pix=cisco_pix TRANSFORMS-ios=cisco_ios TRANSFORMS-fwsm=cisco_fwsm
Remove these lines, then set the data input for the actual Cisco Pix firewall to cisco_firewall. This will prevent other things from getting source-typed when it matches %PIX.
answered 10 Aug '10, 00:50
Will Hayes ♦