Hi all,
-------- Splunk version: 6.1.4, build 233537 --------
-------- Cisco Security Suite app version: 3.0.3, build 100784 --------
-------- Splunk Add-on for Cisco ASA version: 3.1.0 --------
New to Splunk and struggling to get the Cisco Security Suite to log/show events for our ASA kit. Basically, I inherited a "test/live" system without documentation and with a VM that had not been working for quite some time.
Recently the Splunk system was migrated from a Windows 2008 R2 VM to a physical Windows 2008 R2 machine, and the IP address was kept the same.
If I go to Data Summary, I can see data logged up until the point when, I believe, the VM filled up and stopped working.
I have seen a couple of threads where it seems the problem was resolved by editing the props.conf file.
I would appreciate it if someone could provide some assistance on where to start troubleshooting this issue.
These are the first 15 lines of props.conf at $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local (note that none of the entries are commented out in the file):
# sourcetype identification
[source::tcp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
[source::udp:514]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
########## ASA
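As an added illustration that is not part of the post and not the Add-on's own code: the three TRANSFORMS- stanzas above only tell Splunk which transforms to run, in which order, when an event arrives on tcp:514, udp:514, or with the syslog sourcetype. The script below emulates that chain over a few constructed syslog lines so you can see which events would be re-typed and which would be left as plain syslog. The regexes and FORMAT values in TRANSFORMS are assumptions approximating what the Add-on's default/transforms.conf defines (the post does not quote that file), and the stanza-precedence rule in select_chain is the documented Splunk behaviour (source wins over sourcetype when both set the same attribute).

```python
import re
from collections import Counter

# Assumed approximation of the three transforms referenced by the props.conf
# chain in the question; the real definitions live in the Add-on's
# default/transforms.conf and may differ. Each entry: (REGEX, FORMAT).
TRANSFORMS = {
    "force_sourcetype_for_cisco_asa":  (re.compile(r"%ASA-\d-\d{6}:"),  "cisco:asa"),
    "force_sourcetype_for_cisco_pix":  (re.compile(r"%PIX-\d-\d{6}:"),  "cisco:pix"),
    "force_sourcetype_for_cisco_fwsm": (re.compile(r"%FWSM-\d-\d{6}:"), "cisco:fwsm"),
}

# The props.conf stanzas exactly as quoted in the question (attribute value only).
CHAIN = "force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm"
PROPS = {
    "source::tcp:514": CHAIN,
    "source::udp:514": CHAIN,
    "syslog":          CHAIN,
}


def select_chain(source, sourcetype):
    """Return the ordered list of transform names Splunk would run for an event.

    Splunk's documented precedence when several matching stanzas set the same
    attribute is source:: over host:: over sourcetype, so a source:: stanza is
    tried first. Returns [] when no quoted stanza applies to the event."""
    for key in ("source::" + source, sourcetype):
        if key in PROPS:
            return [t.strip() for t in PROPS[key].split(",") if t.strip()]
    return []


def force_sourcetype(event, chain, initial="syslog"):
    """Run the chain over one raw event.

    Every transform whose REGEX matches rewrites MetaData:Sourcetype, so a
    later match overwrites an earlier one. The three Cisco patterns are
    mutually exclusive, so here the order in props.conf does not matter."""
    sourcetype = initial
    for name in chain:
        regex, fmt = TRANSFORMS[name]
        if regex.search(event):
            sourcetype = fmt
    return sourcetype


def classify(events, source="udp:514", sourcetype="syslog"):
    """Classify a batch of events arriving on one input; returns (sourcetype, event) pairs."""
    chain = select_chain(source, sourcetype)
    return [(force_sourcetype(e, chain, sourcetype), e) for e in events]


def summarize(events, **kw):
    """Count events per resulting sourcetype, the same view as
    '| stats count by sourcetype' over the input in Splunk."""
    return Counter(st for st, _ in classify(events, **kw))


# Constructed sample events (not real captures): one ASA, one PIX, one FWSM
# line and one Linux sshd line sharing the same UDP 514 input. Only the three
# Cisco lines should be re-typed; the sshd line must stay "syslog".
SAMPLES = [
    "<166>Oct 14 09:12:01 asa01 %ASA-6-302013: Built outbound TCP connection 1812 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.1.10/51234 (198.51.100.2/51234)",
    "<166>Oct 14 09:12:02 pix01 %PIX-6-302013: Built inbound TCP connection 44 "
    "for outside:203.0.113.9/4000 (203.0.113.9/4000) to dmz:10.0.0.5/22 (198.51.100.7/22)",
    "<164>Oct 14 09:12:03 fwsm01 %FWSM-4-106023: Deny tcp src outside:203.0.113.20/5555 "
    "dst inside:192.168.1.3/445 by access-group \"outside_in\"",
    "<38>Oct 14 09:12:04 srv01 sshd[2104]: Accepted publickey for admin from 192.168.1.50 port 50122 ssh2",
]

if __name__ == "__main__":
    for st, ev in classify(SAMPLES):
        print(f"{st:12} {ev[:70]}")
    print(summarize(SAMPLES))
```

Two practical caveats follow from the emulation. First, sourcetype forcing happens at parsing time, so editing props.conf only affects events indexed after a restart; nothing already on disk is re-typed, and in Splunk the equivalent check is `index=* source=udp:514 | stats count by sourcetype` over a recent window. Second, if that search returns nothing at all after the migration, the input itself (the 514 listener, the Windows firewall, or the ASA's logging host) is the problem, and no props.conf edit will help; `splunk btool props list --debug` shows which file each stanza is actually being read from, which is the quickest way to confirm the local overrides are loaded.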