Configure this server to receive all the syslog and write it out to local disk. Here's the Cisco ASA logs I have coming in, broken down by eventtype=ciscovpnstart and ciscovpnend. The Splunk for Cisco Firewalls add-on allows you to consume, analyze, and report on Cisco firewall data for Cisco ASA, PIX and FWSM firewalls.

The better way to do this, however, is to run a syslog server separate from Splunk (e.g. Logging class svc: Logs events related to AnyConnect connections. Logging class DAP: Logs the events related to the Dynamic Access Policy for the VPN client. Logging class csd: Logs the events related to the Cisco Secure Desktop and Hostscan. You will have to deploy these files to your indexers (or heavy forwarder) and it will NOT change anything that is already in Splunk. If it's only cisco:asa coming in on UDP 514, simply change the line in the nf to sourcetype=cisco:asa. Logging class ca: Useful for certificate authentication problems on Site-to-Site and AnyConnect. TRANSFORMS-cisco_sourcetype_overrides = set_sourcetype_cisco_asa set_sourcetype_cisco_ise If you go with the former, then you can do a sourcetype override like this: If you go with the latter, then do just as said, but have 2 different ports. sourcetype=opsec OR sourcetype=cisco:asa) earliest=-1h. If the answer given by doesn't work (and I expect it won't, but I give him karma for a clever option to try), then you will have to either give up your goal to have each in a separate index or your goal to have them both come to the same port. Splunk has thousands of applications available on Splunkbase, where you can find.