Configure a syslog server to send Cisco ASA data to your single-instance Splunk deployment

Configure your syslog server to send data to your single-instance Splunk deployment by completing the following steps:

Save a copy of syslog-ng.conf before editing it.

Open syslog-ng.conf, and edit it to make configuration changes. The following syslog-ng.conf file shows an example of how incoming events can be separated using regular expression filters. Each unique data source type has a directory created under /home/syslog/logs. Set the create_dirs attribute to yes to create the necessary directories, if they don't already exist:

# sample syslog-ng configuration file
#
#
options {
chain_hostnames(no);
create_dirs (yes);
dir_perm(0755);
dns_cache(yes);
keep_hostname(yes);
log_fifo_size(2048);
log_msg_size(8192);
perm(0644);
time_reopen (10);
use_dns(yes);
use_fqdn(yes);
};
source s_network {
udp(port(514));
};
#Destinations
destination d_cisco_asa { file(“/home/syslog/logs/cisco/asa/$HOST/$YEAR-$MONTH-$DAY-cisco-asa.log” create_dirs(yes)); };
 
# Filters
filter f_cisco_asa { match(“%ASA” value(“PROGRAM”)) or match(“%ASA” value(“MESSAGE”)); };
filter f_all { not (
filter(f_cisco_asa)
);
};
# Log
log { source(s_network); filter(f_cisco_asa); destination(d_cisco_asa); };
log { source(s_network); filter(f_all); destination(d_all); };

Restart syslog-ng to apply updates:
```
sudo systemctl restart syslog-ng.service
```
For further details on configuring syslog-ng, refer to the syslog-ng installation manual at OneIdentity.com.

Configure a syslog server to send Cisco ASA data to your single-instance Splunk deployment

Comments

Was this topic useful?