Configure a syslog server to send Cisco ASA data to your single-instance Splunk deployment

Configure your syslog server to send data to your single-instance Splunk deployment by completing the following steps:

1. Save a copy of syslog-ng.conf before editing it.
2. Open syslog-ng.conf, and edit it to make configuration changes. The following syslog-ng.conf file shows an example of how incoming events can be separated using regular expression filters. Each unique data source type has a directory created under /home/syslog/logs. Set the create_dirs attribute to yes to create the necessary directories, if they don't already exist:

   # sample syslog-ng configuration file
   #
   #
   options {
   chain_hostnames(no);
   create_dirs (yes);
   dir_perm(0755);
   dns_cache(yes);
   keep_hostname(yes);
   log_fifo_size(2048);
   log_msg_size(8192);
   perm(0644);
   time_reopen (10);
   use_dns(yes);
   use_fqdn(yes);
   };
   source s_network {
   udp(port(514));
   };
   #Destinations
   destination d_cisco_asa { file(“/home/syslog/logs/cisco/asa/$HOST/$YEAR-$MONTH-$DAY-cisco-asa.log” create_dirs(yes)); };
    
   # Filters
   filter f_cisco_asa { match(“%ASA” value(“PROGRAM”)) or match(“%ASA” value(“MESSAGE”)); };
   filter f_all { not (
   filter(f_cisco_asa)
   );
   };
   # Log
   log { source(s_network); filter(f_cisco_asa); destination(d_cisco_asa); };
   log { source(s_network); filter(f_all); destination(d_all); };
   

3. Restart syslog-ng to apply updates:

   sudo systemctl restart syslog-ng.service
   

   For further details on configuring syslog-ng, refer to the syslog-ng installation manual at OneIdentity.com.