Configure the Splunk Add-on for Cisco ASA on your Splunk platform deployment
The Cisco ASA sends its syslog output over the network (UDP by default, or TCP), so the add-on receives it through a network input rather than a file monitor. To add inputs from network ports, complete the following steps:
Add a network input using Splunk Web
- Click the Add Data link in Splunk Home.
- Click Monitor to monitor a network port on the local machine, or Forward to receive network data from another machine.
- If you selected Forward, choose or create the group of forwarders you want this input to apply to.
- Click Next.
Specify the network input
- In the left pane, click TCP / UDP to add an input.
- Click the TCP or UDP button to choose between a TCP or UDP input.
- In the Port field, enter a port number.
- Consult Splunk Support before changing the Source name override value.
- If this is a TCP input, specify whether this port will accept connections from all hosts or only one host in the Only accept connections from field. If you only want the input to accept connections from one host, enter the host name or IP address of the host. You can use wildcards to specify hosts. Restricting the input to the ASA's own address limits which hosts can write events into the index. Because UDP is connectionless and the sender address is not authenticated, this field is not offered for UDP inputs; protect UDP ports with network ACLs instead.
- Click Next to continue to the Input Settings page.
Specify input settings
The Input Settings page lets you specify source type, application context, default host value, and index. All of these parameters are optional.
- Set the Source type. Source type is a default field that Splunk Enterprise adds to events and uses to determine processing characteristics, such as timestamps and event boundaries. The Splunk Add-on for Cisco ASA uses the cisco:asa source type; see the table below.
- Set the Host name value. Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network. You have several choices:
  - IP. Sets the input processor to rewrite the host with the IP address of the remote server.
  - DNS. Sets the host to the DNS entry of the remote server.
  - Custom. Sets the host to a user-defined label.
- Set the Index that Splunk Enterprise sends data to for this input. Leave the value as default unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.
- Click Review.
Review your choices
After specifying all of your input settings, review your selections. Splunk Enterprise lists the options you selected, including the type of monitor, the source, the source type, the application context, and the index.
- Review the settings.
- If they are not what you want, click < to go back to the previous step in the wizard. Otherwise, click Submit.
Splunk Enterprise then loads the "Success" page and begins indexing the specified network input.
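The same input can be defined in inputs.conf instead of Splunk Web, which is how you would deploy it to several forwarders or keep it under version control. The following stanzas are an added example and are not part of the original documentation or the add-on; the port numbers, the network index, and the ASA address 10.0.0.1 are assumptions, so substitute your own values and create the index before referencing it.

```ini
# Added example (not from the original page or the add-on): inputs.conf
# stanzas equivalent to the Splunk Web steps above. Ports, the "network"
# index and the 10.0.0.1 ASA address are assumptions.
# Place in $SPLUNK_HOME/etc/system/local/inputs.conf (or an app's local/
# directory) on the instance that receives the syslog, then restart Splunk.

# UDP syslog, the ASA default transport. UDP sender addresses are not
# authenticated, so control access to this port with network ACLs rather
# than relying on Splunk-side filtering.
[udp://514]
sourcetype = cisco:asa
index = network
# Equivalent of the Host setting in Splunk Web:
#   ip   rewrites host to the sender's IP address
#   dns  resolves the sender's address to its DNS name
#   none keeps the default host of this Splunk instance
connection_host = ip

# TCP syslog, with the "Only accept connections from" field expressed as
# acceptFrom: only the ASA management address and one CIDR block may connect.
[tcp://1514]
sourcetype = cisco:asa
index = network
connection_host = dns
acceptFrom = 10.0.0.1, 10.0.1.0/24
```

Port 514 is a privileged port on Linux, so a Splunk instance that runs as a non-root user cannot bind to it; either run the listener on a high port such as 1514 and point the ASA at that port, or redirect 514 to the high port with the host firewall. After restarting, confirm the stanzas were picked up with `splunk btool inputs list --debug`, which also shows which file each setting came from.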
See the Cisco documentation for information on how to log specific events in your Cisco ASA deployment.
Sourcetypes for the Splunk Add-on for Cisco ASA
The Splunk Add-on for Cisco ASA provides the following source types:
Source type | Event type | CIM data models
---|---|---
cisco:asa | cisco_authentication | Authentication
cisco:asa | cisco_authentication_privileged | Authentication
cisco:asa | cisco_connection | Network Traffic
cisco:asa | cisco_intrusion | Intrusion Detection
cisco:asa | cisco_vpn | Network Sessions
cisco:asa | cisco_vpn_start | Network Sessions
cisco:asa | cisco_vpn_end | Network Sessions
cisco:asa | cisco_asa_network_sessions | Network Sessions
cisco:asa | cisco_asa_configuration_change | Change
cisco:asa | cisco_asa_endpoint_processes | Endpoint
cisco:asa | cisco_asa_endpoint_filesystem | Endpoint
cisco:asa | cisco_asa_certificates | Certificates
cisco:asa | cisco_asa_network_resolution | Network Resolution (DNS)
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10