Install the Splunk Add-on for Cisco ASA on to your Splunk Cloud deployment
Prerequisites
- The Cisco ASA device can use TCP as the syslog transport, and can maintain an open TCP port with the syslog-ng server.
- Do not place a load balancer between the ASA and the syslog server.
- Implement the following DNS configurations:
  - For each IP address assigned for management of the ASA, ensure both address (A) records and record route (R) records exist and match.
  - For each egress NAT address assigned to the device, ensure A and R records exist and match.
  - For each ingress NAT address assigned to the device, ensure the R record matches the internal destination A. The A record for this IP is not required.
- Download the Splunk Add-on for Cisco ASA on Splunkbase.
Install on your Splunk Cloud deployment using self-service
Install an add-on on search heads and indexers in a Splunk Cloud deployment using the self-service app install process.
In Splunk Cloud deployments, inputs must be configured on forwarders under your control.
- In the Splunk Web home page, click the gear icon next to Apps.
- Click Install Apps.
- Select Install to install the add-on. If the add-on that you want is not listed, or if the add-on indicates self-service installation is not supported, contact Splunk Support.
- Complete the installation. When you install an add-on with declared dependencies, Splunk Cloud automatically resolves its dependencies through Splunkbase. To learn more about declaring dependencies, see the Splunk Packaging Toolkit.
Install on forwarders
Prepare the Splunk Add-on for Cisco ASA package for installation in a Splunk Cloud deployment
Before deploying the Splunk Add-on for Cisco ASA in a Splunk Cloud deployment, make the following changes to the Cisco ASA add-on package:
- Remove the eventgen.conf files.
- Remove all files in the samples folder.
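One way to script the two removals above and check the result before deployment, as an added example that is not part of the Splunk documentation or the add-on itself. It assumes the package is a .tgz with a single top-level app directory; TA_example and its file contents are constructed placeholders for the downloaded package.

```shell
#!/bin/sh
# Added example, not Splunk's tooling. TA_example and all file contents below
# are constructed placeholders standing in for the downloaded add-on package.

# prepare_package SRC.tgz DST.tgz: repack SRC without event-generator content.
prepare_package() {
    src=$1; dst=$2
    work=$(mktemp -d) || return 1
    tar -xzf "$src" -C "$work" || { rm -rf "$work"; return 1; }
    # Assumption: the archive holds exactly one top-level app directory.
    set -- "$work"/*
    if [ $# -ne 1 ] || [ ! -d "$1" ]; then
        echo "unexpected package layout" >&2; rm -rf "$work"; return 1
    fi
    app=${1##*/}
    # Remove every eventgen.conf, wherever it sits (default/, local/, ...).
    find "$work/$app" -type f -name eventgen.conf -exec rm -f {} +
    # Remove all files under samples/ but keep the folder itself.
    find "$work/$app" -type f -path '*/samples/*' -exec rm -f {} +
    tar -czf "$dst" -C "$work" "$app"; rc=$?
    rm -rf "$work"
    return $rc
}

# count_leftovers PKG.tgz: print how many archive entries should not ship.
count_leftovers() {
    tar -tzf "$1" | grep -cE '(^|/)eventgen\.conf$|/samples/.' || true
}

# make_sample_package DIR: build a constructed package at DIR/TA_example.tgz.
make_sample_package() {
    mkdir -p "$1/TA_example/default" "$1/TA_example/samples"
    echo '# constructed inputs'     > "$1/TA_example/default/inputs.conf"
    echo '# constructed eventgen'   > "$1/TA_example/default/eventgen.conf"
    echo 'constructed sample event' > "$1/TA_example/samples/asa.sample"
    tar -czf "$1/TA_example.tgz" -C "$1" TA_example
}
```

Run count_leftovers on the repacked archive and deploy only when it prints 0.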
Install an add-on on to your forwarders using a deployment server
Use your deployment server to distribute content and configurations (collectively called deployment apps) to deployment clients, grouped into server classes. Deployment apps can be full-fledged apps, such as those available on Splunkbase, or they can be just simple groups of configurations.
Deploy an add-on to your deployment clients
- On your deployment server, navigate to $SPLUNK_HOME/etc/deployment-apps/.
- Add your add-on to the /deployment-apps/ directory.
- Extract the add-on.
- Navigate to $SPLUNK_HOME/etc/deployment-apps/<APP NAME>/default/inputs.conf.
- Add inputs for the data you want to collect.
- Save your changes.
- Restart the deployment server: $SPLUNK_HOME/bin/splunk restart
View app deployment status
Go to the Apps tab. The tab provides information on the number of clients each app was deployed to. Click on an app to go to a detailed page for that app. The App Data Size field specifies the size of the app bundle. The bundle is a compressed file containing the app. Once a client receives a bundle, it uncompresses it and installs the app in its proper location.
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10