Splunk® Enterprise

Add Cisco ASA data: Splunk Cloud

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Configure the Splunk Add-on for Cisco ASA on your Splunk Cloud platform deployment

To add inputs from network ports to your Splunk Cloud deployment, navigate to your deployment's universal forwarder and complete the following steps:

Add a network input using the CLI

To access the Splunk Enterprise CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command.

If you get stuck, the CLI has help. Access the main CLI help by typing splunk help. Individual commands have their own help pages as well and can be accessed by typing splunk help <command>.

The following CLI commands are available for network input configuration:

Command Command syntax Action
add add tcp|udp <port> [-parameter value] ... Add inputs from <port>.
edit edit tcp|udp <port> [-parameter value] ... Edit a previously added input for <port>.
remove remove tcp|udp <port> Remove a previously added data input.
list list tcp|udp [<port>] List the currently configured monitor.

The <port> is the port number on which to listen for data. The user you run Splunk as must have access to this port.

You can modify the configuration of each input by setting any of these additional parameters:

Parameter Required? Description
sourcetype No Specify a sourcetype field value for events from the input source.
index No Specify the destination index for events from the input source.
hostname No Specify a host name to set as the host field value for events from the input source.
remotehost No Specify an IP address to exclusively accept data from.
resolvehost No Set to true or false (T | F). Default is False. Set to true to use DNS to set the host field value for events from the input source.
restrictToHost No Specify a host name or IP address that this input should accept connections from only.


  • Configure a UDP input to watch port 514 and set the source type to "syslog":
     ./splunk add udp 514 -sourcetype syslog
  • Set the UDP input host value via DNS. Use auth with your username and password:
     ./splunk edit udp 514 -resolvehost true -auth admin:changeme

For information on best practices for using UDP, see Best practices for configuring Syslog input in the Community Wiki.

See the Cisco documentation for information on how to log specific events in your Cisco ASA deployment.

Last modified on 07 December, 2018
Install the Splunk Add-on for Cisco ASA on to your Splunk Cloud deployment
Configure system logging on your Cisco ASA device

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters