Splunk® Enterprise

Add Cisco ASA data: Distributed deployment with indexer clustering

This documentation does not apply to the most recent version of Splunk.

Configure the Splunk Add-on for Cisco ASA on your Splunk platform deployment

To add inputs from network ports, complete the following steps:

Add a network input using Splunk Web

  1. Click the Add Data link in Splunk Home.
  2. Click Monitor to monitor a network port on the local machine, or Forward to receive network data from another machine.
  3. If you selected Forward, choose or create the group of forwarders you want this input to apply to.
  4. Click Next.

Specify the network input

  1. In the left pane, click TCP / UDP to add an input.
  2. Click the TCP or UDP button to choose between a TCP or UDP input.
  3. In the Port field, enter a port number.
  4. Consult Splunk Support before changing the Source name override value.
  5. If this is a TCP input, specify whether this port will accept connections from all hosts or only one host in the Only accept connections from field. If you only want the input to accept connections from one host, enter the host name or IP address of the host. You can use wildcards to specify hosts.
  6. Click Next to continue to the Input Settings page.

Specify input settings

The Input Settings page lets you specify source type, application context, default host value, and index. All of these parameters are optional.

  1. Set the Source type. Source type is a default field that Splunk Enterprise adds to events and uses to determine processing characteristics, such as timestamps and event boundaries. For Cisco ASA syslog, use cisco:asa; see the table at the end of this topic for the event types and CIM data models it maps to.
  2. Set the Host name value. Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network. You have several choices:
    1. IP. Sets the input processor to rewrite the host with the IP address of the remote server.
    2. DNS. Sets the host to the DNS entry of the remote server.
    3. Custom. Sets the host to a user-defined label.
  3. Set the Index that Splunk Enterprise sends data to for this input. Leave the value as default unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.
  4. Click Review.

Review your choices

After specifying all of your input settings, review your selections. Splunk Enterprise lists the options you selected, including the type of monitor, the source, the source type, the application context, and the index.

  1. Review the settings.
  2. If they are not what you want, click < to go back to the previous step in the wizard. Otherwise, click Submit.

Splunk Enterprise then loads the "Success" page and begins indexing the specified network input.
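The wizard above writes the equivalent stanza to inputs.conf on the receiving instance (the "Only accept connections from" field writes the single-host form [tcp://<host>:<port>], and "Source name override" writes a source = setting). The following is an added example, not code from the Splunk documentation or from the add-on, of the inputs.conf a practitioner would deploy for an ASA sending syslog over TCP, with the UDP variant beside it. The port 1514, the management subnet 10.1.0.0/24, the index name network and the queue sizes are assumed values; replace them with your own.

```ini
# Added example: inputs.conf stanzas equivalent to the Splunk Web wizard above.
# Not from the add-on or the Splunk documentation. Assumed values: port 1514,
# ASA management subnet 10.1.0.0/24, index "network", queue sizes.
# Place under $SPLUNK_HOME/etc/apps/<your_app>/local/ on the receiver
# (a heavy forwarder or syslog tier in a clustered deployment) and restart splunkd.

# Preferred: TCP syslog from the ASA. Restrict the listener to the ASA subnet;
# rules are evaluated in order and the first match wins, so "!*" denies everyone else.
[tcp://1514]
sourcetype = cisco:asa
index = network
connection_host = ip
acceptFrom = 10.1.0.0/24, !*
# Absorb bursts (a port scan can generate thousands of deny messages per second)
# so a slow receiver does not back-pressure the ASA.
queueSize = 5MB
persistentQueueSize = 50MB

# Alternative: UDP, the ASA's default transport. UDP source addresses are not
# authenticated, so acceptFrom only filters on the claimed address; enforce the
# real restriction with a host or network firewall in front of the receiver.
[udp://1514]
sourcetype = cisco:asa
index = network
connection_host = ip
acceptFrom = 10.1.0.0/24, !*
```

Using connection_host = ip sets the host field of every event to the ASA's address without a reverse DNS lookup per connection; use dns only if your resolver is reliable, because the lookup happens in the input path. When you choose TCP, remember that an ASA configured for TCP syslog stops permitting new connections by default if the syslog server becomes unreachable unless logging permit-hostdown is configured; see the Cisco documentation for the logging host and logging permit-hostdown commands.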

See the Cisco documentation for information on how to log specific events in your Cisco ASA deployment.

Sourcetypes for the Splunk Add-on for Cisco ASA

The Splunk Add-on for Cisco ASA provides the following source types:

Source type   Event type                         CIM data model
cisco:asa     cisco_authentication               Authentication
              cisco_authentication_privileged    Authentication
              cisco_connection                   Network Traffic
              cisco_intrusion                    Intrusion Detection
              cisco_vpn                          Network Sessions
              cisco_vpn_start                    Network Sessions
              cisco_vpn_end                      Network Sessions
              cisco_asa_network_sessions         Network Sessions
              cisco_asa_configuration_change     Change
              cisco_asa_endpoint_processes       Endpoint
              cisco_asa_endpoint_filesystem      Endpoint
              cisco_asa_certificates             Certificates
              cisco_asa_network_resolution       Network Resolution (DNS)

Last modified on 29 June, 2020

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8
