Skip to content

ASA/FTD (Firepower)

Key facts

  • Note Splunk “ASA” TA is also used for FTD appliances
  • MSG Format based filter
  • None conformant legacy BSD Format default port 514

Links

Ref Link
Splunk Add-on for ASA (No long supports FWSM and PIX) https://splunkbase.splunk.com/app/1620/
Cisco eStreamer for Splunk https://splunkbase.splunk.com/app/1629/
Product Manual https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_syslog.html

Sourcetypes

sourcetype notes
cisco:asa cisco FTD Firepower will also use this source type except those noted below
cisco:ftd cisco FTD Firepower will also use this source type except those noted below
cisco:fwsm Splunk has
cisco:pix cisco PIX will also use this source type except those noted below
cisco:firepower:syslog FTD Unified events see https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide.pdf

Sourcetype and Index Configuration

key sourcetype index notes
cisco_asa cisco:asa netfw none
cisco_fwsm cisco:fwsm netfw none
cisco_pix cisco:pix netfw none
cisco_firepower cisco:firepower:syslog netids none
cisco_ftd cisco:ftd netfw none

Source Setup and Configuration

  • Follow vendor configuration steps per Product Manual above ensure:
  • Log Level is 6 “Informational”
  • Protocol is TCP/IP
  • permit-hostdown is on
  • device-id is hostname and included
  • timestamp is included