splunk-connect-for-syslog
Cisco FTD not parsing and TA Doc Issues
states ASA TA will sort FTD as well
states FTD will assign a sourcetype of cisco:ftd
The Cisco ASA TA has no reference for any sourcetype apart from cisco:asa
Additional to this we have added the key to splunk_metadata.csv etc:
cisco_ftd,index,blahblah
Logs end up a mix between cisco:asa and lastchance with sc4s:fallback
Logs start %FTD-* etc and are standard
sc4s version=3.21.0
**Is there a pcap available?** no due to security reasons
is there an update on this?
Hi @harv-qq We have looked into the issue and here are a couple points regarding the logs not getting classified into cisco:ftd:
- The parser is written in such a way that if the log message starts with "%FTD-" and has "430003" in it, the log will be classified into the cisco:ftd source type. But if the log message starts with "%FTD-" and does not have "430003" in it, the log will be classified into the cisco:asa source type. Could you please check whether the logs that are being classified as cisco:asa contain "430003" or not? If feasible, please send us a sample log.
- Could you please send us some sample logs for the logs that are being classified into sc4s:fallback? This will help us to further debug this issue.
Note: You can send the sample logs over email to [email protected]
Regarding "The Cisco ASA TA has no reference for any sourcetype apart from cisco:asa", I am looking into this.
@harv-qq
Although it is documented, unfortunately the ASA TA only supports the following message IDs: https://docs.splunk.com/Documentation/AddOns/released/CiscoASA/Releasenotes. We will update our doc accordingly; thank you for pointing it out. If you want to update the sourcetype for Firepower appliances, it can easily be done using a .conf file as mentioned in https://github.com/splunk/splunk-connect-for-syslog/issues/1798. Please let us know if you face any issues doing that. (Note: right now only message ID 430003 is sourcetyped as cisco:ftd, as per design.)
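The classification rule the maintainers describe above (only "%FTD-" messages carrying ID 430003 become cisco:ftd; other "%FTD-"/"%ASA-" messages become cisco:asa; everything else falls through to sc4s:fallback) can be modelled in a few lines so a reporter can check which bucket their own feed lands in before sending samples. This is an added example, not SC4S's own syslog-ng parser; the regex, the sample messages and the assumption that "430003" is matched as the message ID are mine.

```python
import re
from collections import Counter

# Model of the rule described in this thread (assumption: the "430003" test is
# on the six-digit message ID in the Cisco header, not anywhere in the body).
CISCO_HEADER = re.compile(r"^%(?P<product>ASA|FTD)-(?P<sev>\d)-(?P<msgid>\d{6}):")


def classify(message: str) -> str:
    """Return the sourcetype the thread's rule would assign to one message body."""
    m = CISCO_HEADER.match(message)
    if not m:
        return "sc4s:fallback"          # no Cisco header at all -> last-chance bucket
    if m.group("product") == "FTD" and m.group("msgid") == "430003":
        return "cisco:ftd"              # the single FTD ID routed to cisco:ftd by design
    return "cisco:asa"                  # every other %FTD-/%ASA- message


def tally(messages):
    """Count sourcetypes over a batch, to see how a whole feed would be split."""
    return Counter(classify(msg) for msg in messages)


# Constructed sample messages (not taken from the reporter's environment).
SAMPLES = [
    "%FTD-6-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000000",
    "%FTD-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/443",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.0.0.5/22",
    "appliance heartbeat: no Cisco message header present",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(f"{classify(msg):15} {msg[:60]}")
    print(dict(tally(SAMPLES)))
```

Feeding a real export of message bodies through `tally()` shows at a glance whether the cisco:asa lines lack 430003 (expected by design) or whether cisco:ftd and sc4s:fallback counts point at a header-format problem worth raising.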