Hi @harv-qq
We have looked into the issue and here are a couple points regarding the logs not getting classified into cisco:ftd:
The parser is written in such a way that if the log message starts with "%FTD-" and has "430003" in it, the log will be classified into the cisco:ftd source type. But if the log message starts with "%FTD-" but does not have "430003" in it, the log will be classified into the cisco:asa source type.
Could you please check whether the logs that are being classified into cisco:asa contain "430003" or not? If feasible, please send us a sample log.
Could you please send us some sample logs for the logs that are being classified into sc4s:fallback? This will help us to further debug this issue.
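As an added example (not SC4S's parser code and not part of the thread), the rule described in the comment above can be run over a capture to see which message IDs would land in which sourcetype. Assumptions: the message is taken to begin at the first Cisco `%TAG` on the line, the sample lines are constructed, and `predict_sourcetype`, `message_part` and `triage` are hypothetical helper names.

```python
import re
from collections import Counter

# Cisco tag such as %FTD-6-430003 (facility, severity, message ID).
TAG = re.compile(r"%([A-Z]+)-(\d)-(\d{6})")

def predict_sourcetype(message):
    """Apply the rule as worded in the comment to the syslog message part."""
    if not message.startswith("%FTD-"):
        return "not-covered-by-rule"
    # The rule as described is a substring test, not a message-ID test.
    return "cisco:ftd" if "430003" in message else "cisco:asa"

def message_part(line):
    """Assumption: the message begins at the first Cisco %TAG on the line."""
    m = TAG.search(line)
    return line[m.start():] if m else line

def triage(lines):
    """Tally (predicted sourcetype, message ID) pairs for a capture."""
    tally = Counter()
    for line in lines:
        msg = message_part(line.strip())
        m = TAG.match(msg)
        msg_id = m.group(3) if m else None
        tally[(predict_sourcetype(msg), msg_id)] += 1
    return tally

# Constructed sample lines, not taken from the reporter's environment.
SAMPLE = [
    "<166>Jan 05 2023 10:00:00 fw01 : %FTD-6-430003: DeviceUUID: 0000, AccessControlRuleAction: Allow",
    "<166>Jan 05 2023 10:00:01 fw01 : %FTD-6-430002: DeviceUUID: 0000, AccessControlRuleAction: Allow",
    # Message ID is 302013, but "430003" appears as a connection number.
    "<166>Jan 05 2023 10:00:02 fw01 : %FTD-6-302013: Built inbound TCP connection 430003 for outside",
    "<166>Jan 05 2023 10:00:03 fw01 : %FTD-6-302014: Teardown TCP connection 77 for outside",
    "Jan 05 10:00:04 fw01 text without a Cisco tag",
]

if __name__ == "__main__":
    for (sourcetype, msg_id), count in sorted(triage(SAMPLE).items(), key=str):
        print(f"{sourcetype:22} {msg_id or '-':8} {count}")
```

Grouping by message ID shows at a glance which `%FTD-` events the described rule sends to cisco:asa, which is the check the comment asks for.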
states ASA TA will sort FTD as well
states FTD will assign a sourcetype of cisco:ftd
The Cisco ASA TA has no reference for any sourcetype apart from cisco:asa
In addition to this, we have added the key to splunk_metadata.csv etc.:
cisco_ftd,index,blahblah
Logs end up a mix between cisco:asa and lastchance with sc4s:fallback
Logs start %FTD-* etc and are standard
sc4s version=3.21.0
Is there a pcap available? No, due to security reasons.