Cisco FTD not parsing and TA Doc Issues

[harv-qq]

states ASA TA will sort FTD as well

states FTD will assign a sourcetype of cisco:ftd

The Cisco ASA TA has no reference for any sourcetype apart from cisco:asa

Additional to this we have added the key to splunk_metadata.csv etc:

cisco_ftd,index,blahblah

Logs end up a mix between cisco:asa and lastchance with sc4s:fallback

Logs start %FTD-* etc and are standard

sc4s version=3.21.0

**Is there a pcap available? no due to security reasons

[harv-qq]

is there an update on this?

[cwadhwani-splunk]

Hi @harv-qq
We have looked into the issue and here are a couple points regarding the logs not getting classified into cisco:ftd:

1. The parser is written in such a way that if the log message will start from "%FTD-" and will have "430003" in it, the log will be classified into cisco:ftd source type. But if the log message starts with "%FTD-" but does not have "430003" in it, the log will be classified into cisco:asa source type.
   Could you please check the logs that are being classified in cisco:asa contains "430003" in it or not. If feasible, please send us a sample log.

2. Could you please send us some sample logs for the logs that are being classified into sc4s:fallback? This will help us to futher debug this issue.

Note: You can send the sample logs over email to cwadhwani@splunk.com

Regarding The Cisco ASA TA has no reference for any sourcetype apart from cisco:asa, I am looking into this.