Getting Data In

Cisco Router ACL Logs - How to Utilize in Cisco Security App?

umpiloto
Engager

Hi All -

Just discovered Splunk, and I must say it's an amazing tool.

I've configured a router to send syslog messages to Splunk, and they are indeed being collected.
I've also installed the Cisco security app along with a few of its sub-apps.
The Cisco firewall app, though, doesn't seem to be able to read any of the data generated by the ACL deny log entries generated by my router. It seems these syslog entries are not in the same format as those which would be generated by a true ASA or PIX firewall. Still, I have all sorts of source IP / port and dest IP / port entries, so there is so much potential here! Any ideas on how I could make my current data readable by the Cisco Security Splunk app would be very much appreciated.

Thanks

cphnetworkguy
New Member

I did like this:
severity=* index=ciscoios vendor_category="IP security"
| stats count(ACL_action) AS Amount BY host,ACL_name,ACL_serviceport,ACL_sourceip,ACL_destinationip,ACL_action
| table host Amount ACL_name,ACL_action,ACL_serviceport,ACL_sourceip,ACL_destinationip

Then you just have to make your variables match your setup. I have done it like this:
severity=* index=ciscoios vendor_category="IP security"
| stats count(ACL_action) AS Amount BY host,ACL_name,ACL_serviceport,ACL_sourceip,ACL_destinationip,ACL_action
| table host Amount ACL_name,ACL_action,ACL_serviceport,ACL_sourceip,ACL_destinationip

But you need to extract the fields so they match the names of the variables you use.

0 Karma

tbaschak
Explorer

What you need to do is field extract the same fields from the IOS ACL deny log entries. I've used the following quick rex's in the past to dig info from ACLs.

host="someIOSfirewall" %SEC-6-IPACCESSLOGP | rex field=_raw "list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dest_address>\d+\.\d+\.\d+\.\d+)\((?<dest_port>\d+)\)" | chart sparkline count by src_address

host="someIOSfirewall" %SEC-6-IPACCESSLOGP | rex field=_raw "list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dest_address>\d+\.\d+\.\d+\.\d+)\((?<dest_port>\d+)\)" | lookup geoip clientip as src_address | chart sparkline count by client_country | sort -count

Just make the field names match what it is expecting, and the type to match, and you'll be set.

0 Karma

tbaschak
Explorer

You'd actually want to do this with a field extraction, but you could test the field extraction with the rex though.
Something like this in your local/props.conf

[host::x.y.z.b]
EXTRACT-ios_acl = list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dest_address>\d+\.\d+\.\d+\.\d+)\((?<dest_port>\d+)\)

You'll need to customize the extracted field names to match.

0 Karma
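Before committing a regex like the one above to props.conf, it helps to run it over a handful of real IOS ACL lines outside Splunk and check what each capture group yields. The script below is an added example (not code from tbaschak, cphnetworkguy or the Cisco app) that applies a generalized form of that regex: instead of hard-coding "list 101 denied" it captures the ACL name and the action, which also gives the per-ACL, per-action counts the earlier stats-based answer relies on. The field names acl_name, acl_action, dest_address and dest_port are my assumptions (the answers only name ip_proto, src_address and src_port), and the log lines are constructed samples in the standard %SEC-6-IPACCESSLOGP format. The last sample is a port-less ICMP (%SEC-6-IPACCESSLOGDP) line, which this regex deliberately does not match, to show which entries the extraction will silently skip.

```python
import re
from collections import Counter

# Generalized from the rex in the answers above. Named groups become the
# Splunk field names; dest_address/dest_port/acl_name/acl_action are assumed
# names, chosen to mirror the src_* fields the answer uses.
ACL_LOG_RE = re.compile(
    r"list (?P<acl_name>\S+) (?P<acl_action>denied|permitted) "
    r"(?P<ip_proto>[a-zA-Z]+) "
    r"(?P<src_address>\d+\.\d+\.\d+\.\d+)\((?P<src_port>\d+)\) -> "
    r"(?P<dest_address>\d+\.\d+\.\d+\.\d+)\((?P<dest_port>\d+)\)"
    r"(?:, (?P<packets>\d+) packets?)?"   # trailing count is optional
)

# Constructed sample syslog lines (RFC 5737 documentation addresses).
SAMPLE_LOGS = [
    "<190>42: *Mar  1 00:11:22.333: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "198.51.100.7(51234) -> 192.0.2.10(22), 1 packet",
    "<190>43: *Mar  1 00:11:25.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "198.51.100.7(51235) -> 192.0.2.10(23), 1 packet",
    "<190>44: *Mar  1 00:11:30.500: %SEC-6-IPACCESSLOGP: list 101 denied udp "
    "203.0.113.9(40000) -> 192.0.2.10(161), 3 packets",
    "<190>45: *Mar  1 00:11:31.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp "
    "192.0.2.50(44321) -> 192.0.2.10(443), 1 packet",
    # ICMP entries carry no ports and a different message ID; the port-based
    # regex will not match them, so they need a second extraction.
    "<190>46: *Mar  1 00:11:35.000: %SEC-6-IPACCESSLOGDP: list 101 denied icmp "
    "203.0.113.9 -> 192.0.2.10 (8/0), 1 packet",
]


def parse_acl_log(line):
    """Return the extracted fields for one IOS ACL log line, or None if the
    line is not a port-bearing IPACCESSLOGP entry."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["src_port"] = int(fields["src_port"])
    fields["dest_port"] = int(fields["dest_port"])
    # IOS omits the count only when it is a single packet.
    fields["packets"] = int(fields["packets"]) if fields["packets"] else 1
    return fields


def count_by_src(lines, action="denied"):
    """Offline equivalent of '| chart count by src_address' restricted to one
    ACL action. Lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        fields = parse_acl_log(line)
        if fields is not None and fields["acl_action"] == action:
            counts[fields["src_address"]] += 1
    return dict(counts)


def count_by_acl_action(lines):
    """Offline equivalent of the stats-based answer: count BY acl_name,
    acl_action. Returns {(acl_name, acl_action): count}."""
    counts = Counter()
    for line in lines:
        fields = parse_acl_log(line)
        if fields is not None:
            counts[(fields["acl_name"], fields["acl_action"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_acl_log(line))
    print("denied by source:", count_by_src(SAMPLE_LOGS))
    print("by ACL and action:", count_by_acl_action(SAMPLE_LOGS))
```

Running it on the samples shows two denied hits from 198.51.100.7, one from 203.0.113.9, and the ICMP line coming back as None. That last result is the practical caveat: an EXTRACT stanza built only from the port-bearing pattern will leave ICMP denies without src_address or dest_address fields, so any dashboard counting by those fields undercounts them.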

robinjames
New Member

Thanks for your reply! I was looking for this answer as well... I'm new to this so your answer looks like Greek to me, but hopefully I can figure it out.

Where would I place rex's like those to have the Cisco Suite pick up those fields?

0 Karma