Getting Data In

Cisco Firewalls Add-on host recognition problem

Narj
Path Finder

Hi all,

I've got the Cisco Firewall Addon (latest version with Security Suite) in and working, however I notice that it isn't recognising the host name properly; all events are showing as being from the box that my light forwarder is on. (host=myforwarderboxname)

It looks like this stanza in the transforms.conf will be the issue

[cisco_firewall_hostoverride]
DEST_KEY = MetaData:Host
REGEX = \S+\t\S+\s(.*)\t+
FORMAT = host::$1

However, I tried changing the regex to \s\d+:\d+:\d+\s(.*)\s\% (works on a field extraction) and restarting but this didn't work.

View source from splunk shows:

Sep 18 13:10:02 myfirewall %ASA-6-302014: Teardown TCP connection 54647599 for outside....

Is anyone else doing the same thing, and if so, how did you fix it? 🙂

Thanks!

EDIT:

Right, after some brain-ache, I found that I can fix this by editing:

/opt/splunk/etc/apps/Splunk_CiscoFirewalls/default/props.conf

And appending syslog-host on the end of the first transforms line, eg:

[source::...cisco]

TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall, syslog-host

There must be a foolproof way of doing this... I know that if I upgrade the app, then this will probably get wiped out.

Do I need to add a one-liner in the local folder in a new props.conf?

ie: TRANSFORMS-syslog-host

Tags (4)
0 Karma
1 Solution

emotz
Splunk Employee
Splunk Employee

Why not put the props entry in
/opt/splunk/etc/apps/Splunk_CiscoFirewalls/local/props.conf so it isn't overwritten after upgrade.

[source::...cisco]
TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall, syslog-host

You can always remove the ones you don't want it to call as well.

View solution in original post

0 Karma

emotz
Splunk Employee
Splunk Employee

Why not put the props entry in
/opt/splunk/etc/apps/Splunk_CiscoFirewalls/local/props.conf so it isn't overwritten after upgrade.

[source::...cisco]
TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall, syslog-host

You can always remove the ones you don't want it to call as well.

0 Karma

Narj
Path Finder

Many thanks! Much appreciated. 🙂

0 Karma

emotz
Splunk Employee
Splunk Employee

Yes - local always overrides default.
Yes you can put in a blank stanza if needed
Docs explain who wins here ->
http://docs.splunk.com/Documentation/Splunk/5.0.4/admin/Wheretofindtheconfigurationfiles

0 Karma

Narj
Path Finder

Thanks, that sounds like it'll work better! If there is a duplicate entry in the local folder, I take it that overrides the default one?

How do I effectively "remove" an entire stanza in the "local" version of the file by the way? just add a blank stanza by the same name or something?

0 Karma

Narj
Path Finder

Just noticed that this ASA app has a catch all transform for cisco, which could be problematic!

[force_sourcetype_for_cisco_catchall]
DEST_KEY = MetaData:Sourcetype
REGEX = :\s\%((SNMP|CDP|FAN|LINE|LINEPROTO|RTD|SYS|C\d+_[^-]+)-\d+-\S+)
FORMAT = sourcetype::cisco

That's not really an exhaustive list so you can end up with split sourcetype for cisco kit... I've commented that out for now, but as above... if there's a more elegant way to override this, I'd appreciate some advice.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...