Cisco Firewalls Add-on host recognition problem

Narj
Path Finder

Hi all,

I've got the Cisco Firewall Addon (latest version with Security Suite) in and working, however I notice that it isn't recognising the host name properly; all events are showing as being from the box that my light forwarder is on. (host=myforwarderboxname)

It looks like this stanza in the transforms.conf will be the issue

[cisco_firewall_hostoverride]
DEST_KEY = MetaData:Host
REGEX = \S+\t\S+\s(.*)\t+
FORMAT = host::$1

However, I tried changing the regex to \s\d+:\d+:\d+\s(.*)\s\% (works on a field extraction) and restarting but this didn't work.

View source from Splunk shows:

Sep 18 13:10:02 myfirewall %ASA-6-302014: Teardown TCP connection 54647599 for outside....

Is anyone else doing the same thing, and if so, how did you fix it? 🙂

Thanks!

EDIT:

Right, after some brain-ache, I found that I can fix this by editing:

/opt/splunk/etc/apps/Splunk_CiscoFirewalls/default/props.conf

And appending syslog-host on the end of the first transforms line, e.g.:

[source::...cisco]

TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall, syslog-host

There must be a foolproof way of doing this... I know that if I upgrade the app, then this will probably get wiped out.

Do I need to add a one-liner in the local folder in a new props.conf?

i.e.: TRANSFORMS-syslog-host


emotz
Splunk Employee

Why not put the props entry in
/opt/splunk/etc/apps/Splunk_CiscoFirewalls/local/props.conf so it isn't overwritten after an upgrade?

[source::...cisco]
TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall, syslog-host

You can always remove the ones you don't want it to call as well.


Narj
Path Finder

Many thanks! Much appreciated. 🙂


emotz
Splunk Employee

Yes - local always overrides default.
Yes, you can put in a blank stanza if needed.
Docs explain who wins here:
http://docs.splunk.com/Documentation/Splunk/5.0.4/admin/Wheretofindtheconfigurationfiles


Narj
Path Finder

Thanks, that sounds like it'll work better! If there is a duplicate entry in the local folder, I take it that overrides the default one?

How do I effectively "remove" an entire stanza in the "local" version of the file, by the way? Just add a blank stanza by the same name or something?


Narj
Path Finder

Just noticed that this ASA app has a catch all transform for cisco, which could be problematic!

[force_sourcetype_for_cisco_catchall]
DEST_KEY = MetaData:Sourcetype
REGEX = :\s\%((SNMP|CDP|FAN|LINE|LINEPROTO|RTD|SYS|C\d+_[^-]+)-\d+-\S+)
FORMAT = sourcetype::cisco

That's not really an exhaustive list so you can end up with split sourcetype for cisco kit... I've commented that out for now, but as above... if there's a more elegant way to override this, I'd appreciate some advice.

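A quick way to check what each regex in this thread actually captures before touching local/props.conf, as an added example that is not part of the thread or of the Cisco Firewalls add-on: the Python script below runs the add-on's cisco_firewall_hostoverride regex, the space-delimited alternative tried in the question, and the force_sourcetype_for_cisco_catchall regex over the ASA line pasted in the question plus some constructed events. The tab-delimited copy of the ASA line, the two IOS-style lines (which carry a sequence number and a second timestamp before the "%"), and the tightened "(\S+)" host pattern are my own assumptions, not anything the add-on ships.

```python
import re

# Event from the thread's "view source" paste (tail truncated as in the post).
SAMPLE_ASA = ("Sep 18 13:10:02 myfirewall %ASA-6-302014: "
              "Teardown TCP connection 54647599 for outside....")

# Constructed events (not from the thread): a tab-delimited copy of the same
# ASA event, and two IOS-style messages with a sequence number and a second
# timestamp in the body before the '%' facility marker.
TAB_ASA = ("Sep 18\t13:10:02 myfirewall\t%ASA-6-302014: "
           "Teardown TCP connection 54647599 for outside....")
IOS_SYS = ("Sep 18 13:11:45 myswitch 45: *Sep 18 13:11:44.991: "
           "%SYS-5-CONFIG_I: Configured from console by admin")
IOS_LINK = ("Sep 18 13:12:07 myrouter 46: *Sep 18 13:12:06.502: "
            "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down")

# Regexes quoted in the thread.
ADDON_HOST_REGEX = r"\S+\t\S+\s(.*)\t+"        # add-on's cisco_firewall_hostoverride
SPACE_HOST_REGEX = r"\s\d+:\d+:\d+\s(.*)\s\%"  # alternative tried in the question
CATCHALL_REGEX = r":\s\%((SNMP|CDP|FAN|LINE|LINEPROTO|RTD|SYS|C\d+_[^-]+)-\d+-\S+)"

# Assumed tighter host pattern (my own, not from the add-on): exactly one
# non-space token after the time, so a second timestamp in the message body
# can never be swallowed into the host value.
TIGHT_HOST_REGEX = r"\s\d+:\d+:\d+\s(\S+)\s"


def extract_host(event, pattern):
    """Return what FORMAT = host::$1 would write into MetaData:Host, or None
    when the REGEX does not match and the host is left as the forwarder's."""
    m = re.search(pattern, event)
    return m.group(1) if m else None


def catchall_facility(event):
    """Return the facility the cisco_catchall transform keys on (group 2 of
    its REGEX), or None when the event would not get sourcetype::cisco from it."""
    m = re.search(CATCHALL_REGEX, event)
    return m.group(2) if m else None


def report(events):
    """Run every pattern over a dict of name -> event and return the results."""
    rows = {}
    for name, event in events.items():
        rows[name] = {
            "addon_host": extract_host(event, ADDON_HOST_REGEX),
            "space_host": extract_host(event, SPACE_HOST_REGEX),
            "tight_host": extract_host(event, TIGHT_HOST_REGEX),
            "catchall": catchall_facility(event),
        }
    return rows


if __name__ == "__main__":
    samples = {"asa": SAMPLE_ASA, "tab_asa": TAB_ASA,
               "ios_sys": IOS_SYS, "ios_link": IOS_LINK}
    for name, row in report(samples).items():
        print(name, row)
```

Running it shows three things worth knowing before editing the conf files: the add-on's host regex only matches when the event is tab-delimited (it returns None for the space-delimited line pasted above, which is why host stayed as the forwarder), the space-delimited alternative captures "myfirewall" on the ASA line but swallows the sequence number and second timestamp on an IOS-style line, and the catchall regex keys on a fixed facility list, so a %LINK-3-UPDOWN message is not given sourcetype::cisco by it, which is the gap the last comment describes. Paste a handful of real events exported from Splunk into the samples dict and re-run before committing a pattern to local/transforms.conf.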