Solved: Can I process ASA Built and Teardown as a single e...

mikesr · ‎01-23-2014

Hi,

can anyone please answere if it is possible to process ASA Built and Teardown messages of the single connection as a single event.
ASA generates Built message when TCP/UDP connection established over the firewall and Terdown message when closing the connection. Unfortunately some data are missing in each type of message.
(e.g. dirction is just in Built or duration is just in Teardown).
What I what to do is process both messages for each connection as the single merdged "connection" event so that I can make a select or a graf using "connection" events instead of single Built or Teardown events.

Thanx in advance.
Roman

jcoates_splunk · ‎01-23-2014

You can use a transaction command to do this if there is a matching and unique element in both events. For this specific data type you need a transaction ID, addresses and ports won't be unique enough (unless maybe if you evaluate them into a single field?)

View solution in original post

jcoates_splunk · ‎01-23-2014

You can use a transaction command to do this if there is a matching and unique element in both events. For this specific data type you need a transaction ID, addresses and ports won't be unique enough (unless maybe if you evaluate them into a single field?)

mikesr · ‎02-25-2014

Transaction command works very well.

Thanks for the hint.

lukejadamec · ‎01-23-2014

I'm pretty sure you can use transaction for that. Can you post a build and teardown event for a connection?

Can I process ASA Built and Teardown as a single event ?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life