Solved: Splunk Add-on for Cisco ASA incorrect Extraction o...

bmacias84 · ‎06-08-2015

In Splunk Add-on for Cisco ASA user is incorrectly be extracted. Instead of extracting extracting the username as the value, the value is "user". In the event below, the field user should be cassandra, but is returned as "user".

Example event:
Jun 8 14:44:35 lue-wai-wei-00s : %WEI-6-000001: PIA user authentication Successful : server = 062.11.01.83 : user = cassandra

The issue is most likely a transform issue.

Splunk Add-on for Cisco ASA, version 3.2.2, build 263053

bmacias84 · ‎06-08-2015

I have found the bug in the transform named cisco_fw_kv_3.

[cisco_fw_kv_3] 
REGEX = ([uU]sername|[uU]ser)\s*=\s*([^,][^\s\)]+) 
FORMAT = user::$1

The regex statement has to matching groups. $1 retrieves first matching group which contains user. The correct matching group is $2. This is a Splunk app bug in splunk_ta_cisco-asa. Fix is below.

[cisco_fw_kv_3] 
REGEX = ([uU]sername|[uU]ser)\s*=\s*([^,][^\s\)]+) 
FORMAT = user::$2

View solution in original post

bmacias84 · ‎06-08-2015

I have found the bug in the transform named cisco_fw_kv_3.

[cisco_fw_kv_3] 
REGEX = ([uU]sername|[uU]ser)\s*=\s*([^,][^\s\)]+) 
FORMAT = user::$1

The regex statement has to matching groups. $1 retrieves first matching group which contains user. The correct matching group is $2. This is a Splunk app bug in splunk_ta_cisco-asa. Fix is below.

[cisco_fw_kv_3] 
REGEX = ([uU]sername|[uU]ser)\s*=\s*([^,][^\s\)]+) 
FORMAT = user::$2

jcoates_splunk · ‎06-08-2015

Hi, this is a known issue that should go in the next maintenance release (ADDON-3916) -- we'll update the docs.

Splunk Add-on for Cisco ASA incorrect Extraction of user

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes