In Splunk Add-on for Cisco ASA user is incorrectly be extracted. Instead of extracting extracting the username as the value, the value is "user". In the event below, the field user should be cassandra, but is returned as "user".
Example event:
Jun 8 14:44:35 lue-wai-wei-00s : %WEI-6-000001: PIA user authentication Successful : server = 062.11.01.83 : user = cassandra
The issue is most likely a transform issue.
Splunk Add-on for Cisco ASA, version 3.2.2, build 263053
I have found the bug in the transform named cisco_fw_kv_3.
[cisco_fw_kv_3]
REGEX = ([uU]sername|[uU]ser)\s*=\s*([^,][^\s\)]+)
FORMAT = user::$1
The regex statement has to matching groups. $1 retrieves first matching group which contains user. The correct matching group is $2. This is a Splunk app bug in splunk_ta_cisco-asa. Fix is below.
[cisco_fw_kv_3]
REGEX = ([uU]sername|[uU]ser)\s*=\s*([^,][^\s\)]+)
FORMAT = user::$2
I have found the bug in the transform named cisco_fw_kv_3.
[cisco_fw_kv_3]
REGEX = ([uU]sername|[uU]ser)\s*=\s*([^,][^\s\)]+)
FORMAT = user::$1
The regex statement has to matching groups. $1 retrieves first matching group which contains user. The correct matching group is $2. This is a Splunk app bug in splunk_ta_cisco-asa. Fix is below.
[cisco_fw_kv_3]
REGEX = ([uU]sername|[uU]ser)\s*=\s*([^,][^\s\)]+)
FORMAT = user::$2
Hi, this is a known issue that should go in the next maintenance release (ADDON-3916) -- we'll update the docs.