Splunk Search

When searching ASA Syslog, Splunk claims "bytes" is a host.

nunyabizness
Explorer

I don't understand how to get Splunk to properly parse the Teardown messages from my ASA cluster. It claims that "bytes" is a host, which it is not.

Here is an example of the messages that are being improperly attributed to "bytes":

<190>May 14 2010 15:08:48: %ASA-6-302016: Teardown UDP connection 77425970 for outside:192.168.2.30/61031 to inside:IN-TDC1/53 duration 0:00:03 bytes 314

<190>May 14 2010 15:08:48: %ASA-6-302014: Teardown TCP connection 77426021 for outside:192.168.2.28/3838 to inside:172.30.21.41/135 duration 0:00:00 bytes 2630 TCP FINs (d397500)

Can anyone give me a pointer as to how I can get it to interpret the log correctly?

0 Karma

nunyabizness
Explorer

While I appreciate the input from Lowell, it appears that this bug only occurs when I'm configured to send/receive the syslog messages via TCP. It cleared up when I blew out the database and started over with UDP 🙂

Lowell
Super Champion

Is your sourcetype being detected as syslog? The syslog and similarly-named sourcetypes have a host field extraction set up by default that sometimes gets confused, and it seems that's what's happening here.

The transforms.conf file contains the following regex, which is your problem.

[syslog-host]
...
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
...

I ran it using a regex tool and it does in fact match "bytes" in the sample event you posted. So then bytes becomes the value for host. Whoops.

The simple way to fix this is to assign your input as a different/custom sourcetype. The other approach is to disable the syslog host extraction, which may be less desirable as it could affect other syslog events you are indexing.

You can add your own custom sourcetype by adding an entry in your local props.conf file, like so:

[cisco_asa]
TIME_FORMAT = %b %d %Y %H:%M:%S
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False

Then you have to set up a source-matching rule that associates that input with your new sourcetype. How you set that part up will depend on how Splunk's inputs are set up. If you are new to Splunk and/or don't know where to get started, check out What's a Splunk index. It may take a bit to wrap your head around everything, but this is worth understanding and will save you time in the long run.
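To see the mis-extraction for yourself outside Splunk, the following added example (not code from the thread or from Splunk) runs the syslog-host regex quoted above against the two ASA events from the question and against a constructed conventional syslog line (hostname "fw01" is made up). It shows both the host value the transform would pick and the exact text the regex latched onto.

```python
import re
from typing import Optional

# The syslog-host extraction regex quoted from transforms.conf in the answer above.
SYSLOG_HOST_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s"
)

# The two ASA Teardown events posted in the question.
ASA_EVENTS = [
    "<190>May 14 2010 15:08:48: %ASA-6-302016: Teardown UDP connection 77425970 "
    "for outside:192.168.2.30/61031 to inside:IN-TDC1/53 duration 0:00:03 bytes 314",
    "<190>May 14 2010 15:08:48: %ASA-6-302014: Teardown TCP connection 77426021 "
    "for outside:192.168.2.28/3838 to inside:172.30.21.41/135 duration 0:00:00 bytes 2630 "
    "TCP FINs (d397500)",
]

# A constructed BSD-style syslog line for comparison; the hostname "fw01" is invented.
PLAIN_SYSLOG_EVENT = "<38>May 14 15:08:48 fw01 sshd[4242]: Accepted publickey for admin"


def extract_host(event: str) -> Optional[str]:
    """Return what the syslog-host transform would assign to the host field, or None."""
    m = SYSLOG_HOST_REGEX.search(event)
    return m.group(1) if m else None


def matched_span(event: str) -> Optional[str]:
    """Return the full text the regex matched, which reveals the ':dd ' anchor it used.

    The regex expects ':dd' followed by whitespace, i.e. the seconds of a 'HH:MM:SS '
    syslog timestamp, and takes the next word as the host.  ASA writes its timestamp
    as '15:08:48:' with a trailing colon, so that anchor fails there; the first ':dd '
    that does satisfy it is the end of 'duration 0:00:03 ', and the next word is 'bytes'.
    """
    m = SYSLOG_HOST_REGEX.search(event)
    return m.group(0) if m else None


if __name__ == "__main__":
    for ev in ASA_EVENTS + [PLAIN_SYSLOG_EVENT]:
        print(f"host={extract_host(ev)!r:10} matched={matched_span(ev)!r}")
```

Running it shows "bytes" extracted from both ASA events (anchored on the duration field) and "fw01" from the conventional line, which is why the default syslog sourcetype works for most devices but not for these ASA messages.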

nunyabizness
Explorer

Lowell - thank you for your quick reply.

This seems like a lot of effort...I'm really only going to be monitoring ASA units from this installation - is there any way we can simply exclude the word "bytes" and the following digits from being extracted?

0 Karma