
Splunk for Cisco Firewalls App Strangeness.

Splunker
Communicator

Folks,

I'm having a strange problem I've been unable to resolve. I'm running Splunk 4.2.4 in a distributed setup (1 x Search Head & 1 x Indexer).

I've installed the Splunk for Cisco Firewalls app (on SH and Indexer) and I'm actually trying to troubleshoot a macro, but when I run the search manually it doesn't work, so the problem is not the macro.

Doing the following search (with the Splunk for Cisco Firewalls app installed and ASA data sourcetype'd as cisco_asa) returns no hits:

sourcetype=cisco_asa action=allowed

Whereas sourcetype=cisco_asa on its own returns results, and in the field picker I can see the action field with a value of allowed in it (originating from ASA "Built" connections).

Even clicking on the value in the action field from the field picker returns no results whenever "action=allowed" is added to the search. I've tried double quotes and single quotes as well.

I've checked permissions and the app's props.conf/transforms.conf (all defaults) of the Splunk Cisco Firewalls app, and everything seems fine.

If someone has some sample Cisco ASA data loaded and could test the above search, I'd be interested to know if it works.

Or any thoughts on something I could try? I've run out of ideas 🙂

Thanks!


Splunker
Communicator

[Posted as an answer as it won't fit as a comment :)]

Hmm, I've got a hunch the FORMAT specifier isn't accepting multiple fields:

[ciscosyslog-action-allowed]
REGEX = (Built|[pP]ermitted)
FORMAT = action::allowed actual_action::$1

Taken from $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/default/transforms.conf

When I search for 'sourcetype=cisco_asa actual_action=Built' it returns hits OK, but not for 'sourcetype=cisco_asa action=allowed'.

I suspect the latter overrides the former in the FORMAT string. The strange thing is I've read transforms.conf.spec and it states:

* FORMAT for search-time extractions:
* The format of this field as used during search time extractions is as follows:
* FORMAT = <field-name>::<field-value>( <field-name>::<field-value>)*

And it's definitely a search-time transform (from $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewall/default/props.conf):

[cisco_asa]
REPORT-asa = ...., ciscosyslog-action-allowed, ... etc

Starting to wonder if this is a bug. Doing some more testing.

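To have something concrete to compare Splunk's output against, here is a small emulation of what transforms.conf.spec says a search-time REPORT transform with a multi-field FORMAT should produce. This is an added example, not code from the original post or from the Splunk for Cisco Firewalls app: it re-implements only the documented FORMAT semantics (run REGEX, substitute $n with the capture groups, emit every <field>::<value> pair), not Splunk's real extraction engine. The ASA syslog lines are constructed samples in the usual ASA message style; the REGEX and FORMAT are the ones quoted above. If Splunk's field picker shows action=allowed for a "Built" event, this is the result the spec leads you to expect from the search 'sourcetype=cisco_asa action=allowed' as well.

```python
import re

# Constructed sample ASA syslog events (illustrative, not captured traffic).
SAMPLE_EVENTS = [
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/51234 "
    "(198.51.100.7/51234) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "%ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.9(40000) -> "
    "inside/10.0.0.5(22) hit-cnt 1 first hit [0x1234abcd, 0x0]",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.4/1234 dst inside:10.0.0.5/23 '
    'by access-group "outside_in"',
]

# The [ciscosyslog-action-allowed] stanza exactly as quoted from the app's transforms.conf.
TRANSFORM = {
    "REGEX": r"(Built|[pP]ermitted)",
    "FORMAT": "action::allowed actual_action::$1",
}

# One "<field-name>::<field-value>" pair, per the FORMAT grammar in transforms.conf.spec.
FORMAT_PAIR = re.compile(r"(\S+?)::(\S+)")


def apply_transform(event, transform):
    """Emulate a search-time REPORT transform as transforms.conf.spec describes it.

    Run REGEX against the raw event; on a match, expand every $n in FORMAT with
    the corresponding capture group and return all <field>::<value> pairs as a
    dict. No match means the transform contributes no fields at all.
    """
    match = re.search(transform["REGEX"], event)
    if not match:
        return {}

    def expand(value):
        # $1, $2, ... refer to REGEX capture groups; literal text is kept as-is.
        return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))) or "", value)

    return {field: expand(value) for field, value in FORMAT_PAIR.findall(transform["FORMAT"])}


def search(events, transform, **criteria):
    """Emulate 'sourcetype=cisco_asa field=value ...' over already-filtered events.

    An event is a hit only if every field=value criterion matches the fields
    the transform extracted from it.
    """
    hits = []
    for event in events:
        fields = apply_transform(event, transform)
        if all(fields.get(field) == value for field, value in criteria.items()):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(apply_transform(event, TRANSFORM), "<-", event[:40])
    # Both searches from the thread, side by side:
    print("action=allowed       ->", len(search(SAMPLE_EVENTS, TRANSFORM, action="allowed")), "hits")
    print("actual_action=Built  ->", len(search(SAMPLE_EVENTS, TRANSFORM, actual_action="Built")), "hits")
```

Under the documented semantics both fields come out of a single match, so 'action=allowed' should hit every "Built" and "permitted" event and 'actual_action=Built' only the "Built" ones; the "Deny" event yields neither field. A divergence from this in Splunk points at something other than the FORMAT grammar itself, for example the app context or sharing permissions of the knowledge objects.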

dmaislin_splunk
Splunk Employee

Did you try making the app global when you are in the search app and re-run your test? Many of the macros and extractions are stored in the app and if you run a generic search outside the cisco apps, they may not work since the fields are not exposed in other apps. Go to manager/apps and set the permissions of the various cisco apps/addons and try again.


Splunker
Communicator

Thanks - I am running under a user account with the admin role assigned. I've gone over the generic permissions but will look a little further.

I tried running under 'splunk start --diag' and am looking through the debug for clues at the moment.

The macro basically doesn't run because the underlying search doesn't work, so I'm debugging the search as a search at the moment, not as a macro (I'll be doing that next).

Anyway, I'll dig into the permissions more and see what I find.

Thanks.
