All Apps and Add-ons

Cisco Firewall Add-on - empty results

ahammond
Explorer

In Security Suite under Firewall > Overview search shows no results, viewing the Inspect shows search eventtype="cisco_firewall" | bin _time span=5m | stats count by eventtype, src_ip, dest_ip, host,log_level_desc,event_desc, _time

If I remove each transform filter one at a time I find that neither log_level_desc or event_desc will return results, as if they do not exist in the indexed data. If I remove them both then results are displayed.

Where do I start looking?

bpad
New Member

My Sourcetype is 'cicso__asa' after fixing the regex, but in "Cisco Firewall overview" for example the field event_desc shows somethin like this:

\"Deny protocol src [interface_name:sourceaddress/source_port] dst interfacename:dest_address/dest_port [type {string}, code {code}] by accessgroup aclID\"

The other fields get extracted correctly. Perhaps someone has a hint?
Where ist the field event_desc defined? Can i manually edit it?
Thanks in advance

Bpad

0 Karma

bpad
New Member

Mine is also v8.2. What Versions are other people using? This ASA plugin is great and i hope i someone can help to fix this?!

0 Karma

cvajs
Contributor

i notice this too but my data is from v8.2, must be an extraction issue in the base app?

0 Karma

cvajs
Contributor

if its newer ASA then maybe you need to fix the regex for this source type
see http://splunk-base.splunk.com/answers/42936/cisco-asa-logging-format-change

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...