Cisco Router ACL Logs - How to Utilize in Cisco Security App?

umpiloto
Engager

Hi All -

Just discovered Splunk, and I must say it's an amazing tool.

I've configured a router to send syslog messages to Splunk, and they are indeed being collected.
I've also installed the Cisco security app along with a few of its sub-apps.
The Cisco firewall app, though, doesn't seem to be able to read any of the data generated by the ACL deny log entries generated by my router. It seems these syslog entries are not in the same format as those which would be generated by a true ASA or PIX firewall. Still, I have all sorts of source IP / port and dest IP / port entries, so there is so much potential here! Any ideas on how I could make my current data readable by the Cisco Security Splunk app would be very much appreciated.

Thanks

cphnetworkguy
New Member

I did like this:
severity=* index=ciscoios vendor_category="IP security"
| stats count(ACL_action) AS Amount BY host,ACL_name,ACL_serviceport,ACL_sourceip,ACL_destinationip,ACL_action
| table host Amount ACL_name,ACL_action,ACL_serviceport,ACL_sourceip,ACL_destinationip

Then you just have to make your variables match your setup. I have done it like this:
severity=* index=ciscoios vendor_category="IP security"
| stats count(ACL_action) AS Amount BY host,ACL_name,ACL_serviceport,ACL_sourceip,ACL_destinationip,ACL_action
| table host Amount ACL_name,ACL_action,ACL_serviceport,ACL_sourceip,ACL_destinationip

But you need to extract the fields so they match the names of the variables you use.

0 Karma

tbaschak
Explorer

What you need to do is field-extract the same fields from the IOS ACL deny log entries. I've used the following quick rex commands in the past to dig info from ACLs.

host="someIOSfirewall" %SEC-6-IPACCESSLOGP | rex field=_raw "list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dst_address>\d+\.\d+\.\d+\.\d+)\((?<dst_port>\d+)\)" | chart sparkline count by src_address

host="someIOSfirewall" %SEC-6-IPACCESSLOGP | rex field=_raw "list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dst_address>\d+\.\d+\.\d+\.\d+)\((?<dst_port>\d+)\)" | lookup geoip clientip as src_address | chart sparkline count by client_country | sort -count

Just make the field names match what it is expecting, and the type to match, and you'll be set.

0 Karma

tbaschak
Explorer

You'd actually want to do this with a field extraction, but you could test the field extraction with the rex, though.
Something like this in your local/props.conf

[host::x.y.z.b]
EXTRACT-ip_proto,src_address,src_port,etc = list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dst_address>\d+\.\d+\.\d+\.\d+)\((?<dst_port>\d+)\)

You'll need to customize the extracted field names to match.

0 Karma
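The IOS ACL field extraction described in the two replies above, as an added Python example that is not part of this thread or of the Splunk Cisco app: it applies the same kind of named-group regex to a few constructed %SEC-6-IPACCESSLOGP lines and reproduces the "count by src_address" step outside Splunk, so you can confirm the pattern captures what you expect before putting it in props.conf. The log lines, router name and addresses are constructed; the field names follow the thread's ip_proto/src_address/src_port naming, with dst_address, dst_port, acl_name, acl_action and packets assumed as the obvious counterparts.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape of Cisco IOS ACL log messages.
# Hostname and addresses are hypothetical; the last line is deliberately not
# an ACL message so the parser's "no match" path is exercised.
SAMPLE_LOGS = [
    "Jan 10 10:01:02 rtr1 123: *Jan 10 10:01:01.123: %SEC-6-IPACCESSLOGP: "
    "list 101 denied tcp 198.51.100.7(41234) -> 192.0.2.10(22), 1 packet",
    "Jan 10 10:01:05 rtr1 124: *Jan 10 10:01:04.456: %SEC-6-IPACCESSLOGP: "
    "list 101 denied udp 198.51.100.7(53011) -> 192.0.2.10(161), 3 packets",
    "Jan 10 10:01:09 rtr1 125: *Jan 10 10:01:08.789: %SEC-6-IPACCESSLOGP: "
    "list 101 denied tcp 203.0.113.44(50120) -> 192.0.2.10(3389), 1 packet",
    "Jan 10 10:01:12 rtr1 126: *Jan 10 10:01:11.000: %SEC-6-IPACCESSLOGP: "
    "list 101 permitted tcp 198.51.100.9(40000) -> 192.0.2.10(443), 1 packet",
    "Jan 10 10:02:00 rtr1 127: *Jan 10 10:01:59.000: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0",
]

# Same shape as the rex in the thread, with the ACL number and action captured
# as well so one pattern covers every list and both deny and permit entries.
# The parentheses around the ports are literal in the log and must be escaped.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl_name>\S+) (?P<acl_action>denied|permitted) "
    r"(?P<ip_proto>[a-zA-Z]+) "
    r"(?P<src_address>\d{1,3}(?:\.\d{1,3}){3})\((?P<src_port>\d+)\) -> "
    r"(?P<dst_address>\d{1,3}(?:\.\d{1,3}){3})\((?P<dst_port>\d+)\)"
    r"(?:, (?P<packets>\d+) packets?)?"
)


def extract_acl_fields(line):
    """Return a dict of extracted fields for an ACL log line, or None if the
    line is not an IPACCESSLOGP message (mirrors a props.conf EXTRACT that
    simply yields no fields on non-matching events)."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["src_port"] = int(fields["src_port"])
    fields["dst_port"] = int(fields["dst_port"])
    # The packet count is optional in the message; keep None when absent.
    if fields["packets"] is not None:
        fields["packets"] = int(fields["packets"])
    return fields


def denied_by_source(lines):
    """Equivalent of '... | search acl_action=denied | stats count by src_address':
    count denied entries per source address, skipping unparsable lines."""
    counts = Counter()
    for line in lines:
        f = extract_acl_fields(line)
        if f is not None and f["acl_action"] == "denied":
            counts[f["src_address"]] += 1
    return counts


def denied_by_service(lines):
    """Count denied entries per (ip_proto, dst_port), the 'serviceport' view
    used in the stats search earlier in the thread."""
    counts = Counter()
    for line in lines:
        f = extract_acl_fields(line)
        if f is not None and f["acl_action"] == "denied":
            counts[(f["ip_proto"], f["dst_port"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(extract_acl_fields(line))
    print(denied_by_source(SAMPLE_LOGS))
    print(denied_by_service(SAMPLE_LOGS))
```

Once the pattern behaves the way you want here, the same regex body (with `(?P<name>` or `(?<name>`) goes into the `EXTRACT-` line in props.conf; the point of the named groups is only that the names line up with whatever fields the Cisco app expects.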

robinjames
New Member

Thanks for your reply! I was looking for this answer as well... I'm new to this, so your answer looks like Greek to me, but hopefully I can figure it out.

Where would I place rex commands like those to have the Cisco Suite pick up those fields?

0 Karma