All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Will the Splunk Add-on for Cisco ASA apply for parsing the new log format (NGFW)?

cburgman
Path Finder
‎04-28-2017 07:08 AM

We are introducing some ASAs with the unified NGFW images into our environment. The log format is different than the standard ASAs. Will the same TA (Splunk Add-on for Cisco ASA) apply for parsing the new log format?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xavierashe
Contributor
‎05-02-2017 10:01 AM

You will need to download and install the Splunk Add-on for Cisco FireSIGHT. It has the parsing support for the Cisco Next-Generation Firewall (NGFW) logs.

View solution in original post

Reply
Solved! Jump to solution
Solution

xavierashe
Contributor
‎05-02-2017 10:01 AM

You will need to download and install the Splunk Add-on for Cisco FireSIGHT. It has the parsing support for the Cisco Next-Generation Firewall (NGFW) logs.

Reply
Solved! Jump to solution

cburgman
Path Finder
‎05-02-2017 10:56 AM

I will install the app later this week and will report back. Thanks for the info.

0 Karma
Reply
Solved! Jump to solution

cburgman
Path Finder
‎05-03-2017 09:18 AM

Worked great... Just needed to add TZ=UTC to the props.conf to normalize the time.

0 Karma
Reply
Solved! Jump to solution

xavierashe
Contributor
‎04-29-2017 09:11 AM

Do you have any sample events? We can just take a peak in the transforms file to see if the regex is there.

0 Karma
Reply
Solved! Jump to solution

cburgman
Path Finder
‎05-02-2017 02:51 PM 
Apr 28 15:00:00 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 131.x.x.x, SrcPort: 63942, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: MS Online, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 367, ResponderBytes: 58, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://login.live.com
Apr 28 15:00:06 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 157.x.x.x, SrcPort: 63943, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft Update, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 377, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://sls.update.microsoft.com
Apr 28 15:00:19 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 10.x.x.x, SrcPort: 443, DstPort: 64206, TCPFlags: 0x0, EgressInterface: outside, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 2785675782, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:19 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 65.x.x.x, SrcPort: 63944, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 383, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://watson.telemetry.microsoft.com
Apr 28 15:00:20 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 64.x.x.x, OriginalClientIP: ::, DstIP: 10.x.x.x, SrcPort: 443, DstPort: 55013, TCPFlags: 0x0, IngressInterface: outside, EgressInterface: inside, IngressZone: Test_Network, EgressZone: Ingress_Zone_Name, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 2785734629, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:35 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 216.x.x.x, SrcPort: 53401, DstPort: 9090, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 66, ResponderBytes: 54, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:35 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 216.x.x.x, SrcPort: 55020, DstPort: 9090, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 66, ResponderBytes: 54, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:35 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 216.x.x.x, SrcPort: 53401, DstPort: 9090, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 66, ResponderBytes: 54, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:39 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 131.x.x.x, SrcPort: 63947, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: MS Online, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 367, ResponderBytes: 58, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://login.live.com
Apr 28 15:00:45 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 157.x.x.x, SrcPort: 63948, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft Update, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 377, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://sls.update.microsoft.com
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...