I see what you're saying, but i can't say that I agree with you.

I dont believe this has anything to do with the inspection engine, as this will occur with any outbound connection. Additionally, inbound/outbound classification is not impacted by any deny rules or the inspection engine, it is only based on the security levels of the source and destination interfaces.

The same results can be seen with SYSLOG IDs for TCP:

ASA-6-302013
ASA-6-302014

...so long as they are labelled by the firewall as outbound.

Here is an inbound connection that is parsing correctly, where the connection was terminated from the inside.

%ASA-6-302013: Built inbound TCP connection 569198598 for inside:172.16.46.131/64703 (172.16.46.131/64703) to mpls:10.12.3.11/443 (10.12.3.11/443)

• src_ip = 172.16.46.131
• dest_ip = 10.12.3.11

%ASA-6-302014: Teardown TCP connection 569198598 for inside:172.16.46.131/64703 to mpls:10.12.3.11/443 duration 0:01:40 bytes 1338 TCP FINs from inside

• src_ip = 172.16.46.131
• dest_ip = 10.12.3.11

Here's a similar outbound connection that is flipped.

%ASA-6-302013: Built outbound TCP connection 575965019 for cmoutside:12.234.139.10/443 (12.234.139.10/443) to inside:172.16.46.190/61613 (61.61.123.226/61613)

• src_ip = 172.16.46.190
• dest_ip = 12.234.139.10

%ASA-6-302014: Teardown TCP connection 575965019 for cmoutside:12.234.139.10/443 to inside:172.16.46.190/61613 duration 0:00:04 bytes 4002 TCP FINs from inside

• src_ip = 12.234.139.10
• dest_ip = 172.16.46.190

Why would it suddenly be ok to flip the script because it's an outbound connection? I really just think Splunk is parsing the first IP seen as the source, the 2nd as the destination. This does not get flipped around in the SYSLOG message when it's an inbound connection.

It appears something like this has happened before:

https://answers.splunk.com/answers/513608/major-problem-with-cisco-asa-add-on.html

I was able to find these strings in transforms.conf (Splunk_TA_cisco-asa):

[reverse_src_dest_for_outbound]
REGEX = [Oo]utbound\s+\S+\s+connection\s+\d+\s+for\s+\S+\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?\s+to\s+[^:]+:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?
FORMAT = dest_ip::$1 dest_port::$2 dest_user::$3 dest_translated_ip::$4 dest_translated_port::$5 src_ip::$6 src_port::$7 src_user::$8 src_translated_ip::$9 src_translated_port::$10

This seems to handle the flipping of ASA-6-302013 and ASA-6-302015, but since ASA-6-302014 and ASA-6-302016 do NOT contain the word "outbound" in it, maybe it's getting caught by the normal src/dst REGEX:

[cisco_src_dest_ipv4]
REGEX =  (?:(\S+)/)?(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\((\d*)\)\s\->\s(?:(\S+)/)?(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\((\d*)\)
FORMAT = src_zone::$1 src_ip::$2 src_port::$3 dest_zone::$4 dest_ip::$5 dest_port::$6

I am searching in the "Search & Reporting" app to look at and manipulate logs to find stats / correlations.

What is this app going to add for me that I can't already do? Im not keen on the pointless dashboards these things come with.

Additionally, i have the following 2x "addons":

Splunk Add-on for Cisco ASA
Cisco Networks Add-on

Im guessing that these are what's parsing the data into fields for Cisco devices?

Edit: Ok so they are the same thing (1620).

I have version 3.4.0.