Splunk Add-on for Cisco ASA 3.2.4: How to configure transforms.conf to properly extract the host field?

adamblock2
Path Finder

I am currently running Splunk 6.2.3 with the Splunk Add-on for Cisco ASA version 3.2.4.

When I look at Cisco ASA firewall events (sourcetype=cisco:asa) I have noticed that the dvc field is properly populated with the firewall context. However, this is not the case with the host field. The following are examples:

source = /syslog_hot/splunk/asa/ent_firewall.log
dvc = admin
host = admin

source = /syslog_hot/splunk/asa/ent_firewall.log
dvc = campus
host = campus

source = /syslog_hot/splunk/asa/asavpn.log
dvc = 5585vpn
host = cc-syslog01.mycompany.edu

I attempted looking for entries in the Splunk Add-on for Cisco ASA transforms.conf which extract the host field, but did not find one. It thus appears that the host field is using the default transforms.conf located in /opt/splunk/etc/system/default.

If I am understanding this correctly, the REGEX in the default transforms.conf is not matching, and as a result the host field is being populated with the hostname of the syslog server.

What would be the best solution for this? Should I create entries in the local/transforms.conf and local/props.conf of the add-on to properly extract/assign the host field?

Thank you.

1 Solution

adamblock2
Path Finder

I made the following changes to the Splunk_TA_cisco-asa app on our Indexers, and it appears to have solved/fixed the issue:

local/transforms.conf

[force_host_for_cisco_asa]
REGEX = ^(?:[^ \n]*\s{1,2}){3}([^ ]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

===============================

local/props.conf

[source::...asa/asavpn.log]
TRANSFORMS-force_host_for_cisco_asa = force_host_for_cisco_asa

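The transform above is purely positional: it binds only to sources matching `...asa/asavpn.log` and promotes the fourth whitespace-separated token of each line to the host field. As an added check (not the poster's configuration or Splunk's code), the Python below emulates that pairing of props.conf stanza and transform against constructed rsyslog lines, including the two-space padding of single-digit days and a line with no syslog header; `source_stanza_matches`, `resolve_host`, the sample events and hostnames are assumptions made for the example, while the REGEX and stanza pattern are the ones from the answer.

```python
import re

# REGEX from the accepted answer's [force_host_for_cisco_asa] stanza, copied from
# the page. Splunk evaluates it with PCRE; Python's re agrees for this pattern.
FORCE_HOST_REGEX = re.compile(r"^(?:[^ \n]*\s{1,2}){3}([^ ]+)")
SOURCE_STANZA = "...asa/asavpn.log"  # the props.conf stanza the answer uses

def source_stanza_matches(pattern: str, source: str) -> bool:
    """Emulate props.conf [source::<pattern>] matching: '...' matches any run of
    characters including '/', '*' any run of characters except '/'."""
    parts = re.split(r"(\.\.\.|\*)", pattern)
    regex = "".join(".*" if p == "..." else "[^/]*" if p == "*" else re.escape(p)
                    for p in parts)
    return re.fullmatch(regex, source) is not None

def resolve_host(source: str, raw_event: str, input_host: str) -> str:
    """Return the host Splunk would index for one event. input_host is what the
    monitor input assigned (for a file on a syslog collector, the collector's own
    name). The transform runs only when source matches the stanza; FORMAT =
    host::$1 then replaces host with capture group 1. No match keeps input_host."""
    if not source_stanza_matches(SOURCE_STANZA, source):
        return input_host
    match = FORCE_HOST_REGEX.match(raw_event)
    return match.group(1) if match else input_host

# Constructed events in the layout rsyslog writes when the ASA has
# "logging device-id hostname": <Mon> <day> <time> <host> <message>.
VPN_LOG = "/syslog_hot/splunk/asa/asavpn.log"
FW_LOG = "/syslog_hot/splunk/asa/ent_firewall.log"
COLLECTOR = "cc-syslog01.mycompany.edu"
SAMPLES = [
    # two-digit day: the stanza applies and the fourth token becomes host
    (VPN_LOG, "May 15 10:21:43 5585vpn %ASA-6-302013: Built outbound TCP connection", COLLECTOR),
    # single-digit day: rsyslog pads it with two spaces, which \s{1,2} absorbs
    (VPN_LOG, "May  5 08:02:11 5585vpn %ASA-4-106023: Deny tcp src outside:203.0.113.9/443", COLLECTOR),
    # no syslog header: the regex is purely positional, so it still matches and
    # promotes the fourth word ("connection") to host; nothing validates it
    (VPN_LOG, "%ASA-6-302014: Teardown TCP connection 1234 duration 0:00:01", COLLECTOR),
    # other source: the stanza does not apply, host stays as the input set it
    (FW_LOG, "May 15 10:21:43 admin %ASA-6-302013: Built outbound TCP connection", "admin"),
]

def run_samples(samples=SAMPLES) -> list:
    """Resolve the host for every constructed sample, in order."""
    return [resolve_host(src, event, input_host) for src, event, input_host in samples]

if __name__ == "__main__":
    for (src, event, _), host in zip(SAMPLES, run_samples()):
        print(f"{src.rsplit('/', 1)[-1]:18} host={host!r:30} {event[:40]}")
```

The third sample is the case worth watching in production: a line that reaches the file without its syslog header is silently indexed under whatever its fourth word happens to be, so a search on host= can miss or misattribute those events.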

ejwade
Contributor

As long as I had my hostname in the ASA configured correctly, as well as this command:

asa(config)#logging device-id hostname

The Add-on was able to pull out the hostname accurately. I got it working by monitoring the log file on an rsyslog server, and only assigning "syslog" as the sourcetype.
