cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Karma1991
Explorer
Member since: ‎12-19-2018
‎04-02-2021
Community Statistics
Posts 4
Solutions 1
Karma Given 2
Karma Received 1
Member Since ‎12-19-2018
Activity Feed
View All

FYI: How to extract source webserver & malware sig...

by in All Apps and Add-ons
‎10-14-2020 11:36 AM
‎10-14-2020 11:36 AM
If you have issues where the Sophos sourcetype is not extracting the source webserver & malware signature from web activity events, add this line to pull those events. I couldn't find a solution for this problem, so here's mine: "Access was blocked to \"(?<origin>[^\"]+)\" because of \"(?<threat>[^\"]+)\"." This'll make use of the already created but null fields, origin & threat. ... View more
Labels

Re: Cisco ASA TA message_id not being extracted

by in All Apps and Add-ons
‎07-15-2020 10:58 AM
1 Karma
‎07-15-2020 10:58 AM
1 Karma
Issue has been resolved, the issue is that my ASA's send the logs with the word 'session' in between ASA & the log level. After updating the following stanzas in the transforms.conf it started extracting everything as expected. For anyone that runs across the issue of ASA logs not being CIM-compliant and having tags/actions auto-applied, check the following: Change #1 From  [force_sourcetype_for_cisco_asa] REGEX = %(?:ASA|FTD)-\d+-\d{6} To [force_sourcetype_for_cisco_asa] REGEX = %(?:ASA|FTD)-(?:\w*)-\d+-\d{6} Change #2 From [cisco_asa_log_level_message_id] REGEX = %(?:ASA|FTD)-(?<log_level>\d+)-(?<message_id>\d+) To [cisco_asa_log_level_message_id] REGEX = %(?:ASA|FTD)-(?:\w*)-(?<log_level>\d+)-(?<message_id>\d+) ... View more

Re: Cisco ASA TA message_id not being extracted

by in All Apps and Add-ons
‎07-15-2020 07:37 AM
‎07-15-2020 07:37 AM
You get an upvote just for helping; how 'bout that!? But no, the ASA version has not changed; what's changed is Splunk, apps & add-ons have been upgraded. But like I said, going to the Splunk_TA_cisco-asa/default/transforms.conf and copying the REGEX from below, Splunk matches it to events in search but the field is not extracted thus causing eventtypes not to work which in-turn cause CIM tags not to be applied correctly. [cisco_asa_message_id_722041] REGEX = -722041:\s*TunnelGroup\s+(?:\<\s*)?(?<tunnel_group>[^\>\s]+)(?:\s*\>)?\s+GroupPolicy\s+(?:\<\s*)?(?<group_policy>[^\>\s]+)(?:\s*\>)?\s+User\s+(?:\<\s*)?(?<user>[^\>\s]+)(?:\s*\>)?\s+IP\s+(?:\<\s*)?(?<src_ip>[^\>\s]+)(?:\s*\>)? ... View more

Cisco ASA TA message_id not being extracted

by in All Apps and Add-ons
‎07-14-2020 01:13 PM
‎07-14-2020 01:13 PM
Up until recently, the InfoSec app VPN dashboards were populating just fine. Recently however they stopped and upon further investigation, it seems like data from our Cisco ASAs are not being extracted correctly. After some troubleshooting I backed up the Splunk_TA_cisco-asa folder and reinstalled the add-on from Splunkbase. One of the fields that is not being extracted is message_id; Going to the transforms and copying the regex for one of the message_id fields I was able to match events to it, but for some reason Splunk is not extracting it. The issue continues even after the fresh install of the add-on. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-02-2021 10:19 AM
Karma from
View All
Karma given to