topic Cisco CSA Indexing Issue in Security

Cisco CSA Indexing Issue

cvajs — Wed, 04 Apr 2012 20:36:29 GMT

v4.3.1 on sles 11.1

i have my cisco csa v5.2.0.278 alerts going to splunk via udp 162 (snmp traps)

the raw data (via splunk view) looks like this
0\x82\u0002\xC3\u0002\u0001\u0001\u0004\u0006public\xA7\x82\u0002\xB4\u0002\u0003\u001b3\xFA\u0002\u0001

and the Client Security App doesnt display anything. i set the source type to cisco_csa, so why this App not working?

the raw data from tcpdump for a snmp trap is:
16:56:05.188160 IP (tos 0x0, ttl 128, id 24807, offset 0, flags [none], proto UDP (17), length 762) venom.prod.org.cplscrambler-lg > SPLUNK.PROD.ORG.snmptrap: { SNMPv2c { V2Trap(715) R=1783164 system.sysUpTime.0=116503972 S:1.1.4.1.0=E:8590.3.1 E:8590.2.1=10317498 E:8590.2.2=1374 E:8590.2.3="HOSTB.prod.org" E:8590.2.4="2012-04-04 16:56:00.000" E:8590.2.5=2 E:8590.2.6=179 E:8590.2.7= E:8590.2.8= E:8590.2.9= E:8590.2.10= E:8590.2.11="The 'Service Control Manager' service logged event code 7036 into the system event log: The Ati HotKey Poller service entered the stopped state. " E:8590.2.12=1658 E:8590.2.13="10.132.194.174" E:8590.2.14="W" E:8590.2.15= E:8590.2.16= E:8590.2.17="NT Event log" E:8590.2.18="" E:8590.2.19=280 E:8590.2.20="CSA Service Monitoring" E:8590.2.21= E:8590.2.22= E:8590.2.23=0 } }

Re: Cisco CSA Indexing Issue

MarioM — Thu, 05 Apr 2012 10:19:00 GMT

snmp traps are binary then your have to convert it in ascii : receive and index SNMP traps

Re: Cisco CSA Indexing Issue

cvajs — Thu, 05 Apr 2012 13:39:28 GMT

binary? tcpdump shows ascii data.

Re: Cisco CSA Indexing Issue

MarioM — Thu, 05 Apr 2012 13:45:56 GMT

as per my answer to index snmp traps you need to follow the instructions from the link.

Re: Cisco CSA Indexing Issue

MarioM — Thu, 05 Apr 2012 13:51:02 GMT

and tcpdump actually decode snmp traps,Splunk donot...

Re: Cisco CSA Indexing Issue

cvajs — Thu, 05 Apr 2012 14:57:57 GMT

i am working on alternate solution, using snmptrapd and my syslog-ng. snmptrapd is not dynamic enough to handle numerous snmp traps from different hosts, etc. thnx.

Re: Cisco CSA Indexing Issue

MarioM — Thu, 05 Apr 2012 16:34:41 GMT

i think you didnot read the instructions that exactly same but snmptrapd with splunk instead of syslog-ng...

Re: Cisco CSA Indexing Issue

cvajs — Thu, 05 Apr 2012 18:05:54 GMT

i read the directions, still doesnt work. the raw log file has a bunch of ascii data but Splunk only shows part of it for some reason. when i say "syslog-ng" i mean i use -Ls with snmptrapd instead of -Lf, this allows me to have better control over where the data goes, etc.

snmptrapd -M /usr/share/snmp/mibs -m +ALL -Lf /logs/snmp/hostA --disableAuthorization=yes

snmptrapd -M /usr/share/snmp/mibs -m +ALL -Ls 0 --disableAuthorization=yes

the latter cmd logs the same data as the 1st, but Splunk seems to have a problem showing/parsing the 1st.

Re: Cisco CSA Indexing Issue

cvajs — Thu, 05 Apr 2012 19:46:59 GMT

Splunk shows just this for the source data of an event (why does it truncate the data?)

2012-04-05 15:38:29 syslog.prod.org [UDP: [10.219.0.134]:1086->[10.222.1.253]]:

but the raw log file shows this for same event

2012-04-05 15:38:29 syslog.prod.org [UDP: [10.219.0.134]:1086->[10.222.1.253]]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (124678725) 14 days, 10:19:47.25       SNMPv2-MIB::snmpTrapOID.0 = OID: CSAMC-SNMPv2-MIB::csaTraps.1        CSAMC-SNMPv2-MIB::eventID = INTEGER: 10329635   CSAMC-SNMPv2-MIB::ruleID = Wrong Type (should be INTEGER): NULL      CSAMC-SNMPv2-MIB::hostName = STRING: "hostB.prod.org"   CSAMC-SNMPv2-MIB::eventTime = STRING: "2012-04-05 15:38:29.617"      CSAMC-SNMPv2-MIB::severityCode = INTEGER: 2     CSAMC-SNMPv2-MIB::eventCode = INTEGER: 164   CSAMC-SNMPv2-MIB::processName = STRING: "<remote application>"  CSAMC-SNMPv2-MIB::fileName = Wrong Type (should be OCTET STRING): NULL       CSAMC-SNMPv2-MIB::sourceIPAddress = Wrong Type (should be IpAddress): NULL      CSAMC-SNMPv2-MIB::destinationIPAddress = Wrong Type (should be IpAddress): NULL      CSAMC-SNMPv2-MIB::eventText = STRING: "The process '<remote application>' has triggered too many log records in the last few minutes. Further messages will be logged at a decreased rate for 10 minutes."        CSAMC-SNMPv2-MIB::hostID = INTEGER: 209 CSAMC-SNMPv2-MIB::currentHostIPAddress = Wrong Type (should be IpAddress): STRING: "10.132.194.158"  CSAMC-SNMPv2-MIB::hostOSType = STRING: "W"      CSAMC-SNMPv2-MIB::sourcePort = Wrong Type (should be INTEGER): NULL  CSAMC-SNMPv2-MIB::destinationPort = Wrong Type (should be INTEGER): NULL        CSAMC-SNMPv2-MIB::eventType = STRING: "Administrative"       CSAMC-SNMPv2-MIB::ruleDescription = Wrong Type (should be OCTET STRING): NULLCSAMC-SNMPv2-MIB::ruleModuleID = Wrong Type (should be INTEGER): NULL   CSAMC-SNMPv2-MIB::ruleModuleName = Wrong Type (should be OCTET STRING): NULL CSAMC-SNMPv2-MIB::buttonCode = Wrong Type (should be INTEGER): NULL     CSAMC-SNMPv2-MIB::userName = STRING: "myDOMAIN\\WSecGat_Px"   CSAMC-SNMPv2-MIB::flags = INTEGER: 0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (124679186) 14 days, 10:19:51.86       SNMPv2-MIB::snmpTrapOID.0 = OID: CSAMC-SNMPv2-MIB::csaTraps.1        CSAMC-SNMPv2-MIB::eventID = INTEGER: 10329637   CSAMC-SNMPv2-MIB::ruleID = INTEGER: 1374    CSAMC-SNMPv2-MIB::hostName = STRING: "hostA.prod.org"    CSAMC-SNMPv2-MIB::eventTime = STRING: "2012-04-05 15:38:29.999"      CSAMC-SNMPv2-MIB::severityCode = INTEGER: 2     CSAMC-SNMPv2-MIB::eventCode = INTEGER: 179      CSAMC-SNMPv2-MIB::processName = Wrong Type (should be OCTET STRING): NULL    CSAMC-SNMPv2-MIB::fileName = Wrong Type (should be OCTET STRING): NULL       CSAMC-SNMPv2-MIB::sourceIPAddress = Wrong Type (should be IpAddress): NULL      CSAMC-SNMPv2-MIB::destinationIPAddress = Wrong Type (should be IpAddress): NULL      CSAMC-SNMPv2-MIB::eventText = STRING: "The 'Service Control Manager' service logged event code 7036 into the system event log: The LiveUpdate service entered the running state. "   CSAMC-SNMPv2-MIB::hostID = INTEGER: 2206     CSAMC-SNMPv2-MIB::currentHostIPAddress = Wrong Type (should be IpAddress): STRING: "10.10.10.10"   CSAMC-SNMPv2-MIB::hostOSType = STRING: "W"      CSAMC-SNMPv2-MIB::sourcePort = Wrong Type (should be INTEGER): NULL CSAMC-SNMPv2-MIB::destinationPort = Wrong Type (should be INTEGER): NULL CSAMC-SNMPv2-MIB::eventType = STRING: "NT Event log"CSAMC-SNMPv2-MIB::ruleDescription = ""   CSAMC-SNMPv2-MIB::ruleModuleID = INTEGER: 280   CSAMC-SNMPv2-MIB::ruleModuleName = STRING: "CSA Service Monitoring"  CSAMC-SNMPv2-MIB::buttonCode = Wrong Type (should be INTEGER): NULL     CSAMC-SNMPv2-MIB::userName = Wrong Type (should be OCTET STRING): NULL       CSAMC-SNMPv2-MIB::flags = INTEGER:

Re: Cisco CSA Indexing Issue

cvajs — Thu, 05 Apr 2012 20:06:07 GMT

this looks like a bug. when i create the source from file and preview it, Splunk correctly shows each event, but when i finish setting up the source and look at the data from a search it only shows that 1st line, not all of the event data.

Re: Cisco CSA Indexing Issue

MarioM — Fri, 06 Apr 2012 05:28:49 GMT

what your props.conf looks like?

Re: Cisco CSA Indexing Issue

cvajs — Mon, 28 Sep 2020 11:38:25 GMT

which props?

i dont have a system/local props
i dont have a local app props

i have this props
/opt/splunk/etc/apps/Splunk_CiscoClientSecurityAgent/default

[cisco_csa]
TRANSFORMS = csa_hostoverride
REPORT-extract = csafields
SHOULD_LINEMERGE = false

Re: Cisco CSA Indexing Issue

MarioM — Sun, 08 Apr 2012 09:37:20 GMT

you could try adding TRUNCATE=0 in your cisco_csa stanza

Re: Cisco CSA Indexing Issue

cvajs — Mon, 28 Sep 2020 11:38:55 GMT

TRUNCATE=0 to default props in CSA app, but Splunk still shows:
2012-04-09 11:24:34 myHost.prod.org [UDP: [10.8.0.134]:1086->[10.1.1.53]]:

props.conf
[cisco_csa]
TRANSFORMS = csa_hostoverride
REPORT-extract = csafields
SHOULD_LINEMERGE = false
TRUNCATE=0

transfroms.conf
[csafields]
REGEX = ^[^\|]+\|([^\|]+)\|([^\|]+)\|([^\|]+)\|([^\|]+)\|([^\|]+)\|([^\|]+)
FORMAT = nbtname::$1 ip::$2 ruleid::$3 code::$4 remotetime::$5 alert::$6

[csa_hostoverride]
DEST_KEY = MetaData:Host
REGEX = ^[^\|]+\|([^\|]+)\|([^\|]+)\|([^\|]+)\|([^\|]+)\|([^\|]+)\|([^\|]+)
FORMAT = host::$1

Re: Cisco CSA Indexing Issue

cvajs — Tue, 10 Apr 2012 12:28:33 GMT

anyone have an idea as to why splunk does this?

Re: Cisco CSA Indexing Issue

Ayn — Tue, 10 Apr 2012 12:51:11 GMT

I think you need to configure event breaking. Splunk is probably breaking events because it finds what it views as timestamps after the first line you pasted, and default behaviour is for Splunk to create a new event when it finds a valid timestamp on a new line.

Re: Cisco CSA Indexing Issue

cvajs — Tue, 10 Apr 2012 12:58:12 GMT

i dont quite understand. if i manually add the source and do a "Preview" of the log data it shows the events correctly, so why would it mess up event breaking after that?

Re: Cisco CSA Indexing Issue

Ayn — Tue, 10 Apr 2012 13:03:16 GMT

I don't know in detail how the preview data functionality works so I don't know, sorry. But, the default behaviour for event breaking in Splunk is that the first time a timestamp is encountered on a new line, Splunk breaks and creates a new event.

Re: Cisco CSA Indexing Issue

cvajs — Tue, 10 Apr 2012 13:29:08 GMT

so i need to tell the preview that my event is "DATE \n EVENT_DATA \n"
(not that way exactly, but you get my point). oddly, if i write snmptrapd out to syslog then Splunk will read those events from syslog file fine, but CSA app still doesnt work with that data.

Re: Cisco CSA Indexing Issue

Ayn — Tue, 10 Apr 2012 13:37:56 GMT

Yes, you need to configure line merging in props.conf.