<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
<title>topic Re: Cisco Security Suite: Why is Splunk Add-on for Cisco ASA lookup definition for "action" not working? in All Apps and Add-ons</title>
    <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124596#M9745</link>
    <description>&lt;P&gt;I also had the same issue with the Splunk_TA_cisco-asa ver 3.2.&lt;/P&gt;

&lt;P&gt;issue earlier today... I believe the problem with version 3.2 is that two LOOKUP statements at the end of the cisco:asa sourcetype section were incomplete, causing the "action" LOOKUP to not be exercised correctly....&lt;/P&gt;

&lt;P&gt;Here are the corrected/completed LOOKUP statements:&lt;BR /&gt;
LOOKUP-cisco_asa_change_analysis = cisco_asa_change_analysis_lookup message_id OUTPUTNEW change_class change_description action change_type object_type&lt;BR /&gt;
LOOKUP-cisco-asa_severity_expansion = cisco_asa_syslog_severity_lookup log_level OUTPUT severity_level description&lt;/P&gt;

&lt;P&gt;This corrected the problem for me.&lt;/P&gt;</description>
    <pubDate>Mon, 28 Sep 2020 18:50:05 GMT</pubDate>
    <dc:creator>joelyon</dc:creator>
    <dc:date>2020-09-28T18:50:05Z</dc:date>
    <item>
      <title>Cisco Security Suite: Why is Splunk Add-on for Cisco ASA lookup definition for "action" not working?</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124591#M9740</link>
      <description>&lt;P&gt;&lt;STRONG&gt;EDIT :&lt;/STRONG&gt; &lt;EM&gt;New information at the end.&lt;/EM&gt;&lt;/P&gt;

&lt;P&gt;When I run a search over our ASA, all the fields defined by the splunk_ta_cisco-asa work except one.  I have severity lookups and vendor classes, but I have no "action" defined even though it should be.  This is important because a lot of graphs in the network side of the Cisco Security Suite require "action" to be defined in order to report.&lt;/P&gt;

&lt;P&gt;I'm not an expert by any means, but I spent time last week trying to track down how it should be doing what it doesn't quite do, but I still can't figure out why it's not working.&lt;/P&gt;

&lt;P&gt;In props.conf, the lookup for action is defined right next to several lookups that work fine (like the severity lookup).&lt;BR /&gt;
&lt;CODE&gt;LOOKUP-cisco-asa-action_lookup = cisco_action_lookup vendor_action OUTPUT action&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;In transforms.conf, again next to others that work fine, the cisco_action_lookup is defined.&lt;BR /&gt;
&lt;CODE&gt;[cisco_action_lookup]&lt;BR /&gt;
filename = cisco_action_lookup.csv&lt;/CODE&gt;    &lt;/P&gt;

&lt;P&gt;So, one of the broken searches is this:&lt;BR /&gt;
&lt;CODE&gt;eventtype=cisco-firewall action="*" | timechart count by action&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;It is easy to modify it to be a working search and test that the lookup actually works by just manually specifying the lookup ahead of search action="*":&lt;BR /&gt;
&lt;CODE&gt;eventtype=cisco-firewall | lookup cisco_action_lookup vendor_action OUTPUT action | search action="*" | timechart count by action&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;The fixed search returns data with action fully populated, unlike the unfixed search.&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;UPDATE :&lt;/STRONG&gt; &lt;EM&gt;I have found out more and though it still doesn't make sense to me, perhaps it will to someone.&lt;/EM&gt;&lt;/P&gt;

&lt;P&gt;If I aliased the output field at the end so:&lt;BR /&gt;
&lt;CODE&gt;LOOKUP-cisco_action_lookup = cisco_action_lookup vendor_action OUTPUT action AS aa_action&lt;/CODE&gt;&lt;BR /&gt;
then aa_action shows up just fine.&lt;/P&gt;

&lt;P&gt;When I again remove the alias, action disappears from the output.&lt;/P&gt;

&lt;P&gt;UNLESS I run a wide enough search (a day's worth of data or more) then I can sometimes find ONE "action" set to "unknown". So when aliased to aa_action, it shows up on about 20-35% of the events depending on what time period you pick. When not aliased, I get approximately one "action" per million events and it's set to unknown. (And it is indeed an odd line).&lt;/P&gt;

&lt;P&gt;Can "action" be being unset somehow?  Early on I grepped through the etc folders making sure, but I could have missed something.  How best to find such a thing, if this is what's happening?&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 18:49:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124591#M9740</guid>
      <dc:creator>Richfez</dc:creator>
      <dc:date>2020-09-28T18:49:13Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco Security Suite: Why is Splunk Add-on for Cisco ASA lookup definition for "action" not working?</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124592#M9741</link>
<description>&lt;P&gt;I am currently experiencing the exact same issue. If, in the automatic lookup, I change the way the action field is displayed to "action1" I get an action1 field. If I go back to action I get nothing.&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2015 21:57:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124592#M9741</guid>
      <dc:creator>jordanperks</dc:creator>
      <dc:date>2015-02-03T21:57:16Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco Security Suite: Why is Splunk Add-on for Cisco ASA lookup definition for "action" not working?</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124593#M9742</link>
      <description>&lt;P&gt;Yes, I've opened a case on this because it seems that it's not quite a "Cisco Security Suite" problem, more of just a LOOKUP issue.  I have done a bit more work trying to decide where the problem lies:&lt;/P&gt;

&lt;P&gt;I have found that disabling the other couple of apps that "create" an action field and commenting out all the remaining places it might get created does not fix the issue. &lt;/P&gt;

&lt;P&gt;I also found that recreating that lookup in etc/apps/search/local/transforms.conf and props.conf, then removing them entirely from the Cisco ASA TA, also does not make them work (except for that once-in-a-million event that appears to be tagged correctly as "action=unknown").&lt;/P&gt;

&lt;P&gt;I may need to update the answer, here, or perhaps close this one and re-open a new answers question excluding (or minimizing) the Cisco Security Suite side of things.&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2015 22:24:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124593#M9742</guid>
      <dc:creator>Richfez</dc:creator>
      <dc:date>2015-02-03T22:24:02Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco Security Suite: Why is Splunk Add-on for Cisco ASA lookup definition for "action" not working?</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124594#M9743</link>
      <description>&lt;P&gt;Everything you tried, I also tried with the same results as you. &lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2015 22:27:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124594#M9743</guid>
      <dc:creator>jordanperks</dc:creator>
      <dc:date>2015-02-03T22:27:02Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco Security Suite: Why is Splunk Add-on for Cisco ASA lookup definition for "action" not working?</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124595#M9744</link>
      <description>&lt;P&gt;I have found a workaround that will populate the data model/ES dashboards effectively, but still do not have any luck in search. For now I have a built a quick macro for manually invoking the lookup in search. I would be very interested in what you find out.&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2015 23:22:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124595#M9744</guid>
      <dc:creator>jordanperks</dc:creator>
      <dc:date>2015-02-03T23:22:34Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco Security Suite: Why is Splunk Add-on for Cisco ASA lookup definition for "action" not working?</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124596#M9745</link>
      <description>&lt;P&gt;I also had the same issue with the Splunk_TA_cisco-asa ver 3.2.&lt;/P&gt;

&lt;P&gt;issue earlier today... I believe the problem with version 3.2 is that two LOOKUP statements at the end of the cisco:asa sourcetype section were incomplete, causing the "action" LOOKUP to not be exercised correctly....&lt;/P&gt;

&lt;P&gt;Here are the corrected/completed LOOKUP statements:&lt;BR /&gt;
LOOKUP-cisco_asa_change_analysis = cisco_asa_change_analysis_lookup message_id OUTPUTNEW change_class change_description action change_type object_type&lt;BR /&gt;
LOOKUP-cisco-asa_severity_expansion = cisco_asa_syslog_severity_lookup log_level OUTPUT severity_level description&lt;/P&gt;

&lt;P&gt;This corrected the problem for me.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 18:50:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124596#M9745</guid>
      <dc:creator>joelyon</dc:creator>
      <dc:date>2020-09-28T18:50:05Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco Security Suite: Why is Splunk Add-on for Cisco ASA lookup definition for "action" not working?</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124597#M9746</link>
      <description>&lt;P&gt;Changing those two lines did the trick!&lt;/P&gt;</description>
      <pubDate>Wed, 04 Feb 2015 15:44:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124597#M9746</guid>
      <dc:creator>Richfez</dc:creator>
      <dc:date>2015-02-04T15:44:54Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco Security Suite: Why is Splunk Add-on for Cisco ASA lookup definition for "action" not working?</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124598#M9747</link>
      <description>&lt;P&gt;Looks like in 3.2.4, the severity_expansion lookup is still not complete&lt;/P&gt;</description>
      <pubDate>Tue, 20 Oct 2015 14:58:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124598#M9747</guid>
      <dc:creator>rtrobock</dc:creator>
      <dc:date>2015-10-20T14:58:01Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco Security Suite: Why is Splunk Add-on for Cisco ASA lookup definition for "action" not working?</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124599#M9748</link>
<description>&lt;P&gt;Hi, I have the latest version, 3.4.0, and have a similar problem...&lt;BR /&gt;
3 errors occurred while the search was executing. Therefore, search results might be incomplete.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Could not load lookup=LOOKUP-cisco-asa-action_lookup
Could not load lookup=LOOKUP-cisco-pix-action_lookup
Could not load lookup=LOOKUP-cisco_fwsm_action_lookup
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I am not sure where I need to fix this, can you please explain?&lt;/P&gt;

&lt;P&gt;tnx.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Sep 2019 21:20:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124599#M9748</guid>
      <dc:creator>vmicovic2</dc:creator>
      <dc:date>2019-09-24T21:20:25Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco Security Suite: Why is Splunk Add-on for Cisco ASA lookup definition for "action" not working?</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124600#M9749</link>
<description>&lt;P&gt;@vmicovic2,&lt;BR /&gt;
You are probably better off asking a new question, since this question was closed and answered 4 years ago.&lt;/P&gt;

&lt;P&gt;(Also - I'd look at your various lookup permissions, but if you post this with some supporting information as a new question I'm sure you'll get a LOT more detail to help you solve your problem faster and better!)&lt;/P&gt;</description>
      <pubDate>Tue, 24 Sep 2019 21:27:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Security-Suite-Why-is-Splunk-Add-on-for-Cisco-ASA-lookup/m-p/124600#M9749</guid>
      <dc:creator>Richfez</dc:creator>
      <dc:date>2019-09-24T21:27:11Z</dc:date>
    </item>
  </channel>
</rss>