topic Re: Cisco Router ACL Logs - How to Utilize in Cisco Security App? in Getting Data In

Cisco Router ACL Logs - How to Utilize in Cisco Security App?

umpiloto — Sun, 01 Apr 2012 23:30:22 GMT

Hi All -

Just discovered Splunk, and I must say it's an amazing tool.

I've configured a router to send syslog messages to Splunk, and they are indeed being collected.
I've also installed the Cisco security app along with a few of its sub-apps.
The Cisco firewall app, though, doesn't seem to be able to read any of the data generated by the ACL deny log entries generated by my router. It seems these syslog entries are not in the same format as those which would be generated by a true ASA or PIX firewall. Still, I have all sorts of source IP / port and dest IP / port entries, so there is so much potential here! Any ideas on how I could make my current data readable by the Cisco Security Splunk app would be very much appreciated.

Thanks

Re: Cisco Router ACL Logs - How to Utilize in Cisco Security App?

tbaschak — Mon, 28 Sep 2020 11:39:35 GMT

What you need to do is field extract the same fields from the IOS ACL deny log entries. I've used the following quick rex's in the past to dig info from ACLs.

host="someIOSfirewall" %SEC-6-IPACCESSLOGP | rex field=_raw "list 101 denied (?[a-zA-Z]+) (?\d+.\d+.\d+.\d+)((?\d+)) -> (?\d+.\d+.\d+.\d+)((?\d+))" | chart sparkline count by src_address

host="someIOSfirewall" %SEC-6-IPACCESSLOGP | rex field=_raw "list 101 denied (?[a-zA-Z]+) (?\d+.\d+.\d+.\d+)((?\d+)) -> (?\d+.\d+.\d+.\d+)((?\d+))" | lookup geoip clientip as src_address | chart sparkline count by client_country | sort -count

Just make the field names match what it is expecting, and the type to match, and you'll be set.

Re: Cisco Router ACL Logs - How to Utilize in Cisco Security App?

robinjames — Thu, 12 Apr 2012 22:11:48 GMT

Thanks for your reply! I was looking for this answer as well... I'm new to this so your answer looks like greek to me, but hopefully can figure it out.

Where would I place rex's like those to have the Cisco Suite pick up those fields?

Re: Cisco Router ACL Logs - How to Utilize in Cisco Security App?

tbaschak — Mon, 28 Sep 2020 11:40:38 GMT

You'd actually want to do this with a field extraction, but you could test the field extraction with the rex tho.
Something like this in your local/props.conf

[host::x.y.z.b]
EXTRACT-ip_proto,src_address,src_port,etc = "list 101 denied (?[a-zA-Z]+) (?d+.d+.d+.d+)((?d+)) -> (?d+.d+.d+.d+)((?d+))"

You'll need to customize the extracted field names to match.

Re: Cisco Router ACL Logs - How to Utilize in Cisco Security App?

cphnetworkguy — Wed, 30 Sep 2020 03:05:16 GMT

I did like this:
severity=* index=ciscoios vendor_category="IP security"
| stats count(ACL_action) AS Amount BY host,ACL_name,ACL_serviceport,ACL_sourceip,ACL_destinationip,ACL_action
| table host Amount ACL_name,ACL_action,ACL_serviceport,ACL_sourceip,ACL_destinationip

Then you just have make your variables so the match your setup,I have done it like this:
severity=* index=ciscoios vendor_category="IP security"
| stats count(ACL_action) AS Amount BY host,ACL_name,ACL_serviceport,ACL_sourceip,ACL_destinationip,ACL_action
| table host Amount ACL_name,ACL_action,ACL_serviceport,ACL_sourceip,ACL_destinationip

But you need to extract the fiels so they match the names of the variables you use.