https://community.splunk.com/t5/Getting-Data-In/Cisco-ASA-Logging-from-Access-Control-Entries/m-p/22817#M3558 <P>I've solved this in a new and packaged app that is available on Splunkbase as "Splunk for Cisco ASA". </P> Mon, 09 Jul 2012 22:56:33 GMT kenth 2012-07-09T22:56:33Z https://community.splunk.com/t5/Getting-Data-In/Cisco-ASA-Logging-from-Access-Control-Entries/m-p/22814#M3555 <P>Hi, </P> <P>I am logging directly to Splunk from several Cisco ASA's. I have set my ASA to log ACE entries on the notifications level and I send this level to syslog (Splunk). This should send all permitted and dropped logs to the Splunk. It seems like Splunk only recognizes the syslogs with dropped packets. How come? I have checked with normal syslog and I get both log entries. </P> <P>For workaround I have to send syslog level information to splunk to be able to see permitted packets. This is not what I want because information sends the build and teardown of connections and it seems like thats how Splunk considers it's a "permitted" flow. </P> <P>I am using the Splunk for Cisco Security. Anyone done this? </P> Fri, 30 Jul 2010 13:54:08 GMT https://community.splunk.com/t5/Getting-Data-In/Cisco-ASA-Logging-from-Access-Control-Entries/m-p/22814#M3555 kenth 2010-07-30T13:54:08Z https://community.splunk.com/t5/Getting-Data-In/Cisco-ASA-Logging-from-Access-Control-Entries/m-p/22815#M3556 <P>Kenth,</P> <P>This is an old post, but I am new to this add on. I'm having the same issue, and here's what I've discovered. The field extraction for the "firewall-accept" is keyed upon the words "Built", and "connection". This phrase is only available when 'logging informational' is on. This is an obscene amount of logging.</P> <P>What would be ideal is if the field extraction used the words "access-list", and "permitted". Then logging level can be lower, and you can set up the ACL to include logging for those hits to the level you want.</P> <P>I did this and it worked, but not all the way. The access-list log line is different than the built connection log line, and the rest of the fields are not extracted correctly.</P> <P>I've been poking around and I cannot determine how to change this area. I could use some help on that. If anyone knows, that would be fantastic.</P> Sat, 12 Mar 2011 21:47:25 GMT https://community.splunk.com/t5/Getting-Data-In/Cisco-ASA-Logging-from-Access-Control-Entries/m-p/22815#M3556 jgauthier 2011-03-12T21:47:25Z https://community.splunk.com/t5/Getting-Data-In/Cisco-ASA-Logging-from-Access-Control-Entries/m-p/22816#M3557 <P>Again,</P> <P>This is an old post. But I have solved it and am happy.</P> <P>Filter out the data from the host to only put in the data that the add on needs to process it's reports.</P> <P>So, build a regex that captures the build lines, and the deny lines. Toss the rest! </P> Sat, 26 Mar 2011 02:07:00 GMT https://community.splunk.com/t5/Getting-Data-In/Cisco-ASA-Logging-from-Access-Control-Entries/m-p/22816#M3557 jgauthier 2011-03-26T02:07:00Z https://community.splunk.com/t5/Getting-Data-In/Cisco-ASA-Logging-from-Access-Control-Entries/m-p/22817#M3558 <P>I've solved this in a new and packaged app that is available on Splunkbase as "Splunk for Cisco ASA". </P> Mon, 09 Jul 2012 22:56:33 GMT https://community.splunk.com/t5/Getting-Data-In/Cisco-ASA-Logging-from-Access-Control-Entries/m-p/22817#M3558 kenth 2012-07-09T22:56:33Z