topic Re: Cisco ASA logging format change in Getting Data In

Cisco ASA logging format change

mamborn — Thu, 15 Mar 2012 18:45:27 GMT

It looks like with 8.3 of Cisco ASA software the logging format has changed some.
Old Version:
Mar 15 13:39:13 192.168.1.1 %ASA-6-302015: Built inbound UDP connection 80311398 for External:192.168.2.29/64493 (192.168.2.29/64493) to Internal:192.168.100.1/53 (192.168.100.1/53) (RobinM)

New Format
Mar 15 13:39:15 192.168.100.100 :%ASA-session-6-302021: Teardown ICMP connection for faddr 172.16.49.19/768 gaddr 192.168.162.2/0 laddr 192.168.162.2/0

The ":%ASA-session" is what has changed. Is there a easy way to fix/modify the inputs. The pre-canned reports don't find the new log entries, and the field extractions are not correct. You can still search manually through splunk though.

Re: Cisco ASA logging format change

tmeader — Thu, 15 Mar 2012 20:28:43 GMT

Were they coming in previously as "sourcetype=cisco_asa" and working properly? Looking at the default props.conf and transforms.conf in the Cisco for Firewalls addon, there's nothing in there that that ":" should've messed up at all.

Re: Cisco ASA logging format change

mamborn — Thu, 15 Mar 2012 20:38:46 GMT

I have two ASA firewalls logging to the splunk server. The older version 8.0.3 logs correctly and the sourcetype gets set to cisco_asa.

The newer version 8.4.2 the sourcetype gets set to udp:514.

I modified the eventtypes and that didn't seem to change it either.

[root@linux2 local]# more eventtypes.conf
[cisco_firewall]
search = %ASA OR %PIX OR %FWSM OR :%ASA

So the reports etc that are pre-canned don't find the data.

Re: Cisco ASA logging format change

tmeader — Fri, 16 Mar 2012 00:38:15 GMT

So you're saying that, even with just a regular search in Splunk (not a canned report from the Cisco Apps) for data from these hosts, even though they are still showing up as sourcetype of cisco_asa, the fields are no longer being extracted properly?

Re: Cisco ASA logging format change

cvajs — Fri, 16 Mar 2012 01:23:44 GMT

i am a newb with splunk, but cant you
use SED in props.conf to replace ":%ASA-session" with "%ASA"

[source::your-crisco-source]
SEDCMD-fix = s/:%ASA-session/%ASA/g

Re: Cisco ASA logging format change

mamborn — Fri, 16 Mar 2012 14:13:30 GMT

they are not coming in as sourcetype cisco_asa, and the field extractions are not showing.

Re: Cisco ASA logging format change

tmeader — Mon, 28 Sep 2020 11:31:50 GMT

I found the problem. The issue isn't the colon in front of the %ASA, it's that the hyphen after it isn't followed by a number anymore. Here's the built-in transform:

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d+-\d+
FORMAT = sourcetype::cisco_asa

Note "%ASA-\d+-\d+". Your old data HAD %ASA-[numbers]-[numbers], whereas your new format has characters, not numerals, instead.

Under /Splunk_Home/etc/apps/[Cisco_app]/local/, create a file called "transforms.conf" and add in the following:

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\w+-\w+
FORMAT = sourcetype::cisco_asa

Save that and then restart Splunk. That should take care of it. Let me know if that works for you or not.

Re: Cisco ASA logging format change

cvajs — Fri, 16 Mar 2012 22:14:58 GMT

the events dont come in as a source type, they get matched as a source type.

Re: Cisco ASA logging format change

cvajs — Fri, 16 Mar 2012 22:26:20 GMT

ah, good find.

Re: Cisco ASA logging format change

kenth — Mon, 19 Mar 2012 13:56:28 GMT

Why replace it when you can just match it with;

%ASA-\w+-\d+-\d+ or even %ASA-\S+:

I haven't tried the latter one though.

Re: Cisco ASA logging format change

cvajs — Tue, 20 Mar 2012 01:20:46 GMT

this forum is a pita because it takes a single \ as a special char, so you need to escape them.

%ASA-\w+-\d+-\d+ or even %ASA-S+:

because these will limit the cisco fw match to just the new version syntax vs using a match that matches new and old.

use %ASA-(\w+-)?[67]-\d+

i suggested SED to convert the new syntax back to the old so everything works as is since everything was originally coded for the old ASA syntax, etc.

Re: Cisco ASA logging format change

moorebj — Tue, 19 Feb 2013 20:57:56 GMT

This worked, I had upgraded to 5.0 in Jan and did not notice by cisco_asa source type was missing until I ran an old report today. I put in the transform and restarted and all is well.

Re: Cisco ASA logging format change

kefoster — Thu, 01 Aug 2013 15:19:06 GMT

This got me up and running!

Re: Cisco ASA logging format change

stevechege — Mon, 28 Sep 2020 15:06:38 GMT

Thanks, this helped a lot. I had two instances of Spunk and the transforms.conf fixed formatting issue. Without the fix, it was hard to search for source/destination ports and source/destination IPs.

Older version.(After upgrade to version 6.0)

nano /opt/splunk/etc/apps/Splunk_CiscoFirewalls/local/transforms.conf

Newer version.

nano /opt/splunk/etc/apps/Splunk_for_CiscoASA/local/transforms.conf

Re: Cisco ASA logging format change

amalamalpm — Thu, 08 Oct 2015 09:37:37 GMT

Try the following command

   no logging emblem

Actually there is no change in format.
Please reply to this, if it is correct or not.