topic Re: Help with search to monitor a firewall in Splunk Search

Help with search to monitor a firewall

splunker969 — Mon, 30 Oct 2017 18:38:31 GMT

We are trying to monitor Firewall events from' X ' Environment coming to Splunk. I took the all hosts (600 hosts) related to 'X' environment and created lookup. I am able to see all events with below search but the search is too expensive and takes almost 15 minutes. For security reasons I took all names of index and Ips .When i search I included them. Can any one help with the search?

Search -

 index=test1 OR index=test2*  OR index=test3* action=blocked dest=* NOT(msg="Deny TCP (no connection) from * flags RST  on interface *") (src_ip=*/* OR src_ip=*/* OR src_ip=*/* OR src_ip=*/*) | lookup hostlist.csv IP as dest | search list=y  | dedup dest_port src_ip dest_ip host rule
    | table  dest_port src_ip dest_ip host rule list

Re: Help with search to monitor a firewall

MuS — Tue, 31 Oct 2017 01:39:34 GMT

Sorry that this is not an answer more some ideas, but

“Some trusted people were chatting...here you go. Don’t mind the ‘what the hell is this’ commentary” 🙂

If you wonder about who the trusted people were, some of these guys https://www.splunk.com/blog/2017/09/26/the-splunktrust-2018-in-all-its-fezzed-glory.html

Re: Help with search to monitor a firewall

HiroshiSatoh — Tue, 29 Sep 2020 16:27:00 GMT

What is a lookup for ”lookup hostlist.csv IP as dest ”?

 index=test1 OR index=test2*  OR index=test3* action=blocked dest=* NOT(msg="Deny TCP (no connection) from * flags RST  on interface *") (src_ip=*/* OR src_ip=*/* OR src_ip=*/* OR src_ip=*/*) [|inputlookup hostlist.csv|fields IP|rename IP as dest ]

Use TERM for IP search
src_ip=TERM(1.1.1.1) OR src_ip=TERM(1.1.1.2)

Using fields reduces the required fields.
table xxx,xxx->fields xxx,xxx

Re: Help with search to monitor a firewall

splunker969 — Wed, 01 Nov 2017 14:23:37 GMT

Thanks @ MuS .I very lucky and happy that Splunk trust team replied me .I believe 600 hosts so it is taking that long to check hosts for only 4 hours of data .

Re: Help with search to monitor a firewall

splunker969 — Wed, 01 Nov 2017 14:25:09 GMT

Hi @ HiroshiSatoh .I performed above query you suggested .I am getting no results .

Re: Help with search to monitor a firewall

MuS — Thu, 02 Nov 2017 03:33:29 GMT

Okay some options here:

be as precise as possible in the base search and try to avoid * or NOT instead search for exactly what you want
after you done above, run the search in Fast Mode
is the lookup used to only get events for hosts in the lookup? If yes, do what @cmerriman suggests and try to add this to your base search [ | inputlookup hotlist.csv | dedup host | table host | format ] this will create a group of ((host=x) OR (host=y) OR ... and speeds up the search

cheers, MuS

Re: Help with search to monitor a firewall

erickyi — Thu, 02 Nov 2017 04:12:46 GMT

try searching for ASA instead. you may need to define a lookup csv containing your ASA codes
e.g. my csv contains

106027  %ASA-4-106027   Error   Yes Port
107001  %ASA-1-107001   Error   Yes Attempt
107002  %ASA-1-107002   Error   Yes Attempt
109017  %ASA-4-109017   Error   Yes DoS


https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html

Re: Help with search to monitor a firewall

splunker969 — Tue, 07 Nov 2017 16:14:13 GMT

Thanks @Mus