topic Re: Cisco ASA versus FTD parsing in Splunk Search

Cisco ASA versus FTD parsing

FPERVIL — Fri, 01 Mar 2024 18:50:36 GMT

We have both Cisco ASA and FTD firewalls. The ASA is parsing fine where the appropriate fields are extracted. As for the FTD logs, I don't get the same treatment for the data. I downloaded the Cisco Firepower Threat Defense FTD sourcetype app and installed it on the search heads because I only had the Splunk Add-on for Cisco ASA. That didn't change anything.

Mar 1 18:44:20 USxx-xx-FW01 : %ASA-6-302014: Teardown TCP connection 3111698504 for wan:208.87.237.180/8082 to cm-data:12.11.60.44/60113 duration 0:00:00 bytes 327 TCP FINs from wan

Mar 1 13:45:09 MXxx-EG-FTD01 : %FTD-6-302014: Teardown TCP connection 125127915 for CTL_Internet:194.26.135.230/41903 to CTL_Internet:123.243.123.218/33445 duration 0:00:30 bytes 0 Failover primary closed

As you can see the msgs are identical for both FWs but the ASA has lots of interest fields where the FTD only has a few.

Re: Cisco ASA versus FTD parsing

Richfez — Fri, 01 Mar 2024 21:32:49 GMT

I don't think that's the right app to read those events. In any case, the app you have installed had its latest release in 2018 and references no Splunk version higher than 7.1, so it looks abandoned.

Instead, it looks like the "Cisco Secure eStreamer Client Add-On for Splunk" (https://splunkbase.splunk.com/app/3662) might extract fields from records with FTD in them. It seems like it focuses on events 430001, 430002, 430003 and 430005. Still, it's worth a shot.

Indeed, right now you could see if you have those - try a search like

index=<your cisco index> FTD (430001 OR 430002 OR 430003 OR 430005)

If that returns a few items (or lots), then the app I mention above should turn that into useful fields.

If that search does NOT return any events, ... well, widen the time frame. These seem like they might be less common events, not run of the mill "every tcp session makes 42 zillion of them" so it's possible there's only a few per day or something.

In any case, happy splunking and I hope you find what you need!

-Rich

Re: Cisco ASA versus FTD parsing

yuanliu — Fri, 01 Mar 2024 21:36:59 GMT

Splunk doesn't apply any inherent extraction for data as you illustrated. (By default, it extracts key-value pairs connected by equal (=) sign, and some structured raw events such as JSON.) If you see more fields in ASA feeds, it must be the doing of Splunk Add-on for Cisco ASA. You need to open up that add-on and see what it is doing. Then, you can copy it if that is within copyrights. Or you can develop your own extraction strategy to emulate what Splunk Add-on for Cisco ASA does, or more.

Given that the two data sources are so close in format, there is also a possibility that Splunk Add-on for Cisco ASA has some configuration you can tweak to include the FTD data type. Consult its documentation, or contact the developers.

This board used to have an app forum that I no longer see. Maybe it is now Splunk Dev? You can if Splunk Add-on for Cisco ASA developers are in that forum.

Re: Cisco ASA versus FTD parsing

gurlest — Fri, 16 Aug 2024 14:52:13 GMT

We have had this same issue in our environment. The fix we have come up with is to create an app for the 4300X events that are specific to cisco:ftd where we parse out all the fields (you can use kvmode=auto for these, but some fields like url don't get extracted correctly since they oftentimes have '=' in the url string).

In order to address the other message IDs that match number/format with cisco:asa, we make a 'custom' app and update it each time we update Splunk_TA_cisco-asa. In that app (we named it Splunk_TA_cisco-asa-ftd) we just copy over the /default/ and /local/ props.conf files and change the sourcetype declaration from [cisco:asa] to [cisco:ftd].

The other files (like transforms) aren't needed because splunk already has those definitions in the Splunk_TA_cisco-asa app, you just need to tell it to do all the eval/extract/transform/etc functions from props.conf for the other sourcetype. If you use eventtypes, you should also update that. We updated Splunk_TA_cisco-asa/local/eventtypes.conf to use 'sourcetype IN (cisco:asa, cisco:ftd)' to address that issue in the 'standard' app.

I know that seems like a lot of customization, but after doing the customization / upgrade a few times, it's not so bad. 🙂