Up until recently, the InfoSec app VPN dashboards were populating just fine. Recently, however, they stopped, and upon further investigation it seems like data from our Cisco ASAs is not being extracted correctly. After some troubleshooting I backed up the Splunk_TA_cisco-asa folder and reinstalled the add-on from Splunkbase.
One of the fields that is not being extracted is message_id. Going to the transforms and copying the regex for one of the message_id fields, I was able to match events to it, but for some reason Splunk is not extracting it.
The issue continues even after the fresh install of the add-on.
The issue has been resolved; the cause is that my ASAs send the logs with the word 'session' in between ASA & the log level. After updating the following stanzas in transforms.conf it started extracting everything as expected. For anyone who runs across the issue of ASA logs not being CIM-compliant and having tags/actions auto-applied, check the following:
You get an upvote just for helping; how 'bout that!?
But no, the ASA version has not changed; what's changed is that Splunk, apps & add-ons have been upgraded. But like I said, going to Splunk_TA_cisco-asa/default/transforms.conf and copying the REGEX from below, Splunk matches it to events in search, but the field is not extracted, thus causing eventtypes not to work, which in turn causes CIM tags not to be applied correctly.
[cisco_asa_message_id_722041]
REGEX = -722041:\s*TunnelGroup\s+(?:\<\s*)?(?<tunnel_group>[^\>\s]+)(?:\s*\>)?\s+GroupPolicy\s+(?:\<\s*)?(?<group_policy>[^\>\s]+)(?:\s*\>)?\s+User\s+(?:\<\s*)?(?<user>[^\>\s]+)(?:\s*\>)?\s+IP\s+(?:\<\s*)?(?<src_ip>[^\>\s]+)(?:\s*\>)?
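A small Python check, added here as an illustration and not the add-on's own code, that reproduces the symptom in this thread: a header extraction written for `%ASA-<level>-<id>` (my constructed STRICT_HEADER, an assumption about how message_id is keyed, not the add-on's stanza) never yields message_id for `%ASA-session-...` events, while the quoted 722041 body regex still matches them, which is exactly "matches in search but the field is not extracted". The sample events and both header regexes are constructed; only the 722041 regex comes from the thread.

```python
import re

# Constructed sample events (not real logs): a standard ASA header and the
# 'session' variant the original poster's ASAs emit.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 fw01 %ASA-6-722041: TunnelGroup <RA-VPN> GroupPolicy <GP-Default> "
    "User <jdoe> IP <203.0.113.7> IPv4 Address <10.10.0.5> assigned to session",
    "Jan 10 12:00:02 fw02 %ASA-session-6-722041: TunnelGroup <RA-VPN> GroupPolicy <GP-Default> "
    "User <asmith> IP <198.51.100.9> IPv4 Address <10.10.0.6> assigned to session",
]

# Illustrative header regexes (assumptions, not the add-on's actual transforms):
# STRICT_HEADER models an extraction that expects exactly "%ASA-<level>-<id>:".
STRICT_HEADER = re.compile(r"%ASA-(?P<severity>\d)-(?P<message_id>\d{6}):")
# TOLERANT_HEADER also accepts the optional "session" token between ASA and the level.
TOLERANT_HEADER = re.compile(r"%ASA-(?:session-)?(?P<severity>\d)-(?P<message_id>\d{6}):")

# The 722041 regex quoted from transforms.conf above, with Splunk's (?<name>...)
# group syntax converted to Python's (?P<name>...).
BODY_722041 = re.compile(
    r"-722041:\s*TunnelGroup\s+(?:\<\s*)?(?P<tunnel_group>[^\>\s]+)(?:\s*\>)?"
    r"\s+GroupPolicy\s+(?:\<\s*)?(?P<group_policy>[^\>\s]+)(?:\s*\>)?"
    r"\s+User\s+(?:\<\s*)?(?P<user>[^\>\s]+)(?:\s*\>)?"
    r"\s+IP\s+(?:\<\s*)?(?P<src_ip>[^\>\s]+)(?:\s*\>)?"
)


def extract(event, header_re):
    """Return extracted fields for one event, or None if the header never matched.

    Mirrors the dependency described in the thread: the body fields are only
    useful once message_id has been extracted, because eventtypes (and the CIM
    tags built on them) key on message_id, not on the body regex alone.
    """
    head = header_re.search(event)
    if not head:
        return None
    fields = head.groupdict()
    if fields["message_id"] == "722041":
        body = BODY_722041.search(event)
        if body:
            fields.update(body.groupdict())
    return fields


def extract_all(events, header_re):
    return [extract(e, header_re) for e in events]
```

Running `extract_all(SAMPLE_EVENTS, STRICT_HEADER)` returns None for the 'session' event even though `BODY_722041.search` matches it, while the tolerant header extracts message_id, user and src_ip from both.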