Cisco ASA TA message_id not being extracted

Karma1991
Explorer

Up until recently, the InfoSec app VPN dashboards were populating just fine. Recently, however, they stopped, and upon further investigation it seems like data from our Cisco ASAs is not being extracted correctly. After some troubleshooting I backed up the Splunk_TA_cisco-asa folder and reinstalled the add-on from Splunkbase.

One of the fields that is not being extracted is message_id; going to the transforms and copying the regex for one of the message_id fields, I was able to match events to it, but for some reason Splunk is not extracting it.

The issue continues even after the fresh install of the add-on.

1 Solution

Karma1991
Explorer

Issue has been resolved; the issue is that my ASAs send the logs with the word 'session' in between ASA and the log level. After updating the following stanzas in the transforms.conf it started extracting everything as expected. For anyone that runs across the issue of ASA logs not being CIM-compliant and having tags/actions auto-applied, check the following:

Change #1
  From:
    [force_sourcetype_for_cisco_asa]
    REGEX = %(?:ASA|FTD)-\d+-\d{6}
  To:
    [force_sourcetype_for_cisco_asa]
    REGEX = %(?:ASA|FTD)-(?:\w*)-\d+-\d{6}

Change #2
  From:
    [cisco_asa_log_level_message_id]
    REGEX = %(?:ASA|FTD)-(?<log_level>\d+)-(?<message_id>\d+)
  To:
    [cisco_asa_log_level_message_id]
    REGEX = %(?:ASA|FTD)-(?:\w*)-(?<log_level>\d+)-(?<message_id>\d+)

richgalloway
SplunkTrust

Did something change on your ASAs? A new version, perhaps, or maybe an admin changed how logs are created?
Compare the message_id field in your data with that expected by the TA and modify the TA to work with your data.
---
If this reply helps you, Karma would be appreciated.

Karma1991
Explorer

You get an upvote just for helping; how 'bout that!?

But no, the ASA version has not changed; what's changed is that Splunk, apps and add-ons have been upgraded. But like I said, going to the Splunk_TA_cisco-asa/default/transforms.conf and copying the REGEX from below, Splunk matches it to events in search, but the field is not extracted, thus causing eventtypes not to work, which in turn causes CIM tags not to be applied correctly.

[cisco_asa_message_id_722041]
REGEX = -722041:\s*TunnelGroup\s+(?:\<\s*)?(?<tunnel_group>[^\>\s]+)(?:\s*\>)?\s+GroupPolicy\s+(?:\<\s*)?(?<group_policy>[^\>\s]+)(?:\s*\>)?\s+User\s+(?:\<\s*)?(?<user>[^\>\s]+)(?:\s*\>)?\s+IP\s+(?:\<\s*)?(?<src_ip>[^\>\s]+)(?:\s*\>)?

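As an added example that is not part of this thread or of Splunk's add-on, the following Python script runs the "From" and "To" regexes from the accepted answer, together with the 722041 extraction quoted above, over two constructed ASA events: one in the standard %ASA-6-722041 form and one carrying the extra 'session' token. It mimics the add-on's chain, in which the force-sourcetype transform has to match before the per-message extractions are attempted; that is consistent with the symptom in the thread, where the 722041 regex matched raw events in search but produced no fields. It also adds a third variant with an optional token, `(?:\w+-)?`, which is my own generalisation and not from the thread: the "To" regexes make the extra hyphen mandatory, so events in the standard form stop matching them, which matters on a mixed estate. Splunk's PCRE named groups `(?<name>...)` are rewritten to Python's `(?P<name>...)` so the stanzas can be pasted verbatim. Sample events, host names, users and addresses are constructed.

```python
import re

# Regexes copied from the thread: the "From"/"To" stanzas in the accepted answer
# and the 722041 extraction quoted from Splunk_TA_cisco-asa/default/transforms.conf.
SOURCETYPE_FROM = r"%(?:ASA|FTD)-\d+-\d{6}"
SOURCETYPE_TO = r"%(?:ASA|FTD)-(?:\w*)-\d+-\d{6}"
LEVEL_ID_FROM = r"%(?:ASA|FTD)-(?<log_level>\d+)-(?<message_id>\d+)"
LEVEL_ID_TO = r"%(?:ASA|FTD)-(?:\w*)-(?<log_level>\d+)-(?<message_id>\d+)"
MSG_722041 = (
    r"-722041:\s*TunnelGroup\s+(?:\<\s*)?(?<tunnel_group>[^\>\s]+)(?:\s*\>)?"
    r"\s+GroupPolicy\s+(?:\<\s*)?(?<group_policy>[^\>\s]+)(?:\s*\>)?"
    r"\s+User\s+(?:\<\s*)?(?<user>[^\>\s]+)(?:\s*\>)?"
    r"\s+IP\s+(?:\<\s*)?(?<src_ip>[^\>\s]+)(?:\s*\>)?"
)

# My own variant (an assumption, not from the thread): make the extra token
# optional so both the plain and the "session" forms keep matching.
SOURCETYPE_BOTH = r"%(?:ASA|FTD)-(?:\w+-)?\d+-\d{6}"
LEVEL_ID_BOTH = r"%(?:ASA|FTD)-(?:\w+-)?(?<log_level>\d+)-(?<message_id>\d+)"

# Constructed sample events (not captured from a real device).
EVENT_PLAIN = ("%ASA-6-722041: TunnelGroup <RA_VPN> GroupPolicy <GP_Remote> "
               "User <jdoe> IP <203.0.113.10> No IPv6 address available for SVC connection")
EVENT_SESSION = EVENT_PLAIN.replace("%ASA-6-", "%ASA-session-6-")


def splunk_to_python(pattern: str) -> str:
    """Splunk (PCRE) writes named groups as (?<name>...); Python's re needs (?P<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def extract(pattern: str, event: str) -> dict:
    """Named groups of the first match, or an empty dict when the regex does not match."""
    m = re.search(splunk_to_python(pattern), event)
    return m.groupdict() if m else {}


def classify(event: str, sourcetype_regex: str, level_id_regex: str) -> dict:
    """Mimic the add-on's chain: the event is only typed cisco:asa when the forcing
    regex matches, and the per-message extraction is only attempted in that case."""
    if not re.search(splunk_to_python(sourcetype_regex), event):
        return {"sourcetype": None, "fields": {}}
    fields = extract(level_id_regex, event)
    if fields.get("message_id") == "722041":
        fields.update(extract(MSG_722041, event))
    return {"sourcetype": "cisco:asa", "fields": fields}


VARIANTS = {
    "from": (SOURCETYPE_FROM, LEVEL_ID_FROM),   # original add-on regexes
    "to": (SOURCETYPE_TO, LEVEL_ID_TO),         # the accepted answer's change
    "both": (SOURCETYPE_BOTH, LEVEL_ID_BOTH),   # optional-token variant (mine)
}


def run_matrix() -> dict:
    """Classify each sample event with each regex variant; keyed by (variant, form)."""
    results = {}
    for name, (st_re, lid_re) in VARIANTS.items():
        for form, event in (("plain", EVENT_PLAIN), ("session", EVENT_SESSION)):
            results[(name, form)] = classify(event, st_re, lid_re)
    return results


if __name__ == "__main__":
    for (name, form), res in run_matrix().items():
        print(f"{name:>4} regex, {form:>7} event: "
              f"sourcetype={res['sourcetype']} fields={res['fields']}")
```

Running it shows the "from" regexes dropping the 'session' event at the sourcetype step (so the 722041 fields never get a chance), the "to" regexes fixing that event but no longer matching the plain form, and the optional-token variant handling both; before editing the add-on's stanzas, run your own sample events through this matrix so the change covers every format your devices actually emit.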