Cisco ASA TA message_id not being extracted

Karma1991
Explorer

Up until recently, the InfoSec app VPN dashboards were populating just fine. Recently however they stopped and upon further investigation, it seems like data from our Cisco ASAs are not being extracted correctly. After some troubleshooting I backed up the Splunk_TA_cisco-asa folder and reinstalled the add-on from Splunkbase.

One of the fields that is not being extracted is message_id; Going to the transforms and copying the regex for one of the message_id fields I was able to match events to it, but for some reason Splunk is not extracting it.

The issue continues even after the fresh install of the add-on.

1 Solution

Karma1991
Explorer

Issue has been resolved; the issue is that my ASAs send the logs with the word 'session' in between ASA & the log level. After updating the following stanzas in transforms.conf it started extracting everything as expected. For anyone who runs across the issue of ASA logs not being CIM-compliant and having tags/actions auto-applied, check the following:

  • Change #1
    • From
      [force_sourcetype_for_cisco_asa]
      REGEX = %(?:ASA|FTD)-\d+-\d{6}
    • To
      [force_sourcetype_for_cisco_asa]
      REGEX = %(?:ASA|FTD)-(?:\w*)-\d+-\d{6}
  • Change #2
    • From
      [cisco_asa_log_level_message_id]
      REGEX = %(?:ASA|FTD)-(?<log_level>\d+)-(?<message_id>\d+)
    • To
      [cisco_asa_log_level_message_id]
      REGEX = %(?:ASA|FTD)-(?:\w*)-(?<log_level>\d+)-(?<message_id>\d+)

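As an added check that is not part of this thread or of the Splunk add-on: a small Python script that runs the transforms.conf REGEX values quoted in the solution against two constructed events, one with the classic %ASA-6-722041 prefix and one with the 'session' token, so a regex change can be tested before editing the TA. The sample events, the PCRE-to-Python helper and the BOTH_FORMS_REGEX variant are my own assumptions; the script also shows that the posted change matches only the 'session' form, while making the extra token optional matches both.

```python
import re

# Constructed sample events (not real device output): the classic prefix and the
# "session" variant described in the thread.
CLASSIC_EVENT = ("%ASA-6-722041: TunnelGroup <RA-VPN> GroupPolicy <GP-Default> "
                 "User <jdoe> IP <198.51.100.23> IPv6 Address <> assigned to session")
SESSION_EVENT = ("%ASA-session-6-722041: TunnelGroup <RA-VPN> GroupPolicy <GP-Default> "
                 "User <jdoe> IP <198.51.100.23> IPv6 Address <> assigned to session")

# REGEX values quoted in the thread (cisco_asa_log_level_message_id before and after
# the fix, plus cisco_asa_message_id_722041) and one assumed variant of my own that
# accepts both prefix forms by making the extra token optional.
ORIGINAL_REGEX = r"%(?:ASA|FTD)-(?<log_level>\d+)-(?<message_id>\d+)"
UPDATED_REGEX = r"%(?:ASA|FTD)-(?:\w*)-(?<log_level>\d+)-(?<message_id>\d+)"
BOTH_FORMS_REGEX = r"%(?:ASA|FTD)-(?:\w+-)?(?<log_level>\d+)-(?<message_id>\d+)"
MESSAGE_722041_REGEX = (
    r"-722041:\s*TunnelGroup\s+(?:\<\s*)?(?<tunnel_group>[^\>\s]+)(?:\s*\>)?"
    r"\s+GroupPolicy\s+(?:\<\s*)?(?<group_policy>[^\>\s]+)(?:\s*\>)?"
    r"\s+User\s+(?:\<\s*)?(?<user>[^\>\s]+)(?:\s*\>)?"
    r"\s+IP\s+(?:\<\s*)?(?<src_ip>[^\>\s]+)(?:\s*\>)?"
)

def pcre_to_python(regex):
    """Splunk transforms use PCRE named groups (?<name>...); Python's re module
    only accepts (?P<name>...). Lookbehind syntax (?<= and (?<! is left alone."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", regex)

def extract(regex, event):
    """Return the named captures a transforms.conf REGEX yields for one event,
    or None when the stanza would not fire at all."""
    m = re.search(pcre_to_python(regex), event)
    return m.groupdict() if m else None

def check_all():
    """Run each prefix regex against both event forms. A None means the field
    extraction, and every eventtype/tag built on it, silently stops working."""
    results = {}
    for name, regex in (("original", ORIGINAL_REGEX),
                        ("updated", UPDATED_REGEX),
                        ("both_forms", BOTH_FORMS_REGEX)):
        results[name] = {"classic": extract(regex, CLASSIC_EVENT),
                         "session": extract(regex, SESSION_EVENT)}
    return results

if __name__ == "__main__":
    for name, per_event in check_all().items():
        print(name, per_event)
    print("722041 fields:", extract(MESSAGE_722041_REGEX, SESSION_EVENT))
```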

richgalloway
SplunkTrust
Did something change on your ASAs? A new version, perhaps, or maybe an admin changed how logs are created?
Compare the message_id field in your data with that expected by the TA and modify the TA to work with your data.
---
If this reply helps you, Karma would be appreciated.

Karma1991
Explorer

You get an upvote just for helping; how 'bout that!?

But no, the ASA version has not changed; what's changed is that Splunk, apps & add-ons have been upgraded. But like I said, going to Splunk_TA_cisco-asa/default/transforms.conf and copying the REGEX from below, Splunk matches it to events in search but the field is not extracted, thus causing eventtypes not to work, which in turn causes CIM tags not to be applied correctly.

[cisco_asa_message_id_722041]
REGEX = -722041:\s*TunnelGroup\s+(?:\<\s*)?(?<tunnel_group>[^\>\s]+)(?:\s*\>)?\s+GroupPolicy\s+(?:\<\s*)?(?<group_policy>[^\>\s]+)(?:\s*\>)?\s+User\s+(?:\<\s*)?(?<user>[^\>\s]+)(?:\s*\>)?\s+IP\s+(?:\<\s*)?(?<src_ip>[^\>\s]+)(?:\s*\>)?

