
Cisco Firewall Add-on - empty results

Explorer

In Security Suite under Firewall > Overview, the search shows no results. Viewing the Inspect shows the search: eventtype="cisco_firewall" | bin _time span=5m | stats count by eventtype, src_ip, dest_ip, host, log_level_desc, event_desc, _time

If I remove each transform filter one at a time, I find that neither log_level_desc nor event_desc will return results, as if they do not exist in the indexed data. If I remove them both, then results are displayed.

Where do I start looking?
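As an added example (not code from the add-on or from anyone in this thread), the script below parses constructed Cisco ASA syslog lines, derives log_level_desc from the severity digit in the %ASA-<severity>-<id> header, fills event_desc from a small constructed message-id lookup (a stand-in for the add-on's real lookup table), and then mimics what stats count by does: an event missing any by-field is dropped from every row. With the lookup empty the same events still parse, but the stats result is empty, which is the symptom described above. The enrichment_gap helper is the check to run first: it shows whether events are present but unenriched.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample syslog lines in Cisco ASA format (not taken from the thread).
SAMPLE_LOGS = [
    "<166>Jan 10 12:00:01 fw01 %ASA-6-302013: Built outbound TCP connection 1234 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51234 (10.0.0.7/51234)",
    "<163>Jan 10 12:00:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 "
    "dst inside:10.0.0.7/22 by access-group \"OUTSIDE_IN\" [0x0, 0x0]",
    "Jan 10 12:00:03 fw01 unrelated line that is not an ASA message",
]

# Header of every ASA message: %ASA-<severity>-<six-digit message id>: <text>
ASA_HEADER = re.compile(
    r"%(?P<vendor>ASA|FWSM|PIX)-(?P<level>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)

# Cisco syslog severity numbers and their standard names.
LOG_LEVEL_DESC = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed stand-in for a CSV lookup keyed on message id. Only two rows exist,
# so any other message id gets no event_desc; the 302013 text is a made-up template.
EVENT_DESC_LOOKUP = {
    "106023": "Deny protocol src [interface_name:source_address/source_port] dst "
              "interface_name:dest_address/dest_port [type {string}, code {code}] "
              "by access_group acl_ID",
    "302013": "Built TCP connection (constructed template text)",
}


def parse_asa(line: str) -> Optional[Dict[str, object]]:
    """Extract severity, message id and text from one ASA syslog line.
    Returns None for lines that are not ASA messages."""
    m = ASA_HEADER.search(line)
    if not m:
        return None
    level = int(m.group("level"))
    return {
        "vendor": m.group("vendor"),
        "log_level": level,
        "log_level_desc": LOG_LEVEL_DESC[level],
        "message_id": m.group("msgid"),
        "message": m.group("text"),
    }


def enrich(event: Dict[str, object], lookup: Dict[str, str]) -> Dict[str, object]:
    """Add event_desc from the message-id lookup. A missing row leaves the field
    absent, just as a lookup that finds nothing adds no field to the event."""
    out = dict(event)
    desc = lookup.get(str(event["message_id"]))
    if desc is not None:
        out["event_desc"] = desc
    return out


def stats_count_by(events: List[Dict[str, object]], by_fields: List[str]) -> Dict[tuple, int]:
    """Mimic `stats count by f1, f2, ...`: an event lacking ANY by-field contributes
    to no row, so one unpopulated field is enough to empty the whole result."""
    counts: Counter = Counter()
    for ev in events:
        if all(f in ev for f in by_fields):
            counts[tuple(ev[f] for f in by_fields)] += 1
    return dict(counts)


def enrichment_gap(events: List[Dict[str, object]], fields: List[str]) -> Dict[str, int]:
    """Count events missing each named field: the first check to run when a panel
    is empty but the raw search still returns events."""
    return {f: sum(1 for ev in events if f not in ev) for f in fields}


if __name__ == "__main__":
    parsed = [e for e in map(parse_asa, SAMPLE_LOGS) if e]
    enriched = [enrich(e, EVENT_DESC_LOOKUP) for e in parsed]
    print(stats_count_by(enriched, ["log_level_desc", "event_desc"]))
    # Same events, empty lookup: the stats rows vanish while the data is still there.
    broken = [enrich(e, {}) for e in parsed]
    print(stats_count_by(broken, ["log_level_desc", "event_desc"]))
    print(enrichment_gap(broken, ["log_level_desc", "event_desc"]))
```

Note that when event_desc is populated from such a lookup it carries the fixed description template for that message id, not the text of the individual log line; the template-looking value in a later post is consistent with that behaviour, while the empty panel in the question is consistent with the lookup not populating at all.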

New Member

My sourcetype is 'cicso__asa' after fixing the regex, but in "Cisco Firewall overview", for example, the field event_desc shows something like this:

"Deny protocol src [interface_name:sourceaddress/source_port] dst interfacename:dest_address/dest_port [type {string}, code {code}] by accessgroup aclID"

The other fields get extracted correctly. Perhaps someone has a hint?
Where is the field event_desc defined? Can I manually edit it?
Thanks in advance

Bpad


New Member

Mine is also v8.2. What versions are other people using? This ASA plugin is great and I hope someone can help to fix this!


Contributor

I notice this too, but my data is from v8.2; must be an extraction issue in the base app?


Contributor

If it's a newer ASA, then maybe you need to fix the regex for this sourcetype.
See http://splunk-base.splunk.com/answers/42936/cisco-asa-logging-format-change
