In Security Suite under Firewall > Overview the search shows no results. Viewing the Inspect shows: search eventtype="cisco_firewall" | bin _time span=5m | stats count by eventtype, src_ip, dest_ip, host, log_level_desc, event_desc, _time
If I remove each transform filter one at a time I find that neither log_level_desc nor event_desc will return results, as if they do not exist in the indexed data. If I remove them both, then results are displayed.
Where do I start looking?
My sourcetype is 'cicso__asa' after fixing the regex, but in "Cisco Firewall overview", for example, the field event_desc shows something like this:
"Deny protocol src [interface_name:sourceaddress/source_port] dst interfacename:dest_address/dest_port [type {string}, code {code}] by accessgroup aclID"
The other fields get extracted correctly. Perhaps someone has a hint?
Where is the field event_desc defined? Can I manually edit it?
Thanks in advance
Bpad
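A way to check the extraction side of this problem outside Splunk, as an added example that is not part of the thread and not the app's own transform: the regex below is written from the Deny message shape quoted above, the sample syslog lines are constructed, the log_level_desc table is the standard Cisco ASA severity list, and the event_desc lookup is a hypothetical stand-in for whatever the app uses. The missing_fields() check mirrors the diagnostic in the first post, where removing log_level_desc and event_desc from the stats clause made results reappear: it reports which required fields no event produced.

```python
import re

# Constructed sample ASA syslog lines (not from the thread). The first two
# match the Deny message shape quoted above; the third is an unrelated
# message the Deny regex will not match.
SAMPLE_LINES = [
    'Jan 10 12:00:01 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/44321 '
    'dst inside:10.0.0.8/443 by access-group "outside_in" [0x0, 0x0]',
    'Jan 10 12:00:02 fw01 %ASA-4-106023: Deny icmp src outside:203.0.113.9 '
    'dst inside:10.0.0.8 [type 8, code 0] by access-group "outside_in" [0x0, 0x0]',
    'Jan 10 12:00:03 fw01 %ASA-6-302013: Built inbound TCP connection 12345 '
    'for outside:198.51.100.2/51000 (198.51.100.2/51000) to inside:10.0.0.8/443 (10.0.0.8/443)',
]

# Assumed extraction regex written from the message shape quoted in the thread:
#   Deny protocol src [interface:addr/port] dst interface:addr/port
#   [type {string}, code {code}] by access-group aclID
# It is not the app's own transform; ports and the ICMP type/code are optional.
DENY_RE = re.compile(
    r"%ASA-(?P<severity>\d)-(?P<message_id>\d{6}): "
    r"Deny (?P<protocol>\w+) "
    r"src (?P<src_interface>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dest_interface>[^:\s]+):(?P<dest_ip>[\d.]+)(?:/(?P<dest_port>\d+))?"
    r"(?: \[type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\])?"
    r' by access-group "?(?P<acl_id>[^"\s]+)"?'
)

# Cisco ASA syslog severity levels (standard Cisco names, not app-specific).
LOG_LEVEL_DESC = {
    "0": "emergencies", "1": "alerts", "2": "critical", "3": "errors",
    "4": "warnings", "5": "notifications", "6": "informational", "7": "debugging",
}

# Hypothetical event_desc lookup keyed by message id. The symptom in the
# thread is that placeholders like these are shown verbatim; here they are
# filled in from the extracted fields.
EVENT_DESC_TEMPLATES = {
    "106023": "Deny {protocol} from {src_ip} to {dest_ip} by access-group {acl_id}",
}


def extract_fields(line):
    """Return a dict of fields for a Deny line, or None if the regex does not match."""
    m = DENY_RE.search(line)
    if not m:
        return None
    # Drop optional groups that did not participate, as a Splunk extraction would.
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    fields["log_level_desc"] = LOG_LEVEL_DESC.get(fields["severity"], "unknown")
    template = EVENT_DESC_TEMPLATES.get(fields["message_id"])
    if template:
        fields["event_desc"] = template.format(**fields)
    return fields


def missing_fields(lines, required):
    """Names in `required` that no line produced.

    A `stats count by` over a field no event carries yields nothing, which is
    the behaviour described in the first post; this tells you which field is
    the culprit before touching the search.
    """
    seen = set()
    for line in lines:
        fields = extract_fields(line)
        if fields:
            seen.update(fields)
    return sorted(set(required) - seen)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_fields(line))
    print("missing:", missing_fields(SAMPLE_LINES, ["src_ip", "dest_ip", "log_level_desc", "event_desc"]))
```

Running it against only the third sample line reports src_ip and event_desc as missing, which is the same situation as a sourcetype whose regex no longer matches the firmware's log format: the base fields and the derived lookup fields vanish together.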
Mine is also v8.2. What versions are other people using? This ASA plugin is great and I hope someone can help to fix this?!
I notice this too, but my data is from v8.2; it must be an extraction issue in the base app?
If it's a newer ASA then maybe you need to fix the regex for this sourcetype;
see http://splunk-base.splunk.com/answers/42936/cisco-asa-logging-format-change