Cisco Firewall Add-on - empty results

ahammond
Explorer

In Security Suite, under Firewall > Overview, the search shows no results. Viewing the Inspect shows the search: eventtype="cisco_firewall" | bin _time span=5m | stats count by eventtype, src_ip, dest_ip, host, log_level_desc, event_desc, _time

If I remove each transform filter one at a time, I find that neither log_level_desc nor event_desc will return results, as if they do not exist in the indexed data. If I remove them both, then results are displayed.

Where do I start looking?

bpad
New Member

My sourcetype is 'cisco_asa' after fixing the regex, but in "Cisco Firewall overview", for example, the field event_desc shows something like this:

"Deny protocol src [interface_name:sourceaddress/source_port] dst interfacename:dest_address/dest_port [type {string}, code {code}] by accessgroup aclID"

The other fields get extracted correctly. Perhaps someone has a hint?
Where is the field event_desc defined? Can I manually edit it?
Thanks in advance

Bpad

0 Karma

bpad
New Member

Mine is also v8.2. What versions are other people using? This ASA plugin is great, and I hope someone can help to fix this!

0 Karma

cvajs
Contributor

I notice this too, but my data is from v8.2; must be an extraction issue in the base app?

0 Karma

cvajs
Contributor

If it's a newer ASA, then maybe you need to fix the regex for this sourcetype.
See http://splunk-base.splunk.com/answers/42936/cisco-asa-logging-format-change

0 Karma
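An added worked example, not part of this thread and not the Cisco Firewall Add-on's own code, that ties together ahammond's diagnosis (removing by-fields one at a time until stats returns rows) and cvajs's point that an extraction regex written for one ASA log format can silently miss another. It mimics the add-on's extraction in plain Python over constructed ASA syslog lines: a header regex pulls severity and message ID, a severity table supplies log_level_desc, a message-ID lookup supplies event_desc, and a small stats-style aggregation shows why a single never-extracted by-field empties the whole result. The sample lines, both header regexes, the endpoint regexes and the EVENT_DESC table are assumptions made for illustration; a real deployment uses the add-on's props/transforms and lookup files.

```python
import re
from collections import Counter

# Constructed sample events (not taken from the thread). Every line carries a
# syslog timestamp/host prefix in front of the "%ASA-<severity>-<message_id>:" tag.
SAMPLE_LOGS = [
    "Jan 10 12:00:01 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for "
    "outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    "Jan 10 12:00:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst "
    "inside:10.0.0.9/22 by access-group \"outside_in\" [0x0, 0x0]",
    "Jan 10 12:00:03 fw01 %ASA-6-305011: Built dynamic TCP translation from "
    "inside:10.0.0.5/51234 to outside:203.0.113.1/1024",
    "Jan 10 12:00:04 fw01 %ASA-3-710003: TCP access denied by ACL from "
    "198.51.100.7/4444 to outside:203.0.113.1/22",
]

# Cisco syslog severity numbers and their names.
LOG_LEVEL_DESC = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed message-ID lookup standing in for the add-on's own lookup table.
# 305011 is deliberately absent so that one event ends up with no event_desc.
EVENT_DESC = {
    "302013": "Built {direction} {protocol} connection",
    "106023": "Deny protocol src [interface_name:source_address/source_port] "
              "dst interface_name:dest_address/dest_port by access-group acl_ID",
    "710003": "{protocol} access denied by ACL",
}

# Two candidate header regexes (assumed, not the add-on's). STRICT only matches a
# line that begins with the %ASA tag; RELAXED finds the tag anywhere, captures the
# preceding host token, and also accepts FWSM/PIX and an optional facility word.
STRICT_HEADER = re.compile(r"^%ASA-(?P<level>\d)-(?P<msg_id>\d{6}):\s*(?P<msg>.*)$")
RELAXED_HEADER = re.compile(
    r"(?:(?P<host>\S+)\s+)?%(?:ASA|FWSM|PIX)(?:-\w+)?-(?P<level>\d)-(?P<msg_id>\d{6}):\s*(?P<msg>.*)$"
)
# Endpoint extraction for the message body: "src|from|for [iface:]ip/port", "dst|to [iface:]ip/port".
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
SRC_IP = re.compile(r"\b(?:src|from|for)\s+(?:\S+?:)?" + IPV4)
DST_IP = re.compile(r"\b(?:dst|to)\s+(?:\S+?:)?" + IPV4)

BY_FIELDS = ["host", "log_level_desc", "event_desc", "src_ip", "dest_ip"]


def extract_fields(line, header=RELAXED_HEADER):
    """Mimic the add-on's per-event extraction. A field that cannot be extracted is
    None, which is how a missing Splunk field behaves in a stats by-clause."""
    fields = dict.fromkeys(["host", "log_level", "log_level_desc", "msg_id",
                            "event_desc", "src_ip", "dest_ip"])
    m = header.search(line)
    if m is None:
        return fields
    fields["host"] = m.groupdict().get("host")
    level = int(m.group("level"))
    fields["log_level"] = level
    fields["log_level_desc"] = LOG_LEVEL_DESC.get(level)
    fields["msg_id"] = m.group("msg_id")
    fields["event_desc"] = EVENT_DESC.get(fields["msg_id"])
    src = SRC_IP.search(m.group("msg"))
    dst = DST_IP.search(m.group("msg"))
    fields["src_ip"] = src.group("ip") if src else None
    fields["dest_ip"] = dst.group("ip") if dst else None
    return fields


def stats_count_by(events, by_fields):
    """Like `stats count by f1,f2,...`: an event only contributes when every by-field
    is present, so one never-extracted field empties the whole result."""
    counts = Counter()
    for ev in events:
        key = tuple(ev.get(f) for f in by_fields)
        if all(v is not None for v in key):
            counts[key] += 1
    return counts


def missing_field_counts(events, by_fields):
    """The thread's diagnosis automated: for each by-field, how many events lack it.
    A field missing from every event is the one to fix, not the one to drop."""
    return {f: sum(1 for ev in events if ev.get(f) is None) for f in by_fields}


def run(header):
    """Extract all sample events with one header regex; return the stats rows and
    the per-field missing counts."""
    events = [extract_fields(line, header) for line in SAMPLE_LOGS]
    return stats_count_by(events, BY_FIELDS), missing_field_counts(events, BY_FIELDS)


if __name__ == "__main__":
    for name, header in (("strict", STRICT_HEADER), ("relaxed", RELAXED_HEADER)):
        rows, missing = run(header)
        print(f"{name}: {sum(rows.values())} event(s) survive stats, missing={missing}")
        for key, n in rows.items():
            print("  ", n, dict(zip(BY_FIELDS, key)))
```

With the strict header regex none of the prefixed lines match, every by-field is missing from every event, and the stats-style aggregation returns no rows at all, which is the symptom in the original post. With the relaxed regex three of the four events survive; the one with an unknown message ID is dropped only because event_desc is absent, which is why removing a by-field from the search makes rows reappear without fixing anything. The same check on real data is to run the search without the stats clause and look at which of the by-fields are actually populated per event.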