New to Splunk... (running a single physical box on Win2008R2)
We need to capture data from Cisco ASA.
We have installed Cisco Security Suite (3.0.3) and then I followed the documentation and also installed the Splunk Add-on for Cisco ASA.
Is it now just a matter of configuring the ASA to send the data over to Splunk by running the following?
hostname(config)# logging host interfacename ipaddress [tcp[/port] | udp[/port]] [format emblem]
Do I need to create a dedicated index to store the data, or can I keep it on the "main" index? If so, how do I do that?
Thanks in anticipation.
Hi @RB51 / @demonio316,
You'll need to configure your ASA to send Syslog with either UDP or TCP, not forgetting that you'll need to have your data input configured on your Splunk server to listen for the syslog data.
Settings > Data Inputs > TCP or UDP.
There is nothing wrong with using the default ports when configuring your new inputs, but I would think about any potential future inputs and perhaps use a non-default port for syslog (the default is UDP 514). This gives you flexibility when creating more at a later date.
The benefit of TCP over UDP is that you stand a better chance of receiving the data. I'm not a networking guru, so I'll describe UDP as "fire and forget": if it gets there... it gets there; if not... oh well. TCP is much cleverer and will get the data there (as you're working with ASA, you may well already know this; apologies if this covers old ground).
At the point of creating your data input you will need to specify the sourcetype as cisco:asa:
- Set Sourcetype: Manual
- In the text box, enter cisco:asa (without the quotes)
Now, you can choose to keep the data in the main index or create another index, that's entirely up to you. The Cisco security suite will work regardless as it looks for the sourcetype of cisco:ios, not the index that is being used.
Again, I would think about how this will scale in the future and whether you would potentially like to separate your firewall data from any other data you are going to index.
If you do choose to use a separate index you'll need to create a new one: Settings > Indexes > New. From the sounds of it at this point you'll only need to enter the Index Name and not worry about the other fields. Now that you've created your new index you can specify this on your data input (Settings > Data Inputs).
Edit the input previously created to receive your syslog data.
An example follows on the assumption that you are using a TCP input and a separate index... Again, you can tweak this for your environment:
TCP Port: 8514
Accept connections from all hosts?: Yes
Source name override: N/A
Set Sourcetype: Manual
Sourcetype: Cisco:asa
More Settings: Tick
Host: DNS
Index: RB-Cisco-IOS
With the above, your Splunk server would now be listening on TCP port 8514; any data received on that port will have the sourcetype set as Cisco:asa (as needed by the Cisco app) and the data placed in the RB-Cisco-IOS index.
If you do create a new index, as mentioned previously, you will need to ensure it is searchable by default.
Settings > Access Controls > Roles
At this stage I'm guessing you have the default roles and you'll be a member of the Admin role. If this is true, select the admin role; otherwise select the role that you are a member of.
Scroll down to "Indexes searched by default" and then select the newly created index from the "Available Indexes" window.
Note: Repeat this process if other users whom you want to search the data are in different roles from the one(s) added above.
With the above you can get a rough idea of why separate indexes might be a good thing over time: you can put security in place by only allowing certain users with certain roles to search different data types within Splunk...
I'm not an ASA expert, but I believe you'll need the following commands (from this reference guide: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/...)
ciscoasa(config)# logging host interfacename splunkserver-ip tcp 8514 format emblem
ciscoasa(config)# logging trap errors
ciscoasa(config)# logging permit-hostdown
With the above commands, tcp can be replaced with udp, as can the port specified (8514); replace these with whatever you choose to create as your data input.
logging trap errors - errors can be replaced with another of the logging levels. Errors is a good place to start, but if you see you are missing data from the app, change the level to get greater detail... Be warned, upping the level will impact your licence.
logging permit-hostdown - in my mind, this is a must. If for whatever reason the Splunk server is unreachable, new connections will still be allowed through your ASA.
I really hope this helps; this was quite rushed as I'm at work and I've only been working with the Cisco app for a short while. Splunk is a great tool and I really hope it works well for you!
If you have any questions, please do reply and I'll do my best to monitor this thread.
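To make the "logging trap errors" trade-off in the answer above concrete, here is an added example (not part of the original thread or of the Splunk add-on) that parses the %ASA-severity-messageID header of constructed ASA syslog lines and shows which events each trap level would forward. The sample events, hostnames and addresses are made up for illustration.

```python
import re

# Cisco ASA severity levels accepted by "logging trap <level>"; the ASA
# forwards every message whose severity number is <= the configured level.
ASA_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Matches the ASA message header, e.g. "%ASA-6-302013:" -> severity 6, ID 302013.
ASA_HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):")

# Constructed sample events (not captured from a real firewall); the message
# IDs follow the ASA format, but hosts, times and addresses are invented.
SAMPLE_EVENTS = [
    "Jun 10 14:01:02 fw01 %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:198.51.100.20/443 to inside:192.0.2.10/51234",
    "Jun 10 14:01:03 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.77/40000 "
    "dst inside:192.0.2.10/22 by access-group \"outside_in\"",
    "Jun 10 14:01:04 fw01 %ASA-3-710003: TCP access denied by ACL from "
    "198.51.100.77/40001 to outside:203.0.113.5/22",
    "Jun 10 14:01:05 fw01 %ASA-6-106100: access-list inside_out permitted tcp "
    "inside/192.0.2.10(51235) -> outside/198.51.100.20(80) hit-cnt 1",
    "Jun 10 14:01:06 fw01 %ASA-5-111008: User 'admin' executed the "
    "'logging trap errors' command.",
    "Jun 10 14:01:07 fw01 %ASA-2-106001: Inbound TCP connection denied from "
    "198.51.100.77/40002 to 203.0.113.5/3389 flags SYN on interface outside",
]

def parse_event(line):
    """Return (severity, message_id) from an ASA syslog line, or None without an ASA header."""
    m = ASA_HEADER.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid")

def forwarded_at(level_name, events):
    """Return the events the ASA would send to syslog under 'logging trap <level_name>'."""
    max_sev = ASA_LEVELS[level_name]
    return [ln for ln in events if (p := parse_event(ln)) and p[0] <= max_sev]

def coverage_report(events):
    """Count how many sample events each trap level forwards, so the volume
    (and licence) cost of raising the level is visible before changing it."""
    return {name: len(forwarded_at(name, events)) for name in ASA_LEVELS}

if __name__ == "__main__":
    for name, n in coverage_report(SAMPLE_EVENTS).items():
        print(f"logging trap {name:<14} -> {n}/{len(SAMPLE_EVENTS)} events forwarded")
```

At "errors" only the two deny events at severity 3 and 2 are forwarded; the connection-built and access-list-permitted messages the Cisco app relies on for traffic views only appear from "informational" upwards.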
Splunk is super flexible. By default, all the ASA data will go to the main index, but you can create a new index if you want for your ASA data. To get started, I recommend keeping everything in main to ensure everything is working.
If you do create a new index, you will need to do one of the following:
jconger, apologies for this late reply as I was without access to computers for the past 4 days...
thank you for the info provided. In fact it seems that it is NOT working at the moment.
I will need to get this resolved first as per your suggestion.