Cisco Security Suite: Why is Splunk Add-on for Cisco ASA lookup definition for "action" not working?

Richfez
SplunkTrust

EDIT : New information at the end.

When I run a search over our ASA, all the fields defined by the splunk_ta_cisco-asa work except one. I have severity lookups and vendor classes, but I have no "action" defined even though it should be. This is important because a lot of graphs in the network side of the Cisco Security Suite require "action" to be defined in order to report.

I'm not an expert by any means, but I spent time last week trying to track down how it should be doing what it doesn't quite do, but I still can't figure out why it's not working.

In props.conf, the lookup for action is defined right next to several lookups that work fine (like the severity lookup).
LOOKUP-cisco-asa-action_lookup = cisco_action_lookup vendor_action OUTPUT action

In transforms.conf, again next to others that work fine, the cisco_action_lookup is defined.
[cisco_action_lookup]
filename = cisco_action_lookup.csv

So, one of the broken searches is this:
eventtype=cisco-firewall action="*" | timechart count by action

It is easy to modify it to be a working search and test that the lookup actually works by just manually specifying the lookup ahead of search action="*":
`eventtype=cisco-firewall | lookup cisco_action_lookup vendor_action OUTPUT action | search action="*" | timechart count by action`

The fixed search returns data with action fully populated, unlike the unfixed search.

UPDATE : I have found out more and though it still doesn't make sense to me, perhaps it will to someone.

If I aliased the output field at the end so:
LOOKUP-cisco_action_lookup = cisco_action_lookup vendor_action OUTPUT action AS aa_action
then aa_action shows up just fine.

When I again remove the alias, action disappears from the output.

UNLESS I run a wide enough search (a day's worth of data or more) then I can sometimes find ONE "action" set to "unknown". So when aliased to aa_action, it shows up on about 20-35% of the events depending on what time period you pick. When not aliased, I get approximately one "action" per million events and it's set to unknown. (And it is indeed an odd line).

Can "action" be being unset somehow? Early on I grepped through the etc folders making sure, but I could have missed something. How best to find such a thing, if this is what's happening?

joelyon
Explorer

I also had the same issue with the Splunk_TA_cisco-asa ver 3.2.

issue earlier today... I believe the problem with version 3.2 is that two LOOKUP statements at the end of the cisco:asa sourcetype section were incomplete, causing the "action" LOOKUP to not be exercised correctly....

Here are the corrected/completed LOOKUP statements:
LOOKUP-cisco_asa_change_analysis = cisco_asa_change_analysis_lookup message_id OUTPUTNEW change_class change_description action change_type object_type
LOOKUP-cisco-asa_severity_expansion = cisco_asa_syslog_severity_lookup log_level OUTPUT severity_level description

This corrected the problem for me.
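
As an added example (not code from this thread or from the Splunk_TA_cisco-asa add-on), the script below parses LOOKUP- keys of the shape shown in the question and the accepted answer, flags a statement that stops right after OUTPUT or OUTPUTNEW, and then runs one constructed event through the broken and the corrected set of lookups. The props.conf fragment, the CSV tables and the event are constructed for the example; the lookup semantics it models (OUTPUT overwrites an existing field, OUTPUTNEW keeps an existing non-empty value, an unloadable lookup writes nothing) are assumptions about how the engine behaves, not something observed on this page.

```python
import csv
import io
import re

# Constructed props.conf fragment for the cisco:asa sourcetype (sample data,
# not the TA's real file). The first and third LOOKUP- lines are complete; the
# second ends right after OUTPUTNEW, the shape the accepted answer describes.
PROPS_TEXT = """\
[cisco:asa]
LOOKUP-cisco-asa-action_lookup = cisco_action_lookup vendor_action OUTPUT action
LOOKUP-cisco_asa_change_analysis = cisco_asa_change_analysis_lookup message_id OUTPUTNEW
LOOKUP-cisco-asa_severity_expansion = cisco_asa_syslog_severity_lookup log_level OUTPUT severity_level description
"""

# The completed line as given in the accepted answer.
FIXED_CHANGE_ANALYSIS = ("LOOKUP-cisco_asa_change_analysis = cisco_asa_change_analysis_lookup "
                         "message_id OUTPUTNEW change_class change_description action change_type object_type")

# Constructed CSV lookup tables: tiny stand-ins for the TA's real CSV files.
CSV_TABLES = {
    "cisco_action_lookup": "vendor_action,action\nDeny,blocked\nBuilt,allowed\n",
    "cisco_asa_change_analysis_lookup": "message_id,change_class,action\n111008,config,modified\n",
    "cisco_asa_syslog_severity_lookup": "log_level,severity_level,description\n4,medium,warning\n",
}

LOOKUP_KEY = re.compile(r"^(LOOKUP-[^\s=]+)\s*=\s*(.*)$")


def _pairs(tokens):
    """Expand 'lf1 AS ef1 lf2' into [(lookup_field, event_field), ...]."""
    pairs, i = [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1].upper() == "AS":
            pairs.append((tokens[i], tokens[i + 2]))
            i += 3
        else:
            pairs.append((tokens[i], tokens[i]))
            i += 1
    return pairs


def parse_lookup(name, value):
    """Split one LOOKUP- value into table, inputs, mode and outputs; flag incomplete ones."""
    tokens = value.split()
    table, rest = (tokens[0] if tokens else ""), tokens[1:]
    mode, inputs, outputs = None, rest, []
    for i, tok in enumerate(rest):
        if tok.upper() in ("OUTPUT", "OUTPUTNEW"):
            mode, inputs, outputs = tok.upper(), rest[:i], rest[i + 1:]
            break
    spec = {"name": name, "table": table, "mode": mode or "OUTPUT",
            "inputs": _pairs(inputs), "outputs": _pairs(outputs), "problem": None}
    if not table or not inputs:
        spec["problem"] = "no lookup table or no input field"
    elif mode and not outputs:
        spec["problem"] = f"{mode} is present but no output fields follow it"
    return spec


def lint_props(text):
    """Return the parsed spec of every LOOKUP- key in a props.conf fragment, in file order."""
    specs = []
    for line in text.splitlines():
        m = LOOKUP_KEY.match(line.strip())
        if m:
            specs.append(parse_lookup(m.group(1), m.group(2)))
    return specs


def load_tables(tables):
    return {name: list(csv.DictReader(io.StringIO(text))) for name, text in tables.items()}


def apply_lookups(event, specs, tables):
    """Modelled automatic-lookup pass over one event (assumed semantics, not the engine):
    specs run in file order, an incomplete spec writes nothing, OUTPUT overwrites,
    OUTPUTNEW leaves an existing non-empty value alone."""
    event = dict(event)
    for spec in specs:
        if spec["problem"]:
            continue
        in_cols = {lf for lf, _ in spec["inputs"]}
        match = next((r for r in tables.get(spec["table"], [])
                      if all(r.get(lf) == event.get(ef) for lf, ef in spec["inputs"])), None)
        if match is None:
            continue
        # With no OUTPUT clause every non-input column is written.
        outputs = spec["outputs"] or [(c, c) for c in match if c not in in_cols]
        for lf, ef in outputs:
            if lf not in match:
                continue  # named in props.conf but absent from the CSV
            if spec["mode"] == "OUTPUTNEW" and event.get(ef):
                continue
            event[ef] = match[lf]
    return event


def demo():
    """Lint the fragment, then run the same event through the broken and the corrected set."""
    tables = load_tables(CSV_TABLES)
    event = {"vendor_action": "Deny", "message_id": "111008", "log_level": "4"}
    broken = lint_props(PROPS_TEXT)
    fixed_text = "\n".join(FIXED_CHANGE_ANALYSIS if l.startswith("LOOKUP-cisco_asa_change_analysis") else l
                           for l in PROPS_TEXT.splitlines())
    fixed = lint_props(fixed_text)
    return {"problems": {s["name"]: s["problem"] for s in broken if s["problem"]},
            "broken": apply_lookups(event, broken, tables),
            "fixed": apply_lookups(event, fixed, tables)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `problems` entry is the check worth running against a TA's own props.conf: any LOOKUP- key whose OUTPUT/OUTPUTNEW clause has nothing after it. The `fixed` result also shows why the corrected change-analysis line is safe next to the action lookup: it lists `action` under OUTPUTNEW, so a value already set by cisco_action_lookup is kept rather than overwritten.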

Richfez
SplunkTrust

Changing those two lines did the trick!

vmicovic2
Explorer

Hi, I have the latest version, 3.4.0, and have a similar problem...
3 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.

Could not load lookup=LOOKUP-cisco-asa-action_lookup
Could not load lookup=LOOKUP-cisco-pix-action_lookup
Could not load lookup=LOOKUP-cisco_fwsm_action_lookup

I am not sure where I need to fix this, can you please explain?

Thanks.

Richfez
SplunkTrust

@vmicovic2,
You are probably better off asking a new question, since this question was closed and answered 4 years ago.

(Also - I'd look at your various lookup permissions, but if you post this with some supporting information as a new question I'm sure you'll get a LOT more detail to help you solve your problem faster and better!)

rtrobock
New Member

Looks like in 3.2.4, the severity_expansion lookup is still not complete

jordanperks
Path Finder

I am currently experiencing the exact same issue. If, in the automatic lookup, I change the way the action field is displayed to "action1" I get an action1 field. If I go back to action I get nothing.

Richfez
SplunkTrust

Yes, I've opened a case on this because it seems that it's not quite a "Cisco Security Suite" problem, more of just a LOOKUP issue. I have done a bit more work trying to decide where the problem lies:

I have found that disabling the other couple of apps that "create" an action field and commenting out all the remaining places it might get created does not fix the issue.

I also found that recreating that lookup in etc/apps/search/local/transforms.conf and props.conf, then removing them entirely from the Cisco ASA TA also does not make them work (except for that once-in-a-million event that appears to be tagged correctly as "action=unknown").

I may need to update the answer, here, or perhaps close this one and re-open a new answers question excluding (or minimizing) the Cisco Security Suite side of things.
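
The question and the post above both come down to finding every place in a Splunk configuration that can write or overwrite a field called "action". As an added example that is not part of this thread, the script below walks a $SPLUNK_HOME/etc tree (a constructed miniature one here, built in a temporary directory), collects every props.conf key that can produce a field by that name (LOOKUP-, EVAL-, FIELDALIAS-, REPORT-, EXTRACT-), and orders the hits by a simplified configuration-layer precedence (system/local, then an app's local, then an app's default). The file contents are constructed; on a real install, `splunk btool props list cisco:asa --debug` gives the merged view with the source file of each key.

```python
import os
import re
import tempfile

# Constructed miniature etc/ tree (assumed layout, not a real install): three
# layers each touching "action" for the cisco:asa sourcetype in a different way.
SAMPLE_TREE = {
    "apps/Splunk_TA_cisco-asa/default/props.conf": """\
[cisco:asa]
LOOKUP-cisco-asa-action_lookup = cisco_action_lookup vendor_action OUTPUT action
LOOKUP-cisco-asa_severity_expansion = cisco_asa_syslog_severity_lookup log_level OUTPUT severity_level description
""",
    "apps/search/local/props.conf": """\
[cisco:asa]
EVAL-action = if(isnull(action), "unknown", action)
""",
    "system/local/props.conf": """\
[cisco:asa]
FIELDALIAS-vendor_action = vendor_action AS action
""",
}

# Key prefixes that create or rewrite a search-time field.
WRITERS = ("LOOKUP-", "EVAL-", "FIELDALIAS-", "REPORT-", "EXTRACT-")


def build_tree(root, files):
    """Write the constructed sample files under root."""
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


def parse_conf(path):
    """Yield (stanza, key, value) from a Splunk-style .conf file; comments and blanks skipped."""
    stanza = "default"
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                stanza = line[1:-1]
            elif "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                yield stanza, key, value


def layer_rank(rel_path):
    """Simplified precedence for a conflicting key: system/local wins over an app's
    local, which wins over an app's default. Lower number means higher precedence."""
    parts = rel_path.split(os.sep)
    if parts[:2] == ["system", "local"]:
        return 0
    if parts[0] == "apps" and len(parts) > 2 and parts[2] == "local":
        return 1
    if parts[0] == "apps" and len(parts) > 2 and parts[2] == "default":
        return 2
    return 3


def find_field_writers(etc_root, field, stanza_filter=None):
    """Return (relative path, stanza, key, value) for every props.conf key that can
    write `field`, either by naming it as the key target (EVAL-action) or by
    naming it in the value (... OUTPUT action, ... AS action)."""
    word = re.compile(rf"\b{re.escape(field)}\b")
    hits = []
    for dirpath, _, names in os.walk(etc_root):
        if "props.conf" not in names:
            continue
        path = os.path.join(dirpath, "props.conf")
        rel = os.path.relpath(path, etc_root)
        for stanza, key, value in parse_conf(path):
            if stanza_filter and stanza != stanza_filter:
                continue
            if not key.startswith(WRITERS):
                continue
            target = key.split("-", 1)[1]
            if target == field or word.search(value):
                hits.append((layer_rank(rel), rel, stanza, key, value))
    hits.sort()
    return [(rel, stanza, key, value) for _, rel, stanza, key, value in hits]


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_tree(root, SAMPLE_TREE)
        return find_field_writers(root, "action", stanza_filter="cisco:asa")


if __name__ == "__main__":
    for rel, stanza, key, value in demo():
        print(f"{rel}  [{stanza}]  {key} = {value}")
```

Point the walk at a real `etc` directory (`find_field_writers("/opt/splunk/etc", "action", "cisco:asa")`, path assumed) to get the same listing for an installation; the ordering tells you which copy of a duplicated key is in effect, and the value column shows the aliases and calculated fields that can hand a field the same name as a lookup's output.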

jordanperks
Path Finder

Everything you tried, I also tried with the same results as you.

jordanperks
Path Finder

I have found a workaround that will populate the data model/ES dashboards effectively, but still do not have any luck in search. For now I have built a quick macro for manually invoking the lookup in search. I would be very interested in what you find out.
