Hi;
We have multiple Cisco ASAs sending in rsyslog data to an rsyslog server.
Rsyslog separates the data from them into /var/log/firewalls.log.
The "Splunk Add-on for Cisco ASA v3.0.0" is reading the above firewalls.log file:
[monitor:///var/log/firewalls.log]
host_segment = 4
source = cisco:asa
sourcetype = cisco:asa
disabled = false
index = firewalls
and the data is being pushed into the firewalls index, and the "Cisco Security Suite v3.0.3" is showing the data.
The only problem is the data is all being shown as host=splunk-server-hostname and not the sending firewall's hostname.
Below is an example of the log info coming from the ASAs:
2014-06-19T15:27:32.308605+10:00 dov-asa5540-ra-6d-01.company.com.au %ASA-6-302016: Teardown UDP connection 271626409 for inside:10.64.18.181/57586 to inside:10.10.167.239/9297 duration 0:02:01 bytes 16637
2014-06-19T15:27:31.080466+10:00 dov-asa5540-ra-6d-01.company.com.au %ASA-4-419002: Duplicate TCP SYN from inside:10.244.33.128/59137 to inside:10.10.164.218/139 with different initial sequence number
2014-06-19T06:46:59+10:00 gblon01aggfwl01.company.com.au %ASA-5-106100: access-list inside_access_in denied tcp inside/10.246.26.82(61902) -> outside/192.168.1.21(9100) hit-cnt 1 first hit [0xbe9efe96, 0x0]
Trevor..
(Comment not an Answer - comment field not big enough)
I was just playing with the "Interactive field extractor" with the live data, and realised that not all data has the format of above.
Some hosts are sending data with their IP address in place of the hostname; see the second example below.
2014-06-23T15:47:06.974558+10:00 dov-asa5540-ra-6d-01.company.com.au %ASA-6-302014: Teardown TCP connection 276095923 for outside:10.10.169.155/3125 to inside:10.68.3.12/8080 duration 0:00:00 bytes 17152 TCP FINs (carolt)
2014-06-23T15:47:06.939720+10:00 10.121.156.10 %ASA-4-106023: Deny tcp src inside:10.250.168.104/51617 dst outside:23.146.27.163/80 by access-group "inside_access_in" [0xbe9efe96, 0x0]
So a minor change of plans.
I need a regex to pull from after the first white space to the start of the second white space, and regardless of whether it's an IP or FQDN, then use that as the hostname.
You will need to tell Splunk to override the host field. Here's how -> http://docs.splunk.com/Documentation/Splunk/latest/Data/overridedefaulthostassignments
@jconger, so if I understand correctly, when using a stanza like that described in tollops' question above, I can safely omit the source line since I am explicitly specifying the sourcetype. Is that correct? If so, I believe that will fix tollops' problem since source and host_segment don't work together in this instance.
@vqd361 you can use source to automatically select the correct sourcetype in the Cisco ASA Add-on. You don't have to use that as the source, but you will need to force the sourcetype as specified in the documentation in order for the Cisco Security Suite dashboards to work.
@jconger, what's the purpose of setting source = cisco:asa in the stanza?
That helped and gave me some pointers, but my regex needs some work. All I'm trying to pull out is dov-asa5540-ra-6d-01 from the below line:
2014-06-19T15:27:31.080466+10:00 dov-asa5540-ra-6d-01.company.com.au %ASA-4-419002: Duplicate TCP SYN from inside:10.244.33.128/59137 to inside:10.10.164.218/139 with different initial sequence number
I'm trying to work out the regex to pull the first word after the space, delimited by the "."
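As an added example (not part of the original thread, and not the add-on's own code), here is one regex that covers both of Trevor's cases at once: the FQDN lines, where only the first label (dov-asa5540-ra-6d-01) is wanted, and the lines where the syslog hostname field is a bare IP address, which must be kept whole rather than cut at its first ".". The expression also requires the "%ASA-" tag to follow the hostname field, so a line without that field gets no match and Splunk keeps the default host instead of taking a random word. The script checks the regex against sample lines modelled on the ones quoted above (the fourth line, with no hostname field, is constructed to show the no-match path) and prints the matching props.conf/transforms.conf stanzas for the host override jconger linked to. The stanza name asa_syslog_host is an assumed name.

```python
import re
from typing import Optional

# The expression below is what would go into transforms.conf as REGEX.
# Group 1 is either a dotted-quad IPv4 address (kept whole) or the first
# label of an FQDN (everything up to the first "."). The optional
# "(?:\.\S+)?" swallows the rest of the FQDN, and "\s+%ASA-" pins the match
# to the real hostname field so lines without one do not match at all.
HOST_REGEX = r"^\S+\s+(\d{1,3}(?:\.\d{1,3}){3}|[^\s.]+)(?:\.\S+)?\s+%ASA-"
_HOST_RE = re.compile(HOST_REGEX)

# Stanza name asa_syslog_host is an assumption; the keys are the documented
# ones for an index-time host override.
SPLUNK_CONFIG = f"""\
# props.conf (on the indexer or heavy forwarder that parses the data)
[cisco:asa]
TRANSFORMS-set_host = asa_syslog_host

# transforms.conf
[asa_syslog_host]
REGEX = {HOST_REGEX}
FORMAT = host::$1
DEST_KEY = MetaData:Host
"""

# Constructed sample lines, modelled on the ones quoted in the thread.
SAMPLE_LINES = [
    "2014-06-19T15:27:31.080466+10:00 dov-asa5540-ra-6d-01.company.com.au "
    "%ASA-4-419002: Duplicate TCP SYN from inside:10.244.33.128/59137 "
    "to inside:10.10.164.218/139 with different initial sequence number",
    # Hostname field is a bare IP address: must be captured whole.
    "2014-06-23T15:47:06.939720+10:00 10.121.156.10 %ASA-4-106023: Deny tcp "
    "src inside:10.250.168.104/51617 dst outside:23.146.27.163/80 "
    'by access-group "inside_access_in" [0xbe9efe96, 0x0]',
    "2014-06-19T06:46:59+10:00 gblon01aggfwl01.company.com.au %ASA-5-106100: "
    "access-list inside_access_in denied tcp inside/10.246.26.82(61902) -> "
    "outside/192.168.1.21(9100) hit-cnt 1 first hit [0xbe9efe96, 0x0]",
    # Constructed line with no hostname field at all: must NOT match.
    "%ASA-6-302016: Teardown UDP connection 1 for inside:10.0.0.1/1 "
    "to inside:10.0.0.2/2 duration 0:00:01 bytes 10",
]


def extract_host(line: str) -> Optional[str]:
    """Return the value Splunk would assign to host for this raw event,
    or None when the regex does not match (Splunk then keeps the default
    host, which is the behaviour wanted for malformed lines)."""
    m = _HOST_RE.match(line)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(SPLUNK_CONFIG)
    for line in SAMPLE_LINES:
        print(f"{str(extract_host(line)):22} <- {line[:60]}...")
```

Two practical notes. The override is an index-time transform, so the two stanzas have to live on whichever Splunk instance parses the data (the indexer, or a heavy forwarder in front of it), not on a universal forwarder, and they only affect events indexed after the change; data already in the firewalls index keeps the server's hostname. Separately, host_segment = 4 in the inputs stanza above cannot supply a host for a single file at /var/log/firewalls.log, since that path has only three segments, which is consistent with every event falling back to the default host.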