
Cisco Security Suite app not extracting Host details

tollops
Explorer

Hi;

We have multiple Cisco ASAs sending rsyslog data to an rsyslog server.
Rsyslog separates the data from them into /var/log/firewalls.log

The "Splunk Add-on for Cisco ASA v3.0.0" is reading the above firewalls.log file
[monitor:///var/log/firewalls.log]
host_segment = 4
source = cisco:asa
sourcetype = cisco:asa
disabled = false
index = firewalls

and the data is being pushed into the firewalls index, and the "Cisco Security Suite v3.0.3"
is showing the data.

The only problem is the data is all being shown as host=splunk-server-hostname
and not the sending firewall's hostname.

Below is an example of the log info coming from the ASAs.

2014-06-19T15:27:32.308605+10:00 dov-asa5540-ra-6d-01.company.com.au %ASA-6-302016: Teardown UDP connection 271626409 for inside:10.64.18.181/57586 to inside:10.10.167.239/9297 duration 0:02:01 bytes 16637

2014-06-19T15:27:31.080466+10:00 dov-asa5540-ra-6d-01.company.com.au %ASA-4-419002: Duplicate TCP SYN from inside:10.244.33.128/59137 to inside:10.10.164.218/139 with different initial sequence number

2014-06-19T06:46:59+10:00 gblon01aggfwl01.company.com.au %ASA-5-106100: access-list inside_access_in denied tcp inside/10.246.26.82(61902) -> outside/192.168.1.21(9100) hit-cnt 1 first hit [0xbe9efe96, 0x0]

Trevor..

0 Karma

tollops
Explorer

(Comment not an Answer - comment field not big enough)

I was just playing with the "Interactive field extractor" with the live data, and realised that not all data has the format of the above.
Some hosts are sending data with their IP address in place of the hostname; see the second example below.

2014-06-23T15:47:06.974558+10:00 dov-asa5540-ra-6d-01.company.com.au %ASA-6-302014: Teardown TCP connection 276095923 for outside:10.10.169.155/3125 to inside:10.68.3.12/8080 duration 0:00:00 bytes 17152 TCP FINs (carolt)

2014-06-23T15:47:06.939720+10:00 10.121.156.10 %ASA-4-106023: Deny tcp src inside:10.250.168.104/51617 dst outside:23.146.27.163/80 by access-group "inside_access_in" [0xbe9efe96, 0x0]

So a minor change of plans.
I need a regex to pull from after the first white space to the start of the second white space, and regardless of whether it's an IP or FQDN, then use that as the hostname.

0 Karma

jconger
Splunk Employee

You will need to tell Splunk to override the host field. Here's how -> http://docs.splunk.com/Documentation/Splunk/latest/Data/overridedefaulthostassignments

vqd361
Path Finder

@jconger, so if I understand correctly, when using a stanza like that described in tollops' question above, I can safely omit the source line since I am explicitly specifying the sourcetype. Is that correct? If so, I believe that will fix tollops' problem since source and host_segment don't work together in this instance.

0 Karma

jconger
Splunk Employee

@vqd361 you can use source to automatically select the correct sourcetype in the Cisco ASA Add-on. You don't have to use that as the source, but you will need to force the sourcetype as specified in the documentation in order for the Cisco Security Suite dashboards to work.

0 Karma

vqd361
Path Finder

@jconger, what's the purpose of setting source = cisco:asa in the stanza?

0 Karma

tollops
Explorer

That helped and gave me some pointers, but my regex needs some work. All I'm trying to pull out is dov-asa5540-ra-6d-01 from the below line.

2014-06-19T15:27:31.080466+10:00 dov-asa5540-ra-6d-01.company.com.au %ASA-4-419002: Duplicate TCP SYN from inside:10.244.33.128/59137 to inside:10.10.164.218/139 with different initial sequence number

I'm trying to work out the regex to pull the first word after the space, delimited by the "."

0 Karma