Does anyone know which syslog event IDs are needed...

sorenmaigaard · ‎10-31-2014

Hi

We are grabbing data from our Cisco ASA devices successfully. However, no CIM compliant data about VPN logins is created.
My guess is that we are not getting the right syslog events from the ASA.

Does anyone know which syslog event IDs are needed for Splunk to correctly identify login events for VPN on an ASA?

Thanks!
Best
Soren

jcoates_splunk · ‎10-31-2014

hi,

VPN events:

jcoates-mba:Splunk_TA_cisco-asa jcoates$ pwd
/Users/jcoates/Downloads/Splunk_TA_cisco-asa
jcoates-mba:Splunk_TA_cisco-asa jcoates$ find . -name *.conf | xargs grep -in vpn
./default/props.conf:41:REPORT-vpn = cisco_fw_group, cisco_fw_user, cisco_fw_ip, cisco_fw_disconnect, cisco_fw_dap, cisco_fw_dap_2, cisco_fw_722
./default/props.conf:42:REPORT-vpn-2 = cisco_fw_authentication_action, cisco_fw_session_type, cisco_fw_assigned_ip, cisco_fw_user-identity
./default/props.conf:126:REPORT-vpn = cisco_fw_group, cisco_fw_user, cisco_fw_ip, cisco_fw_disconnect, cisco_fw_dap, cisco_fw_dap_2, cisco_fw_722
./default/props.conf:127:REPORT-vpn-2 = cisco_fw_authentication_action, cisco_fw_session_type, cisco_fw_assigned_ip, cisco_fw_user-identity
./default/transforms.conf:167:# VPN
jcoates-mba:Splunk_TA_cisco-asa jcoates$

CIM is looking for tag=network tag=session tag=vpn (http://docs.splunk.com/Documentation/CIM/4.0.0/User/NetworkSessions)

jcoates-mba:Splunk_TA_cisco-asa jcoates$ find . -name *.conf | xargs grep -in tag
./default/eventtypes.conf:3:#tags = authentication
./default/eventtypes.conf:7:#tags = network communicate
./default/eventtypes.conf:11:#tags = attack ids
jcoates-mba:Splunk_TA_cisco-asa jcoates$ cat default/tags.conf 
[eventtype=cisco_connection]
network = enabled
communicate = enabled

[eventtype=cisco_authentication]
authentication = enabled

[eventtype=cisco_intrusion]
attack = enabled
ids = enabled
jcoates-mba:Splunk_TA_cisco-asa jcoates$

This looks like it doesn't have VPN support. Can we get some details on the logs? Feel free to contact me offline, I'd like to get some specific samples.

Does anyone know which syslog event IDs are needed for Splunk to correctly identify login events for VPN on an ASA device?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor