All Apps and Add-ons

How to extract DAP information on the Cisco ASA add-on v5.0.0

pvarelab
Explorer

We recently upgrade the Add-on for Cisco ASA from versión 3.4.0 to 5.0.0.

In versión 3.4.0 KV_MODE was set to Auto and this meant that a lot of informatión from messages from the DAP (734*) was extracted into a named field. I.e. for this log:

Jun 24 13:52:39 fwhost %ASA-7-734003: DAP: User username, Addr A.B.C.D: Session Attribute endpoint.anyconnect.publicmacaddress = "aa-bb-cc-dd-ee-ff"

a field named endpoint_anyconnect_publicmacaddress was created with value aa-bb-cc-dd-ee-ff.

In versión 5.0.0 KV_MODE is none, and they put an extraction in place that creates two different fields:

endpoint_attribute_name with value endpoint.anyconnect.publicmacaddress
endpoint_value with value aa-bb-cc-dd-ee-ff

When looking to just a log this is no problem, but we typically put toghether several logs via the transaction command grouping by user, src, dvc, so all messages from the same connection are grouped.

Now we get two multivalued fields with no aparent (ths might be my ignorance speaking) way to match the attribute name with the value.

I've tried putting mvlist=true on the transaction command and it seems to help, but all other fields get repeated N times (for all messages that get added in the transaction).

Is there a simpler way to be able to match attribute name with the corresponding value after executing transaction with mvlist=false?

Labels (2)
0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...