
How to extract DAP information on the Cisco ASA add-on v5.0.0

pvarelab
Path Finder

We recently upgraded the Add-on for Cisco ASA from version 3.4.0 to 5.0.0.

In version 3.4.0 KV_MODE was set to auto, and this meant that a lot of information from the DAP messages (734*) was extracted into named fields. I.e. for this log:

Jun 24 13:52:39 fwhost %ASA-7-734003: DAP: User username, Addr A.B.C.D: Session Attribute endpoint.anyconnect.publicmacaddress = "aa-bb-cc-dd-ee-ff"

a field named endpoint_anyconnect_publicmacaddress was created with value aa-bb-cc-dd-ee-ff.

In version 5.0.0 KV_MODE is none, and they put an extraction in place that creates two different fields:

endpoint_attribute_name with value endpoint.anyconnect.publicmacaddress
endpoint_value with value aa-bb-cc-dd-ee-ff

When looking at just a log this is no problem, but we typically put together several logs via the transaction command, grouping by user, src, dvc, so all messages from the same connection are grouped.

Now we get two multivalued fields with no apparent (this might be my ignorance speaking) way to match the attribute name with the value.

I've tried putting mvlist=true on the transaction command and it seems to help, but all other fields get repeated N times (for all messages that get added in the transaction).

Is there a simpler way to be able to match attribute name with the corresponding value after executing transaction with mvlist=false?

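One way to keep each attribute name attached to its value across the transaction, as an added SPL example that is not from the original post or from the add-on. It assumes the 5.0.0 fields endpoint_attribute_name and endpoint_value and the grouping fields user, src, dvc named above; the leading search term on the 734003 message id stands in for your own base search.

```spl
"ASA-7-734003"
| eval dap_attribute = endpoint_attribute_name . "=" . endpoint_value
| transaction user src dvc
| table user src dvc dap_attribute
```

Because the pair is joined into one field before transaction runs, the default mvlist=false dedup keeps each "name=value" pair intact as one multivalue entry, so no other field is repeated N times; if you later need the name and value separated again, mvexpand dap_attribute and split it with rex or split() on the first "=".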