
How to extract DAP information on the Cisco ASA add-on v5.0.0

pvarelab

We recently upgraded the Add-on for Cisco ASA from version 3.4.0 to 5.0.0.

In version 3.4.0 KV_MODE was set to Auto and this meant that a lot of information from messages from the DAP (734*) was extracted into a named field. I.e. for this log:

Jun 24 13:52:39 fwhost %ASA-7-734003: DAP: User username, Addr A.B.C.D: Session Attribute endpoint.anyconnect.publicmacaddress = "aa-bb-cc-dd-ee-ff"

a field named endpoint_anyconnect_publicmacaddress was created with value aa-bb-cc-dd-ee-ff.

In version 5.0.0 KV_MODE is none, and they put an extraction in place that creates two different fields:

endpoint_attribute_name with value endpoint.anyconnect.publicmacaddress
endpoint_value with value aa-bb-cc-dd-ee-ff

When looking at just a log this is no problem, but we typically put together several logs via the transaction command grouping by user, src, dvc, so all messages from the same connection are grouped.

Now we get two multivalued fields with no apparent (this might be my ignorance speaking) way to match the attribute name with the value.

I've tried putting mvlist=true on the transaction command and it seems to help, but all other fields get repeated N times (for all messages that get added in the transaction).

Is there a simpler way to be able to match attribute name with the corresponding value after executing transaction with mvlist=false?
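One way to keep each DAP attribute paired with its value across the transaction, added here as an example and not taken from the original post or from the add-on itself: join the two extracted fields into a single string before running transaction, so that the name/value pairing lives inside one value that transaction cannot split apart. The index name is a placeholder, the `sourcetype=cisco:asa` filter is assumed, and `user`, `src`, `dvc`, `endpoint_attribute_name` and `endpoint_value` are the field names mentioned above.

```spl
index=<your_index> sourcetype=cisco:asa
| eval dap_attr=if(isnotnull(endpoint_attribute_name),
        endpoint_attribute_name . "=" . endpoint_value, null())
| transaction user, src, dvc
| table user, src, dvc, dap_attr
```

Non-DAP events in the same connection get no `dap_attr`, so they still join the transaction but add nothing to the list. With the default mvlist=false, transaction keeps a deduplicated, alphabetically sorted set of values per field, which is exactly why `endpoint_attribute_name` and `endpoint_value` lose their positional relationship; a `mvzip()` after transaction would therefore pair the wrong entries, whereas `dap_attr` already carries both halves in each value. If the other transaction features (duration, maxspan, event count) are not needed, `stats values(dap_attr) as dap_attr by user, src, dvc` gives the same grouped list at lower cost.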
