I am currently running Splunk 6.2.3 with the Splunk Add-on for Cisco ASA version 3.2.4.
When I look at Cisco ASA firewall events (sourcetype=cisco:asa) I have noticed that the dvc field is properly populated with the firewall context. However, this is not the case with the host field. The following are examples:
source = /syslog_hot/splunk/asa/ent_firewall.log
dvc = admin
host = admin
source = /syslog_hot/splunk/asa/ent_firewall.log
dvc = campus
host = campus
source = /syslog_hot/splunk/asa/asavpn.log
dvc = 5585vpn
host = cc-syslog01.mycompany.edu
I attempted looking for entries in the Splunk Add-on for Cisco ASA transforms.conf which extract the host field, but did not find one. It thus appears that the host field is using the default transforms.conf located in /opt/splunk/etc/system/default.
If I am understanding this correctly, the REGEX in the default transforms.conf is not matching, and as a result the host field is being populated with the hostname of the syslog server.
What would be the best solution for this? Should I create entries in the local/transforms.conf and local/props.conf of the add-on to properly extract/assign the host field?
Thank you.
I made the following changes to the Splunk_TA_cisco-asa app on our Indexers, and it appears to have solved/fixed the issue:
local/transforms.conf
[force_host_for_cisco_asa]
REGEX = ^(?:[^ \n]*\s{1,2}){3}([^ ]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
===============================
local/props.conf
[source::...asa/asavpn.log]
TRANSFORMS-force_host_for_cisco_asa = force_host_for_cisco_asa
As long as I had my hostname in the ASA configured correctly, as well as this command:
asa(config)#logging device-id hostname
The Add-on was able to pull out the hostname accurately. I got it working by monitoring the log file on an rsyslog server, and only assigning "syslog" as the sourcetype.
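To see what the force_host_for_cisco_asa transform from the answer above actually captures, and why the second answer's "logging device-id hostname" matters, here is an added Python check that is not from the thread or the add-on. It runs the answer's REGEX unchanged over constructed rsyslog-style lines; the hostnames, addresses and the fallback host are made up, and the rule that a non-matching transform leaves the input's host untouched is an assumption about Splunk's behaviour.

```python
import re

# The REGEX from local/transforms.conf in the answer, used verbatim.
# It skips three whitespace-delimited tokens (month, day, time as rsyslog
# writes them; \s{1,2} absorbs the double space before a single-digit day)
# and captures the fourth token, which is the device-id when the ASA is
# configured with "logging device-id hostname".
HOST_REGEX = re.compile(r"^(?:[^ \n]*\s{1,2}){3}([^ ]+)")


def extract_host(line):
    """Return the value the transform would write to MetaData:Host, or None."""
    m = HOST_REGEX.match(line)
    return m.group(1) if m else None


def assign_host(line, input_host):
    """Assumption: when the transform does not match, Splunk keeps the host
    already set by the input (here the rsyslog server), as in the question."""
    return extract_host(line) or input_host


# Constructed sample lines as rsyslog might write them to asavpn.log.
# Hostnames and addresses are made up and not taken from the thread.
SAMPLES = [
    "Jun 10 12:34:56 5585vpn %ASA-6-302013: Built outbound TCP connection 1234",
    "Jun  3 08:00:01 campus %ASA-4-106023: Deny tcp src outside:198.51.100.7/4321",
    # without device-id the fourth token is whatever rsyslog recorded as sender
    "Jun 10 12:35:00 192.0.2.10 %ASA-6-302014: Teardown TCP connection 1234",
    # three spaces before the day shift the token count: the time gets captured
    "Jun   3 08:00:01 campus %ASA-4-106023: Deny tcp",
    "",  # empty line: no match, so the input's host is kept
]


def run_samples(input_host="cc-syslog01.mycompany.edu"):
    """Host value each sample line would end up with after the transform."""
    return [assign_host(line, input_host) for line in SAMPLES]


if __name__ == "__main__":
    for line, host in zip(SAMPLES, run_samples()):
        print(f"host={host!r:<30} {line[:50]}")
```

The third and fourth samples show that the transform is purely positional: it trusts the fourth token, so the ASA's device-id setting and consistent rsyslog spacing decide whether host is correct.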