Splunk Add-on for Cisco ASA 3.2.4: How to configure transforms.conf to properly extract the host field?

adamblock2
Path Finder

I am currently running Splunk 6.2.3 with the Splunk Add-on for Cisco ASA version 3.2.4.

When I look at Cisco ASA firewall events (sourcetype=cisco:asa) I have noticed that the dvc field is properly populated with the firewall context. However, this is not the case with the host field. The following are examples:

source = /syslog_hot/splunk/asa/ent_firewall.log
dvc = admin
host = admin

source = /syslog_hot/splunk/asa/ent_firewall.log
dvc = campus
host = campus

source = /syslog_hot/splunk/asa/asavpn.log
dvc = 5585vpn
host = cc-syslog01.mycompany.edu

I attempted looking for entries in the Splunk Add-on for Cisco ASA transforms.conf which extract the host field, but did not find one. It thus appears that the host field is using the default transforms.conf located in /opt/splunk/etc/system/default.

If I am understanding this correctly, the REGEX in the default transforms.conf is not matching, and as a result the host field is being populated with the hostname of the syslog server.

What would be the best solution for this? Should I create entries in the local/transforms.conf and local/props.conf of the add-on to properly extract/assign the host field?

Thank you.

1 Solution

adamblock2
Path Finder

I made the following changes to the Splunk_TA_cisco-asa app on our Indexers, and it appears to have solved/fixed the issue:

local/transforms.conf

[force_host_for_cisco_asa]
# Skip the first three whitespace-separated tokens (month, day, time; the day
# may be padded with two spaces) and take the fourth token as the host.
REGEX = ^(?:[^ \n]*\s{1,2}){3}([^ ]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

===============================

local/props.conf

[source::...asa/asavpn.log]
# Only the asavpn.log source needed the override; the default host extraction
# already produced the right value for the other ASA logs.
TRANSFORMS-force_host_for_cisco_asa = force_host_for_cisco_asa

0 Karma
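Added example, not code from the post or from the add-on: it runs the posted REGEX over constructed syslog lines with Python's re module (which treats this pattern the same way Splunk's PCRE engine does), shows why \s{1,2} is needed when the day is padded with two spaces, and flags the case where the fourth token is not a hostname before the stanza is pushed to the indexers.

```python
import re

# REGEX copied from the transforms.conf stanza in the answer above: skip three
# whitespace-delimited tokens (month, day, time) and capture the fourth one.
FORCE_HOST_REGEX = re.compile(r"^(?:[^ \n]*\s{1,2}){3}([^ ]+)")


def extract_host(event: str):
    """Return the value the stanza would write to MetaData:Host, or None if
    the REGEX does not match (in which case Splunk leaves host untouched)."""
    m = FORCE_HOST_REGEX.match(event)
    return m.group(1) if m else None


def looks_like_host(value: str) -> bool:
    """Sanity check before forcing MetaData:Host: a captured token that is a
    clock time or a bare number would silently become a bogus host value."""
    return bool(value) and not re.fullmatch(r"\d{1,2}:\d{2}:\d{2}|\d+", value)


def audit(events):
    """Return (captured_host, ok) per event so mis-assigned hosts show up
    in a dry run instead of in the index."""
    results = []
    for event in events:
        captured = extract_host(event)
        results.append((captured, captured is not None and looks_like_host(captured)))
    return results


# Constructed sample events (not taken from the original post).
SAMPLE_EVENTS = [
    # Single-digit day padded with two spaces: \s{1,2} swallows both spaces.
    # With a plain \s the third repetition would stop at the day and the
    # capture would be the time instead of the hostname.
    "Jun  5 12:34:56 5585vpn %ASA-6-302013: Built outbound TCP connection 4711 "
    "for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    "Jun 15 12:34:57 admin %ASA-4-106023: Deny tcp src outside:203.0.113.20/4444 "
    "dst inside:10.0.0.5/22 by access-group \"outside_in\"",
    # Caveat: if the syslog writer inserts a year, the fourth token is the
    # time, and the stanza would stamp every event with host=12:34:58.
    "Jun 15 2015 12:34:58 campus %ASA-6-305011: Built dynamic TCP translation "
    "from inside:10.0.0.5/51235 to outside:198.51.100.2/51235",
]

if __name__ == "__main__":
    for event, (captured, ok) in zip(SAMPLE_EVENTS, audit(SAMPLE_EVENTS)):
        print(f"{'OK ' if ok else 'BAD'} host={captured!r} <- {event[:40]}...")
```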

ejwade
Contributor

As long as I had my hostname in the ASA configured correctly, as well as this command:

asa(config)#logging device-id hostname

The Add-on was able to pull out the hostname accurately. I got it working by monitoring the log file on an rsyslog server, and only assigning "syslog" as the sourcetype.

0 Karma
