Solved: Re: Splunk Add-on for Cisco ASA: How to edit my co...

TheFrunkster · ‎12-12-2016

This seems to be a common and easy problem to resolve, but I can't seem to get to the right answer.

Recently I installed the "Splunk Add-on for Cisco ASA" in my environment's indexers and search heads. Data from several syslog sources is received by my universal forwarder and sent over to my indexers.

The ASA data is coming in as sourcetype syslog. The add-on's default props.conf and transforms.conf take care of renaming the sourcetype to cisco:asa.

This is the relevant section of the add-on's default props.conf file:

[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_
for_cisco_fwsm

[cisco:asa]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = false
KV_MODE = auto

Relevant section of the default transforms.conf file:

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d-\d{6}
FORMAT = sourcetype::cisco:asa

The configuration shown above works fine. However, when I apply filtering of events I do not want in the local files, they do not work.

Local props.conf file:

[cisco:asa]
TRANSFORMS-ASA_filters= removeDNS

Local transforms.conf file:

[removeDNS]
REGEX = [/(]53[)\s]
DEST_KEY = queue
FORMAT = nullQueue

I have used configurations similar to these before. I just can't explain why the filtering does not happen. I can only think the sourcetype is still syslog when the filter needs to be applied.

Any help on this issue will be extremely appreciated.

Regards,
Frunkster

beatus · ‎12-13-2016

TheFrunkster,

I suspect you have to do your filtering at the syslog sourcetype, before the sourcetype rename. I'd recommend making the regex for [removeDNS] a bit more specific to the ASA logs then migrate the TRANSFORMS to [syslog].

View solution in original post

beatus · ‎12-13-2016

TheFrunkster,

I suspect you have to do your filtering at the syslog sourcetype, before the sourcetype rename. I'd recommend making the regex for [removeDNS] a bit more specific to the ASA logs then migrate the TRANSFORMS to [syslog].

bwooden · ‎12-13-2016

Beatus is right. Your sourcetype is transforming after the nullQueue routing. You should be able to resolve by making the nullQueue routing regex more specific and moving it to the source stanza in props. Something like this...

transforms.conf

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d-\d{6}
FORMAT = sourcetype::cisco:asa

[removeDNS]
REGEX = %ASA-\d-\d{6}.*[/(]53[)\s]
DEST_KEY = queue
FORMAT = nullQueue

props.conf

[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
TRANSFORMS-asa_toss_dns = removeDNS

[cisco:asa]
KV_MODE = auto

TheFrunkster · ‎01-13-2017

I know it has been a while since this answer was posted. The issue was as I suspected and as you guys answered. But I wanted to let you guys know that it worked like charm. Thanks very much for your help regarding this issue.

aaraneta_splunk · ‎01-22-2017

@TheFrunkster - Glad to hear that the help provided by beatus and bwooden helped resolve this issue. Please don't forget to resolve this post by clicking "Accept" and upvoting anything that was helpful to you.

Splunk Add-on for Cisco ASA: How to edit my configurations to filter events I do not want in local files?

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability