
Splunk Add-on for Cisco ASA: Where and how should I specify the input to search on my index?

snemiro_514
Path Finder

Hi all,

I have several network devices sending syslog events to Splunk to an index called "network". Some of the devices are ASA firewalls.

I have installed the Cisco Security Suite and the add-on for ASA (Splunk_TA_cisco-asa).

I cannot find where (and how) I should tell the add-on to search on my "network" index.

I've created a file called inputs.conf under /opt/splunk/etc/apps/Splunk_TA_cisco-asa/local with the text index = network and restarted Splunk, but nothing is shown in the application.

If I search index = network, I can see all my events, including the ASA ones.

Any tip/clue?

Thanks!!!


aakwah
Builder

Hello,

I've installed the app and found from the dashboard that some reports are using the eventtype "cisco-security-events", as per the following search query (I got it by clicking the inspect icon under any report on the dashboard):

search eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" | top src_ip

So you should assign the eventtype to all the logs inside the network index; the application has already created many event types, as per the following URL from the web interface:

http://x.x.x.x:8000/en-US/manager/Splunk_CiscoSecuritySuite/saved/eventtypes

I located the files under /opt/splunk/etc/ that contain the eventtypes and found 2 files, as per the following:

[root@node1]# cat /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/eventtypes.conf
[cisco-security-events]
search = sourcetype="cisco:*"

[root@node1]# cat /opt/splunk/etc/apps/Splunk_TA_cisco-asa/default/eventtypes.conf
[cisco_authentication]
search = sourcetype="cisco:*" action="success" OR action="failure"
#tags = authentication

[cisco_connection]
search = sourcetype="cisco:*" (action="allowed" OR action="blocked" OR action="unknown" OR action="teardown")
#tags = network communicate

[cisco_intrusion]
search = (sourcetype="cisco:asa" OR sourcetype="cisco:pix") message_id="4000*"
#tags = attack ids

[cisco_malware]
search = sourcetype="cisco:asa" vendor_category="malware"
#tags = malware operations

[cisco_vpn]
search = sourcetype="cisco:*" (vendor_class="vpn" OR vendor_definition="*vpn*")
#tags = network vpn

[cisco_vpn_start]
search = sourcetype="cisco:*" (message_id=716001 OR message_id=722022 OR message_id=713119 OR message_is=713049)
#tags = start session

[cisco_vpn_end]
search = sourcetype="cisco:*" (message_id=716002 OR message_id=722023 OR message_id=113019)
#tags = end session

[cisco_asa_configuration_change]
search = sourcetype="cisco:asa*" (message_id=111010 OR change_class=*)
#tags = change

So you should edit the above 2 files with the sourcetype of your logs under the network index. I'll assume that your sourcetype is "syslog", so you should edit the files as per the following:

search = sourcetype="cisco:*" should be changed to search = sourcetype="syslog"

Then restart the search head.

Regards,
Ahmed


snemiro_514
Path Finder

If I take a look at the events, the sourcetype says "cisco:asa".

I think the issue is with the index, not the sourcetype.

Where should I specify the index for the search? At the eventtype file? (I'm feeding an index called "network")


aakwah
Builder

Strange... I can't find any reference to an index in the app. Anyway, we can use this workaround: under each eventtype, replace search = sourcetype="cisco:asa*" with search = index=network, then restart Splunk.

I think this should work.

Regards,
Ahmed


snemiro_514
Path Finder

I did something like that, just inserted "index=network" after search, so my eventtype is now:

search = index=network sourcetype="cisco:asa*"

And it's working now.

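The fix that worked in this thread (prefixing each eventtype search with index=network) was applied by hand inside the add-on's default/ files, which an upgrade will overwrite; Splunk reads local/ on top of default/, so the same change is safer as a local/eventtypes.conf overlay. The script below is an added example, not code from the thread or from the Splunk add-on; it assumes the add-on path and the "network" index name given in the thread, and carries a constructed copy of two stanzas so it runs without a Splunk install.

```python
# Added example (not from the thread or the add-on): emit a local/eventtypes.conf
# overlay that scopes every eventtype search to one index, as done by hand above.
import re
from pathlib import Path

# Constructed sample of the add-on's default/eventtypes.conf (stanzas copied
# from the thread) so the script runs offline without a Splunk install.
SAMPLE_DEFAULT = """[cisco_authentication]
search = sourcetype="cisco:*" action="success" OR action="failure"
#tags = authentication

[cisco_connection]
search = sourcetype="cisco:*" (action="allowed" OR action="blocked")
#tags = network communicate
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SEARCH_RE = re.compile(r"^search\s*=\s*(?P<spl>.*)$")

def parse_eventtypes(text):
    """Return {stanza_name: search_string} for every stanza with a search key."""
    stanzas, current = {}, None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = SEARCH_RE.match(line)
        if m and current is not None:
            stanzas[current] = m.group("spl").strip()
    return stanzas

def scope_to_index(search, index):
    """Prefix the search with index=<name> unless it already names an index."""
    if re.search(r"\bindex\s*=", search):
        return search  # already scoped; leave the admin's choice alone
    return f"index={index} {search}"

def build_local_overlay(default_text, index):
    # Only the search key is overridden; tags and other keys stay in default/.
    return "\n".join(
        f"[{name}]\nsearch = {scope_to_index(spl, index)}\n"
        for name, spl in parse_eventtypes(default_text).items()
    )

if __name__ == "__main__":
    # Assumed path from the thread: read default/, print the overlay for local/.
    src = Path("/opt/splunk/etc/apps/Splunk_TA_cisco-asa/default/eventtypes.conf")
    text = src.read_text() if src.exists() else SAMPLE_DEFAULT
    print(build_local_overlay(text, "network"))
```

Redirect the output to /opt/splunk/etc/apps/Splunk_TA_cisco-asa/local/eventtypes.conf (and run it again against the Splunk_CiscoSecuritySuite file for its cisco-security-events stanza), then restart Splunk as the thread describes.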

aakwah
Builder

Great news!

Could you please accept the answer?

Regards,
Ahmed
