
Splunk Add-on for Cisco ASA: Why is the Syslog server used as the host name, not the ASA Device Name? How do I fix this?

Communicator

I currently have Splunk 6.2.3 running, and successfully receiving data for ASAs and ISE via the Cisco Security Suite (latest) with add-ons for each as required (also latest).

The issue I have is that while my ASA host-names appear inside of the logs themselves, reporting shows them all under one host in CSS, that host-name being my syslog server.

Here is an example of a raw log from syslog:

Jul  6 15:21:35 myasa1 %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.112/0 gaddr 10.10.10.11/3244 laddr 10.10.10.11/3244

My syslog server is running a Universal Forwarder. Its inputs.conf looks like this:

[monitor:///syslog-data/asa-fw.log]
source=syslog
sourcetype=cisco:asa
host =

I am unable to place each ASA's logs into a separate file, so I am hoping for some other solution.
My ESA data, which did not contain my Ironport host-names, was separated into separate files, based on host-name, but I cannot do that here.

BTW, my individual ASA hosts are showing up as "dvc", but this field is not in use for my reporting, and I really do not want to rewrite all of the great reports that CSS provides.

Thanks in advance,

-mi


Re: Splunk Add-on for Cisco ASA: Why is the Syslog server used as the host name, not the ASA Device Name? How do I fix this?

Champion

Maybe the answer here can help you out. Although it is a different problem, the solution could work for you as well: you just set the host field explicitly to what is transmitted as host in the syslog data.


Re: Splunk Add-on for Cisco ASA: Why is the Syslog server used as the host name, not the ASA Device Name? How do I fix this?

Communicator

Thank you, but I wasn't able to find a solution in the link provided; interesting information though.

I would like to point out that my ASA's are not entirely configured per the app's guide, the guide states to configure syslog in the following manner:

hostname(config)# logging host interfacename ipaddress [tcp[/port] | udp[/port]] [format emblem]

I have everything setup as shown, except for "format emblem". Before I go ahead and change anything, I believe "format emblem" will increase logging, does anyone know if this would address my issue?

Thank you,

-mi


Re: Splunk Add-on for Cisco ASA: Why is the Syslog server used as the host name, not the ASA Device Name? How do I fix this?

Champion

Unfortunately, I'm not really knowledgeable about ASA configuration, but a quick look at the docs says this only changes the format of the log, not the verbosity. Was the guide specifically written for logging ASA into Splunk, or is that a general guide? Either way, you could try it and see how the logs look in the new format. If the EMBLEM format places the host value in the syslog data, the above-mentioned method could allow you to extract it.

Is there something else in the raw data coming from the ASA that you could use to identify the actual host?


Re: Splunk Add-on for Cisco ASA: Why is the Syslog server used as the host name, not the ASA Device Name? How do I fix this?

Communicator

Yes, I've re-written the searches to use "dvc" versus "host", and all of the canned reports are now behaving as expected, showing individual ASAs.

I am going to reconfigure my ASAs this weekend to use format emblem, and I will see if that resolves this matter; if not, I will leave this as is.

On another note, is there a way to associate "dvc" to "host" somewhere in my local directory, versus having to rewrite searches? The reason I am asking is to avoid something breaking in future app upgrades.

I will report my findings back to this thread.

Regards,

-mi


Re: Splunk Add-on for Cisco ASA: Why is the Syslog server used as the host name, not the ASA Device Name? How do I fix this?

Champion

If you wanted me to answer your question: yes, there is a way to set the host field - it's the method mentioned in the link above. If your data contains some information on "dvc", why don't you just use the method mentioned there to set the host field to the value of dvc?


Re: Splunk Add-on for Cisco ASA: Why is the Syslog server used as the host name, not the ASA Device Name? How do I fix this?

Communicator

That's what I did, I just don't want an upgrade to force me to have to rewrite all of the searches.

In any case, I'll post to this thread the results of setting format emblem; hopefully that would resolve everything.


Re: Splunk Add-on for Cisco ASA: Why is the Syslog server used as the host name, not the ASA Device Name? How do I fix this?

Communicator

I've reconfigured ASA firewalls to log in the "emblem" format, and the results are the same.

I am going to keep my changes in a local folder, hoping to alleviate future upgrade issues, and revert to default format.

Thanks,

-mi


Re: Splunk Add-on for Cisco ASA: Why is the Syslog server used as the host name, not the ASA Device Name? How do I fix this?

Communicator

I've modified one of my ASAs, changing the logging type from default to format emblem; I still can't find what the difference is.

In any case, my logs all look the same, even though one of my ASAs was changed:

Jul 16 07:26:26 192.168.90.1 %ASA-6-305013: Built outbound TCP connection 1822868392 for outside:62.17.99.58/843 (54.172.27.58/843) to inside:192.168.33.106/52621 (192.168.234.100/55618)

Should I look at using 'regex_host' in inputs.conf? Should I modify local/props.conf on my indexer?

Also, while I'd prefer my logs to show a hostname vs. an IP, I'll take the IP right now since all I am currently able to get is the hostname of the syslog collector...

Thanks all,

-mi

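The mechanism the earlier reply alludes to, and the answer to the "inputs.conf or props.conf on the indexer?" question above, is an index-time host override: a transform with DEST_KEY = MetaData:Host that captures the host token the ASA writes between the syslog timestamp and the %ASA- tag. Two caveats a practitioner should know before trying it: a universal forwarder's monitor input stamps every event with the forwarder's own hostname unless told otherwise (which is why all ASAs collapse onto the syslog collector), and host_regex / host_segment in inputs.conf only extract a host from the monitored file's path, so they cannot separate several ASAs that share one file. Index-time transforms run on the parsing tier (indexer or heavy forwarder), not on the UF, and only affect data indexed after the change. The following is an added example written for this page, not code from the thread or from the Splunk Add-on for Cisco ASA; it applies the regex to constructed sample lines modelled on the two events quoted above, and the transform name asa_syslog_host, the collector name syslog-collector, and the extra sample events are assumptions.

```python
import re
from typing import List, Optional

# Regex as it would appear in transforms.conf (Splunk uses PCRE; this
# expression behaves identically under Python's re). Group 1 is the token
# the ASA itself wrote: its hostname in the default format, its IP in the
# EMBLEM sample from the thread.
ASA_HOST_REGEX = (
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+"   # syslog timestamp, e.g. "Jul  6 15:21:35"
    r"(\S+)\s+"                                         # host token written by the ASA
    r"%ASA-\d-\d{6}:"                                   # ASA message tag, e.g. "%ASA-6-302020:"
)
_ASA_HOST = re.compile(ASA_HOST_REGEX)

# Constructed sample events (assumed, not real captures): the two lines quoted
# in the thread, a third ASA on the same collector, and a non-ASA line from the
# collector itself to show that unmatched events keep the input's host.
SAMPLE_EVENTS = [
    "Jul  6 15:21:35 myasa1 %ASA-6-302020: Built outbound ICMP connection for faddr "
    "192.168.1.112/0 gaddr 10.10.10.11/3244 laddr 10.10.10.11/3244",
    "Jul 16 07:26:26 192.168.90.1 %ASA-6-305013: Built outbound TCP connection 1822868392 "
    "for outside:62.17.99.58/843 (54.172.27.58/843) to inside:192.168.33.106/52621 (192.168.234.100/55618)",
    "Jul  6 15:21:36 myasa2 %ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 "
    "dst inside:10.10.10.20/22 by access-group \"outside_in\"",
    "Jul  6 15:21:37 syslog-collector rsyslogd: [origin software=\"rsyslogd\"] start",
]


def extract_asa_host(event: str) -> Optional[str]:
    """Return the host token the ASA wrote into the event, or None when the
    event is not an ASA syslog line (the transform then leaves host untouched)."""
    m = _ASA_HOST.match(event)
    return m.group(1) if m else None


def assign_host(event: str, input_host: str) -> str:
    """Mirror the index-time transform: MetaData:Host becomes the capture when
    REGEX matches, otherwise it stays as the monitor input set it (here the
    syslog collector's own name, i.e. the behaviour the thread complains about)."""
    return extract_asa_host(event) or input_host


def hosts_per_event(events: List[str], input_host: str = "syslog-collector") -> List[str]:
    """Host value each event would carry after the transform, in input order."""
    return [assign_host(e, input_host) for e in events]


def render_conf(transform_name: str = "asa_syslog_host") -> dict:
    """Build the props.conf / transforms.conf stanzas that apply ASA_HOST_REGEX in
    Splunk. Place them in a local/ directory on the indexer (or heavy forwarder),
    which is the component that parses data; the universal forwarder does not run
    index-time transforms. The stanza and transform names are assumptions."""
    props = "[cisco:asa]\n" f"TRANSFORMS-set_host = {transform_name}\n"
    transforms = (
        f"[{transform_name}]\n"
        f"REGEX = {ASA_HOST_REGEX}\n"
        "FORMAT = host::$1\n"
        "DEST_KEY = MetaData:Host\n"
    )
    return {"props.conf": props, "transforms.conf": transforms}


if __name__ == "__main__":
    for host, event in zip(hosts_per_event(SAMPLE_EVENTS), SAMPLE_EVENTS):
        print(f"{host:18} {event[:60]}")
    for name, body in render_conf().items():
        print(f"\n# {name}\n{body}")
```

Because the override runs at index time, the canned reports keep using host and need no rewriting, and nothing under the add-on's own directory is modified, so the change survives app upgrades as long as it lives in local/. Before rolling it out, run the regex against a sample of the real file the way the script does: a line whose timestamp carries a year, a <pri> prefix, or a different spacing will not match and would silently keep the collector's name.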

Re: Splunk Add-on for Cisco ASA: Why is the Syslog server used as the host name, not the ASA Device Name? How do I fix this?

Champion

What are your settings in props and transforms at the moment?
