All Apps and Add-ons

Splunk Add-on for Cisco ASA: Why is the Syslog server used as the host name, not the ASA Device Name? How do I fix this?

Communicator

I currently have Splunk 6.2.3 running, and successfully receiving data for ASA's and ISE via the Cisco Security Suite (latest) with add-ons for each as required (also latest).

The issue I have is that while my ASA host-names appear inside of the logs themselves, reporting shows them all under one host in CSS, that host-name being my syslog server.

Here is an example of a raw log from syslog:

Jul  6 15:21:35 myasa1 %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.112/0 gaddr 10.10.10.11/3244 laddr 10.10.10.11/3244

My syslog server is running a Universal Forwarder. Its inputs.conf looks like this:

[monitor:///syslog-data/asa-fw.log]
source=syslog
sourcetype=cisco:asa
host =

I am unable to place each ASA's logs into a separate file, so I am hoping for some other solution.
My ESA data, which did not contain my Ironport host-names, was separated into separate files, based on host-name, but I cannot do that here.

BTW, my individual ASA hosts are showing up as "dvc", but this field is not in use for my reporting, and I really do not want to rewrite all of the great reports that CSS provides.

Thanks in advance,

-mi

0 Karma

Communicator

Try only assigning sourcetype = syslog:

[monitor:///syslog-data/asa-fw.log]
diabled = false
sourcetype = syslog

Also - make sure the hostname in the ASA is configured correct, as well as this command:

asa(config)#logging device-id hostname

The Add-on should pull out the hostname accurately. This worked for me. I didn't edit transforms or props. Let me know if it works!

0 Karma

Champion

Maybe the answer here can help you out. Although it is a different problem, the solution could work for you as well: you just set the host field explicitly to what is transmitted as host in the syslog data.

0 Karma

Communicator

I've modified one of my ASA's, changing logging type from default to format emblem; still can't find what the difference is.

In any case. my logs all look the same, even though one of mt ASA's were changed.

*Jul 16 07:26:26 **192.168.90.1** %ASA-6-305013: Built outbound TCP connection 1822868392 for outside:62.17.99.58/843 (54.172.27.58/843) to inside:192.168.33.106/52621 (192.168.234.100/55618)*

Should I look at using 'regex_host' in inputs.conf? Should I modify local/props.conf on my indexer?

Also, while I'd prefer my logs to show a hostname vs. an IP, I'll take the IP right now since all I am currently able to get is the hostname of the syslog collector...

Thanks all,

-mi

0 Karma

Champion

What are your settings in props and transforms at the moment?

0 Karma

Communicator

On UF, or Indexer?

0 Karma

Champion

Indexer. For non-structured inputs, props and transforms are never needed on a UF, because it doesn't have the pipelines that use those settings.

0 Karma

Communicator

My indexers contain whatever props.conf and transforms.conf that came shipped with Splunk_TA_cisco-asa; none of which contain the term host.

Should I have modified them in any way?

I can post, but they are both long.

0 Karma

Champion

I just had a look at the configuration in that app myself, so no need to post them any more. I still think you can just add a configuration to set the host value as suggested in my initial answer by adding something like this to your props.conf:

[syslog]
TRANSFORMS-force_hostname = force_hostname

and in transforms.conf:

[force_hostname]
DEST_KEY = MetaData:Host
REGEX = (?:\d{2}.){3}(\S+)
FORMAT = host::$1

This should put "myasa1" from your sample event into the host field.

0 Karma

Communicator

Thank you, but I wasn't able to find a solution in the link provided; interesting information though.

I would like to point out that my ASA's are not entirely configured per the app's guide, the guide states to configure syslog in the following manner:

hostname(config)# logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem]

I have everything setup as shown, except for "format emblem". Before I go ahead and change anything, I believe "format emblem" will increase logging, does anyone know if this would address my issue?

Thank you,

-mi

0 Karma

Champion

Unfortunately, I'm not really knowledgable about ASA configuration, but a quick look at the docs says this only changes the format of the log, not the verbosity. Was the guide specifically written for logging ASA into splunk, or is that a general guide? Either way, you could try it and see how the logs look in the new format. If the EMBLEM format places the host value in the syslog data, the above mentioned method could allow you to extract it.

Is there something else in the raw data coming from the ASA that you could use to identify the actual host?

0 Karma

Communicator

Yes, I've re-written the searching to use "dvc" versus "host", and all of the canned reports are now behaving as expected, and showing individual ASA's.

I am going to reconfigure my ASA's this weekend to use format emblem, and I will see if that resolves this matter; if now I will leave this as is.

On another note, is there a way to associate "dvc" to "host" somehere in my local directory, versus having to rewrite searches? The reason I am asking is to avoid something breaking in future app upgrades.

I will report my findings back to this thread.

Regards,

-mi

0 Karma

Champion

If you wanted me to answer your question, yes there is a way to set the host field - it's the method mentioned in the link above. If your data contains some information on "dvc", why don't you just use the method mentioned there to set the host field to the value of dvc?

0 Karma

Communicator

That's what I did, I just don't want an upgrade to force me to have to rewrite all of the searches.

In any case, I'll post to this thread the results of setting format emblem; hopefully that would resolve everything.

0 Karma

Communicator

I've reconfigured ASA firewalls to log in the "emblem" format, and the results are the same.

I am going to keep my changes in a local folder, hoping to alleviate future upgrade issues, and revert to default format.

Thanks,

-mi

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!