
Why is the Cisco Security Suite firewall dashboard map not populating with geo location IPs?

pmovrich
Explorer

hello,

Hopefully someone can help me out here. I have a fresh install of Splunk 6.2.2 running on a fresh install of Win7 x64. I've installed the Cisco Security Suite (v3.1) with just the Firewall add-on enabled. Both the Cisco ASA TA (v3.2.1) and MaxMind (v1.0.6) have been installed and configured as far as I can tell. I installed the add-ons via the Splunk apps web GUI. The data input for the ASA has been configured in Splunk as a UDP syslog source.

On the firewall dashboard I can see all the tables being populated, but not the world map with the geolocated IPs.

Any help on getting the map populated with data would be appreciated.

Thanks

0 Karma
1 Solution

pmovrich
Explorer

Hello thank you for your replies.

From them I was able to get the search query from the map panel as mentioned above and get further along with troubleshooting this.

Clicking on the job inspector button, I was able to get the search query as mentioned in your replies.

search eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" | eval isLocalIP=case(cidrmatch("10.0.0.0/8", src_ip),1,cidrmatch("172.12.0.0/12", src_ip),1,cidrmatch("192.168.0.0/16", src_ip),1,cidrmatch("169.254.0.0/16", src_ip),1,cidrmatch("fe80::/64", src_ip),1,cidrmatch("fec0::/10", src_ip),1,cidrmatch("fc00::/7", src_ip),1,src_ip=="0.0.0.0",1,isnotnull(src_ip),0) | where isLocalIP!=1 AND isnotnull(threat_reason) AND threat_reason!="-"  | stats  count by src_ip  | iplocation  src_ip  | geostats  latfield=lat longfield=lon count by Country

The job inspector screen indicates that it fails from this part onward:

stats  count by src_ip  | iplocation  src_ip  | geostats  latfield=lat longfield=lon count by Country

I was able to figure out that the Splunk/Cisco app isn't parsing my firewall syslog events as eventtype=cisco-security-events but as eventtype=cisco_connection.

I tried swapping cisco-security-events for cisco_connection in the original search query, but it failed as well.

I was able to run this query and get the lat/long of the source IP addresses, but couldn't figure out how to get the results onto a map.

sourcetype="cisco:asa" src_ip="*" | stats count by src_ip | iplocation src_ip | geostats latfield=lat longfield=lon

I'm thinking this is because I'm not using an ASA/PIX firewall but a Cisco router to forward these syslogs, and the format may be a bit different between the two. I was hoping that this wasn't going to cause an issue because I thought these syslogs were identical.

Any ideas whether this issue can be easily fixed, or the best route to fixing it?

Thanks


0 Karma

esix_splunk
Splunk Employee

IOS FW is completely different in the formatting of the messages, so this app won't work out of the box for this. Your sourcetype shouldn't be marked as cisco:asa. It should be cisco:ios.

Do a search in app.splunk.com for Cisco IOS and you can find the TA for parsing IOS messages. You can modify it a bit and get the dashboards to work.

For your search, add count by Country: ... | geostats latfield=lat longfield=lon count by Country

That should get you mapping.

pmovrich
Explorer

esix_splunk, thanks for your help on this. I was able to get the map working for my search. I'll take a look at getting the TA for IOS set up.

Thanks again!

0 Karma

jconger
Splunk Employee

This is the base search for that panel:

eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" | eval isLocalIP=`local-ip-list(src_ip)` | where isLocalIP!=1 AND isnotnull(threat_reason) AND threat_reason!="-" | stats count by src_ip | iplocation src_ip | geostats latfield=lat longfield=lon count by Country

Do you get results from that? If not, try taking a piece out at a time to see where the breakdown happens. For example, try this search:

eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" 

If that returns results, add the eval statement next like this:

eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" | eval isLocalIP=`local-ip-list(src_ip)`

Keep adding parts of the base search back to determine what is going on.

0 Karma
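What the map panel's base search does before `iplocation` ever runs, as an added example in Python that is not part of this thread, the Cisco Security Suite or the Cisco TAs: it pulls src_ip out of constructed ASA (%ASA-6-302013, %ASA-4-106023) and IOS (%SEC-6-IPACCESSLOGP) syslog lines using the standard message layouts (the addresses and ports are made up), then applies the `local-ip-list` filter with the exact ranges the job inspector expanded it to above, side by side with the RFC 1918 / link-local ranges one would expect. The `cidrmatch` emulation assumes host bits in the CIDR are masked off (`strict=False`), which is an assumption about Splunk's behaviour, not something the page states. Two things fall out of running it: an IOS line needs its own parser or src_ip is simply absent and the event never reaches the map, and the `172.12.0.0/12` in the expanded macro covers 172.0.0.0 to 172.15.255.255, so a public 172.5.x.x source is dropped as "local" while an internal 172.16.x.x host is handed to `iplocation` as if it were external.

```python
"""Emulate the Cisco app's map-panel pre-filter (added example, not app code)."""
import ipaddress
import re

# Ranges exactly as the job inspector showed `local-ip-list` expanding them.
AS_SEEN_IN_APP = ["10.0.0.0/8", "172.12.0.0/12", "192.168.0.0/16",
                  "169.254.0.0/16", "fe80::/64", "fec0::/10", "fc00::/7"]
# Ranges a practitioner would actually want (RFC 1918, link-local, RFC 4193).
CORRECTED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "169.254.0.0/16", "fe80::/10", "fec0::/10", "fc00::/7"]

# ASA 302013/302015: "Built <dir> <proto> connection <id> for <if>:<src>/<port> ..."
ASA_BUILT = re.compile(
    r"%ASA-\d-30201[35]: Built \w+ \w+ connection \d+ for [^\s:]+:(?P<src>[^\s/]+)/\d+")
# ASA 106023: "Deny <proto> src <if>:<src>/<port> dst <if>:<dst>/<port> ..."
ASA_DENY = re.compile(r"%ASA-\d-106023: Deny \w+ src [^\s:]+:(?P<src>[^\s/]+)/\d+")
# IOS ACL logging: "list <acl> denied|permitted <proto> <src>(<port>) -> <dst>(<port>)"
IOS_ACL = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \S+ (?:denied|permitted) \w+ (?P<src>[^\s(]+)\(\d+\)")

# Constructed sample events; the IPs, ports and connection ids are invented.
SAMPLE = [
    "%ASA-6-302013: Built inbound TCP connection 11111 for outside:203.0.113.5/54321 "
    "(203.0.113.5/54321) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.7/40000 dst inside:10.0.0.5/22 "
    "by access-group \"outside_in\" [0x0, 0x0]",
    "%ASA-6-302013: Built outbound TCP connection 11112 for inside:172.16.8.9/4433 "
    "(172.16.8.9/4433) to outside:203.0.113.9/443 (203.0.113.9/443)",
    "%ASA-4-106023: Deny tcp src outside:172.5.5.5/51000 dst inside:10.0.0.5/3389 "
    "by access-group \"outside_in\" [0x0, 0x0]",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(54321) -> 10.0.0.5(22), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 101 permitted udp 10.0.0.9(53000) -> 10.0.0.1(53), 1 packet",
    # A message none of the parsers know: yields no src_ip, so it never reaches the map.
    "%ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.5/51234 "
    "to outside:203.0.113.1/51234",
]


def extract_src_ip(line):
    """Return the source address of an ASA or IOS line, or None if unparsed."""
    for pattern in (ASA_BUILT, ASA_DENY, IOS_ACL):
        match = pattern.search(line)
        if match:
            return match.group("src")
    return None


def is_local_ip(ip, ranges):
    """Mirror the eval: 1 if ip is 0.0.0.0 or inside any range, else 0.

    strict=False is an assumption that cidrmatch masks host bits, which is
    what makes "172.12.0.0/12" behave as 172.0.0.0/12.
    """
    addr = ipaddress.ip_address(ip)
    if addr == ipaddress.ip_address("0.0.0.0"):
        return 1
    return int(any(addr in ipaddress.ip_network(r, strict=False) for r in ranges))


def external_src_counts(lines, ranges):
    """Equivalent of `where isLocalIP!=1 | stats count by src_ip`."""
    counts = {}
    for line in lines:
        src = extract_src_ip(line)
        if src is None or is_local_ip(src, ranges):
            continue
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    print("as expanded by the app:", external_src_counts(SAMPLE, AS_SEEN_IN_APP))
    print("corrected ranges:     ", external_src_counts(SAMPLE, CORRECTED))
```

The dictionaries the two runs return are what `iplocation` would then be asked to geolocate; comparing them is the quickest way to see which sources a given range list lets through before blaming the lookup or the map rendering.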

esix_splunk
Splunk Employee

The geo lookup location for this app isn't using the MaxMind add-on; that was deprecated since Splunk 6.0, I believe. The latest app will not be using MaxMind, but instead it will be using iplookup and geostats.

Refer to documentation : http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Geostats

There are examples there.

In the Cisco app, it's using this to map external IP addresses based on internal lookups. If you open the map in search, you should be able to see the search query used. I'm guessing that perhaps either your IPs are all private, or it's unable to connect and get the IP geo data for this.

0 Karma

mikaelbje
Motivator

FYI, it doesn't need to connect to get that data, as the IP-to-location mappings are stored locally in the Splunk directory. Can't remember if it's in lib/ or share/ 🙂
