Hello,
Hopefully someone can help me out here. I have a fresh install of Splunk 6.2.2 running on a fresh install of Win7 x64. I've installed the Cisco Security Suite (v3.1) with just the Firewall add-on enabled. Both the Cisco ASA TA (v3.2.1) and MaxMind (v1.0.6) have been installed and configured as far as I can tell. I installed the add-ons via the Splunk apps web GUI. The data input for the ASA has been configured in Splunk as a UDP syslog source.
On the firewall dashboard I can see all the tables being populated, but not the world map with the geolocated IPs.
Any help on getting the map populated with data would be appreciated.
Thanks
Hello, thank you for your replies.
From them I was able to get the search query from the map part as mentioned above and get further along with troubleshooting this.
Clicking on the Job Inspector button, I was able to get the search query, as mentioned in your replies.
search eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" | eval isLocalIP=case(cidrmatch("10.0.0.0/8", src_ip),1,cidrmatch("172.12.0.0/12", src_ip),1,cidrmatch("192.168.0.0/16", src_ip),1,cidrmatch("169.254.0.0/16", src_ip),1,cidrmatch("fe80::/64", src_ip),1,cidrmatch("fec0::/10", src_ip),1,cidrmatch("fc00::/7", src_ip),1,src_ip=="0.0.0.0",1,isnotnull(src_ip),0) | where isLocalIP!=1 AND isnotnull(threat_reason) AND threat_reason!="-" | stats count by src_ip | iplocation src_ip | geostats latfield=lat longfield=lon count by Country
On the Job Inspector screen it indicates that it fails up to this part.
stats count by src_ip | iplocation src_ip | geostats latfield=lat longfield=lon count by Country
I was able to figure out that Splunk/the Cisco app isn't parsing my firewall syslog events as eventtype=cisco-security-events but as eventtype=cisco_connection.
I tried swapping cisco-security-events for cisco_connection in the original search query, but it failed as well.
I was able to run this query and get the longs and lats of the source IP addresses, but couldn't figure out how to get the results onto a map.
sourcetype="cisco:asa" src_ip="*" | iplocation src_ip | stats count by src_ip | iplocation src_ip | geostats latfield=lat longfield=lon
I'm thinking this is because I'm not using an ASA/PIX firewall but a Cisco router to forward these syslogs, and the format may be a bit different between the two. I was hoping this wasn't going to cause an issue because I thought these syslogs were identical.
Any ideas if this issue can be easily fixed, or the best route to fixing it?
Thanks
IOS FW is completely different in the formatting of the messages, so this app won't work out of the box for this. Your source type shouldn't be marked as cisco:asa. It should be cisco:ios.
Do a search on app.splunk.com for Cisco IOS and you can find the TA for parsing IOS messages. You can modify it a bit and get the dashboards to work.
For your search, add count by Country: | geostats latfield=lat longfield=lon count by Country
That should get you mapping.
esix_splunk, thanks for your help on this. I was able to get the map working for my search. I'll take a look at getting the TA for IOS set up.
Thanks again!
This is the base search for that panel:
eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" | eval isLocalIP=`local-ip-list(src_ip)` | where isLocalIP!=1 AND isnotnull(threat_reason) AND threat_reason!="-" | stats count by src_ip | iplocation src_ip | geostats latfield=lat longfield=lon count by Country
Do you get results from that? If not, try taking a piece out at a time to see where the breakdown happens. For example, try this search:
eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*"
If that returns results, add the eval statement next like this:
eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" | eval isLocalIP=`local-ip-list(src_ip)`
Keep adding parts of the base search back to determine what is going on.
The geo lookup for this app isn't using the MaxMind add-on; that was deprecated since Splunk 6.0, I believe. The latest app will not be using MaxMind, but instead iplocation and geostats.
Refer to the documentation: http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Geostats
There are examples there.
In the Cisco app, it's using this to map external IP addresses based on internal lookups. If you open the map in search, you should be able to see the search query used. I'm guessing that perhaps either your IPs are all private, or it's unable to connect and get the IP geo data for this.
FYI, it doesn't need to connect to get that data, as the IP-to-location mappings are stored locally in the Splunk directory. Can't remember if it's in lib/ or share/ 🙂
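As an added example (not code from the thread, the Cisco app, or Splunk), here is a Python model of what the map panel's base search does to each event, covering both the "take a piece out at a time" advice and the "maybe all your IPs are private or there is no geo data" hypothesis: the `local-ip-list` filter, the threat_reason test, and the iplocation/geostats stage. The events and the IP-to-country table are constructed stand-ins, and the local ranges use the RFC 1918 block 172.16.0.0/12, where the macro expansion quoted earlier in the thread reads 172.12.0.0/12. One thing the model makes explicit: because geostats runs on the output of stats count by src_ip, the number plotted per country is distinct source IPs, not event volume.

```python
import ipaddress
from collections import Counter

# Local/reserved ranges mirroring the app's `local-ip-list` macro. The macro
# expansion quoted in the thread has 172.12.0.0/12; the RFC 1918 block is
# 172.16.0.0/12, which is what is used here (assumption: that is what is intended).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fe80::/64", "fec0::/10", "fc00::/7",
)]

# Constructed stand-in for the iplocation lookup: src_ip -> (lat, lon, Country).
# Splunk reads these from its bundled GeoLite database; the values here are made up.
GEO_DB = {
    "203.0.113.7":   (-33.87, 151.21, "Australia"),
    "198.51.100.23": (51.51, -0.13, "United Kingdom"),
    "198.51.100.99": (48.86, 2.35, "France"),
}

# Constructed events carrying only the fields the panel's search touches.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.7",   "threat_reason": "scanning"},
    {"src_ip": "203.0.113.7",   "threat_reason": "scanning"},
    {"src_ip": "198.51.100.23", "threat_reason": "bad-reputation"},
    {"src_ip": "198.51.100.99", "threat_reason": "-"},         # "-" means no threat
    {"src_ip": "192.168.1.10",  "threat_reason": "scanning"},  # RFC 1918
    {"src_ip": "172.20.4.2",    "threat_reason": "scanning"},  # RFC 1918 (172.16/12)
    {"src_ip": "0.0.0.0",       "threat_reason": "scanning"},  # explicitly treated as local
    {"src_ip": "198.51.100.50", "threat_reason": "scanning"},  # public, but no geo record
    {"dest_ip": "10.0.0.5"},                                   # no src_ip at all
]


def is_local_ip(ip):
    """Mirror of the SPL case(): 1 for a local/reserved address or 0.0.0.0, else 0."""
    if ip == "0.0.0.0":
        return 1
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return 0  # the SPL falls through to isnotnull(src_ip) -> 0 for junk values
    return int(any(addr in net for net in LOCAL_NETS))


def classify(event):
    """Name the stage of the panel's search that discards this event, or 'kept'."""
    src = event.get("src_ip")
    if src is None:
        return "no_src_ip"          # src_ip="*" needs the field to be extracted
    if is_local_ip(src) == 1:
        return "local_ip"           # where isLocalIP!=1
    reason = event.get("threat_reason")
    if reason is None or reason == "-":
        return "no_threat_reason"   # isnotnull(threat_reason) AND threat_reason!="-"
    if src not in GEO_DB:
        return "no_geo"             # iplocation adds no lat/lon, so geostats drops the row
    return "kept"


def drop_reasons(events):
    """Histogram of classify() labels: the 'take a piece out at a time' check in one call."""
    return dict(Counter(classify(e) for e in events))


def threat_sources(events):
    """| stats count by src_ip, over the rows that survive the where clause."""
    survivors = [e for e in events if classify(e) in ("kept", "no_geo")]
    return dict(Counter(e["src_ip"] for e in survivors))


def count_by_country(src_counts):
    """| iplocation src_ip | geostats latfield=lat longfield=lon count by Country.
    geostats sees one row per src_ip, so its count is distinct sources per country."""
    by_country = Counter()
    for ip in src_counts:
        rec = GEO_DB.get(ip)
        if rec is not None:
            by_country[rec[2]] += 1
    return dict(by_country)


if __name__ == "__main__":
    print("drop reasons:", drop_reasons(SAMPLE_EVENTS))
    srcs = threat_sources(SAMPLE_EVENTS)
    print("stats count by src_ip:", srcs)
    print("map series:", count_by_country(srcs))
```

Run it and compare the drop reasons against your own data: a result that is all local_ip points at a router that only logs internal traffic (or at an extraction that is picking up the wrong field as src_ip), all no_threat_reason points at a source type the app does not tag the way the dashboard expects (the cisco_connection versus cisco-security-events problem in this thread), and all no_geo points at the lookup database rather than the search.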