All Apps and Add-ons

Will the Splunk Add-on for Cisco ASA apply for parsing the new log format (NGFW)?

Path Finder

We are introducing some ASAs with the unified NGFW images into our environment. The log format is different than the standard ASAs. Will the same TA (Splunk Add-on for Cisco ASA) apply for parsing the new log format?

0 Karma
1 Solution

Contributor

You will need to download and install the Splunk Add-on for Cisco FireSIGHT. It has the parsing support for the Cisco Next-Generation Firewall (NGFW) logs.

View solution in original post

Contributor

You will need to download and install the Splunk Add-on for Cisco FireSIGHT. It has the parsing support for the Cisco Next-Generation Firewall (NGFW) logs.

View solution in original post

Path Finder

I will install the app later this week and will report back. Thanks for the info.

0 Karma

Path Finder

Worked great... Just needed to add TZ=UTC to the props.conf to normalize the time.

0 Karma

Contributor

Do you have any sample events? We can just take a peak in the transforms file to see if the regex is there.

0 Karma

Path Finder
Apr 28 15:00:00 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 131.x.x.x, SrcPort: 63942, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: MS Online, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 367, ResponderBytes: 58, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://login.live.com
Apr 28 15:00:06 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 157.x.x.x, SrcPort: 63943, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft Update, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 377, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://sls.update.microsoft.com
Apr 28 15:00:19 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 10.x.x.x, SrcPort: 443, DstPort: 64206, TCPFlags: 0x0, EgressInterface: outside, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 2785675782, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:19 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 65.x.x.x, SrcPort: 63944, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 383, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://watson.telemetry.microsoft.com
Apr 28 15:00:20 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 64.x.x.x, OriginalClientIP: ::, DstIP: 10.x.x.x, SrcPort: 443, DstPort: 55013, TCPFlags: 0x0, IngressInterface: outside, EgressInterface: inside, IngressZone: Test_Network, EgressZone: Ingress_Zone_Name, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 2785734629, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:35 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 216.x.x.x, SrcPort: 53401, DstPort: 9090, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 66, ResponderBytes: 54, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:35 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 216.x.x.x, SrcPort: 55020, DstPort: 9090, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 66, ResponderBytes: 54, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:35 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 216.x.x.x, SrcPort: 53401, DstPort: 9090, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 66, ResponderBytes: 54, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:39 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 131.x.x.x, SrcPort: 63947, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: MS Online, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 367, ResponderBytes: 58, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://login.live.com
Apr 28 15:00:45 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 157.x.x.x, SrcPort: 63948, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft Update, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 377, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://sls.update.microsoft.com
0 Karma