We are introducing some ASAs with the unified NGFW images into our environment. The log format is different than the standard ASAs. Will the same TA (Splunk Add-on for Cisco ASA) apply for parsing the new log format?
You will need to download and install the Splunk Add-on for Cisco FireSIGHT. It has the parsing support for the Cisco Next-Generation Firewall (NGFW) logs.
I will install the app later this week and will report back. Thanks for the info.
Worked great... Just needed to add TZ=UTC to the props.conf to normalize the time.
Do you have any sample events? We can just take a peek in the transforms file to see if the regex is there.
Apr 28 15:00:00 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 131.x.x.x, SrcPort: 63942, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: MS Online, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 367, ResponderBytes: 58, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://login.live.com
Apr 28 15:00:06 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 157.x.x.x, SrcPort: 63943, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft Update, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 377, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://sls.update.microsoft.com
Apr 28 15:00:19 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 10.x.x.x, SrcPort: 443, DstPort: 64206, TCPFlags: 0x0, EgressInterface: outside, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 2785675782, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:19 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 65.x.x.x, SrcPort: 63944, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 383, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://watson.telemetry.microsoft.com
Apr 28 15:00:20 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 64.x.x.x, OriginalClientIP: ::, DstIP: 10.x.x.x, SrcPort: 443, DstPort: 55013, TCPFlags: 0x0, IngressInterface: outside, EgressInterface: inside, IngressZone: Test_Network, EgressZone: Ingress_Zone_Name, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 2785734629, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:35 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 216.x.x.x, SrcPort: 53401, DstPort: 9090, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 66, ResponderBytes: 54, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:35 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 216.x.x.x, SrcPort: 55020, DstPort: 9090, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 66, ResponderBytes: 54, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:35 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 216.x.x.x, SrcPort: 53401, DstPort: 9090, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 66, ResponderBytes: 54, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:39 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 131.x.x.x, SrcPort: 63947, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: MS Online, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 367, ResponderBytes: 58, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://login.live.com
Apr 28 15:00:45 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 157.x.x.x, SrcPort: 63948, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft Update, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 377, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://sls.update.microsoft.com
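If you want to see what the SFIMS events above actually break into before trusting an add-on's transforms, here is a small parser as an added example for this thread. It is not code from the Splunk Add-on for Cisco FireSIGHT, the ASA add-on, or any poster; the hostnames and addresses in the sample lines are constructed, the CIM-style field mapping is a hypothetical illustration, and because the syslog header carries no year and no zone, the year is a parameter (2017 assumed) and UTC is assumed, which is the same normalization the TZ=UTC props.conf setting mentioned above performs.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Syslog header of an NGFW connection event: "<Mon DD HH:MM:SS> <host> SFIMS: <key: value, ...>".
# The timestamp has neither a year nor a time zone, so the caller supplies the year and UTC is assumed.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) SFIMS: (?P<body>.+)$"
)
# Split the body only on ", " that is followed by another "Key: " token, so values containing
# spaces or parentheses ("DE: Primary Detection Engine (uuid)") are not cut in half.
FIELD_SPLIT = re.compile(r", (?=[A-Za-z]+: )")

# Vendor field -> CIM-style name. Hypothetical mapping for illustration, not the add-on's.
CIM_MAP = {
    "SrcIP": "src", "DstIP": "dest", "SrcPort": "src_port", "DstPort": "dest_port",
    "Protocol": "transport", "UserName": "user", "URL": "url",
    "AccessControlRuleName": "rule", "ConnectType": "session_state",
}
ACTION_MAP = {"Block": "blocked", "Allow": "allowed"}

# Constructed sample events (placeholder host and RFC 5737 / private addresses), shaped like the
# ones posted above: a Start/End pair for one session, an event with no ingress fields or URL,
# a 9090 event logged twice, an Allow event, and one classic-ASA line that is not SFIMS at all.
SAMPLE_EVENTS = [
    "Apr 28 15:00:00 ngfw01 SFIMS: Protocol: TCP, SrcIP: 10.0.0.10, OriginalClientIP: ::, DstIP: 203.0.113.10, SrcPort: 63942, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: MS Online, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 367, ResponderBytes: 58, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://login.live.com",
    "Apr 28 15:00:06 ngfw01 SFIMS: Protocol: TCP, SrcIP: 10.0.0.10, OriginalClientIP: ::, DstIP: 203.0.113.10, SrcPort: 63942, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, ApplicationProtocol: HTTPS, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 367, ResponderBytes: 58, URL: https://login.live.com",
    "Apr 28 15:00:06 ngfw01 SFIMS: Protocol: TCP, SrcIP: 10.0.0.10, OriginalClientIP: ::, DstIP: 203.0.113.20, SrcPort: 63943, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft Update, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 377, ResponderBytes: 66, URL: https://sls.update.microsoft.com",
    "Apr 28 15:00:19 ngfw01 SFIMS: Protocol: TCP, SrcIP: 10.0.0.20, OriginalClientIP: ::, DstIP: 10.0.0.30, SrcPort: 443, DstPort: 64206, TCPFlags: 0x0, EgressInterface: outside, EgressZone: Test_Network, Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 2785675782, ResponderBytes: 0",
    "Apr 28 15:00:35 ngfw01 SFIMS: Protocol: TCP, SrcIP: 10.0.0.10, OriginalClientIP: ::, DstIP: 198.51.100.7, SrcPort: 53401, DstPort: 9090, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 66, ResponderBytes: 54",
    "Apr 28 15:00:35 ngfw01 SFIMS: Protocol: TCP, SrcIP: 10.0.0.10, OriginalClientIP: ::, DstIP: 198.51.100.7, SrcPort: 53401, DstPort: 9090, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 66, ResponderBytes: 54",
    "Apr 28 15:00:35 ngfw01 SFIMS: Protocol: TCP, SrcIP: 10.0.0.10, OriginalClientIP: ::, DstIP: 198.51.100.7, SrcPort: 55020, DstPort: 9090, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 66, ResponderBytes: 54",
    "Apr 28 15:00:38 ngfw01 SFIMS: Protocol: TCP, SrcIP: 10.0.0.10, OriginalClientIP: ::, DstIP: 203.0.113.30, SrcPort: 63950, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, ConnectType: End, AccessControlRuleName: Permit-Web, AccessControlRuleAction: Allow, UserName: No Authentication Required, ApplicationProtocol: HTTPS, InitiatorPackets: 12, ResponderPackets: 10, InitiatorBytes: 2048, ResponderBytes: 9100, URL: https://example.com",
    "Apr 28 15:00:40 asa01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/9090 (198.51.100.7/9090) to inside:10.0.0.10/55021 (10.0.0.10/55021)",
]


def parse_sfims(line, year=2017):
    """Parse one SFIMS syslog line into a dict; return None if the line is not SFIMS format."""
    m = HEADER.match(line.rstrip("\n"))
    if not m:
        return None
    event = {"host": m["host"]}
    event["_time"] = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    for part in FIELD_SPLIT.split(m["body"]):
        key, sep, value = part.partition(": ")
        if not sep:
            continue  # not a "Key: value" token; skip rather than mis-assign it
        event[key] = int(value) if value.isdigit() else value
    return event


def to_cim(event):
    """Add CIM-style names beside the vendor fields and normalize the rule action."""
    out = dict(event)
    for vendor, cim in CIM_MAP.items():
        if vendor in event:
            out[cim] = event[vendor]
    out["action"] = ACTION_MAP.get(event.get("AccessControlRuleAction"), "unknown")
    return out


def blocked_sessions_by_dest_port(lines, year=2017):
    """Count distinct blocked 5-tuples per destination port. Start and End of the same
    session (and a duplicate log line) count once; non-SFIMS lines are skipped."""
    seen = set()
    per_port = Counter()
    for line in lines:
        ev = parse_sfims(line, year)
        if ev is None:
            continue
        ev = to_cim(ev)
        if ev["action"] != "blocked":
            continue
        key = (ev.get("transport"), ev.get("src"), ev.get("src_port"), ev.get("dest"), ev.get("dest_port"))
        if key in seen:
            continue
        seen.add(key)
        per_port[ev.get("dest_port")] += 1
    return per_port


if __name__ == "__main__":
    for port, n in blocked_sessions_by_dest_port(SAMPLE_EVENTS).most_common():
        print(f"dest_port={port} blocked_sessions={n}")
```

The last sample line is a classic ASA message and the parser returns None for it, which is the practical reason the thread ends up on the FireSIGHT add-on: the two formats share nothing past the syslog header, so one set of regexes cannot serve both. Note also that the event without ingress fields (like the one posted above with no IngressInterface) parses fine with those keys simply absent, so anything built on top should treat them as optional.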