All Apps and Add-ons
Highlighted

Will the Splunk Add-on for Cisco ASA apply for parsing the new log format (NGFW)?

Path Finder

We are introducing some ASAs with the unified NGFW images into our environment. The log format is different than the standard ASAs. Will the same TA (Splunk Add-on for Cisco ASA) apply for parsing the new log format?

0 Karma
Highlighted

Re: Will the Splunk Add-on for Cisco ASA apply for parsing the new log format (NGFW)?

Contributor

Do you have any sample events? We can just take a peak in the transforms file to see if the regex is there.

0 Karma
Highlighted

Re: Will the Splunk Add-on for Cisco ASA apply for parsing the new log format (NGFW)?

Path Finder
Apr 28 15:00:00 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 131.x.x.x, SrcPort: 63942, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: MS Online, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 367, ResponderBytes: 58, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://login.live.com
Apr 28 15:00:06 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 157.x.x.x, SrcPort: 63943, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft Update, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 377, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://sls.update.microsoft.com
Apr 28 15:00:19 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 10.x.x.x, SrcPort: 443, DstPort: 64206, TCPFlags: 0x0, EgressInterface: outside, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 2785675782, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:19 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 65.x.x.x, SrcPort: 63944, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 383, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://watson.telemetry.microsoft.com
Apr 28 15:00:20 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 64.x.x.x, OriginalClientIP: ::, DstIP: 10.x.x.x, SrcPort: 443, DstPort: 55013, TCPFlags: 0x0, IngressInterface: outside, EgressInterface: inside, IngressZone: Test_Network, EgressZone: Ingress_Zone_Name, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 2785734629, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:35 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 216.x.x.x, SrcPort: 53401, DstPort: 9090, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 66, ResponderBytes: 54, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:35 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 216.x.x.x, SrcPort: 55020, DstPort: 9090, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 66, ResponderBytes: 54, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:35 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 216.x.x.x, SrcPort: 53401, DstPort: 9090, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: End, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 66, ResponderBytes: 54, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
Apr 28 15:00:39 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 131.x.x.x, SrcPort: 63947, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: MS Online, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 367, ResponderBytes: 58, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://login.live.com
Apr 28 15:00:45 NGFW_Device_Name SFIMS: Protocol: TCP, SrcIP: 10.x.x.x, OriginalClientIP: ::, DstIP: 157.x.x.x, SrcPort: 63948, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside, EgressInterface: outside, IngressZone: Ingress_Zone_Name, EgressZone: Test_Network, DE: Primary Detection Engine (86124d60-1ba1-11e7-9e01-b2eadccd788c), Policy: NGFW-Access-Policy, ConnectType: Start, AccessControlRuleName: Default Action, AccessControlRuleAction: Block, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Microsoft Update, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 377, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown, URL: https://sls.update.microsoft.com
0 Karma
Highlighted

Re: Will the Splunk Add-on for Cisco ASA apply for parsing the new log format (NGFW)?

Contributor

You will need to download and install the Splunk Add-on for Cisco FireSIGHT. It has the parsing support for the Cisco Next-Generation Firewall (NGFW) logs.

View solution in original post

Highlighted

Re: Will the Splunk Add-on for Cisco ASA apply for parsing the new log format (NGFW)?

Path Finder

I will install the app later this week and will report back. Thanks for the info.

0 Karma
Highlighted

Re: Will the Splunk Add-on for Cisco ASA apply for parsing the new log format (NGFW)?

Path Finder

Worked great... Just needed to add TZ=UTC to the props.conf to normalize the time.

0 Karma