
Can I process ASA Built and Teardown as a single event ?

mikesr
Explorer

Hi,

Can anyone please answer whether it is possible to process the ASA Built and Teardown messages of a single connection as a single event?
ASA generates a Built message when a TCP/UDP connection is established through the firewall and a Teardown message when the connection is closed. Unfortunately, some data is missing in each type of message
(e.g. direction is only in Built, and duration is only in Teardown).
What I want to do is process both messages for each connection as a single merged "connection" event, so that I can make a select or a graph using "connection" events instead of single Built or Teardown events.

Thanks in advance.
Roman

1 Solution

jcoates_splunk
Splunk Employee

You can use the transaction command to do this if there is a matching and unique element in both events. For this specific data type you need a transaction ID; addresses and ports won't be unique enough (unless maybe you evaluate them into a single field?).

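To make the answer's point concrete, here is an added example (not code from the original thread, and not Splunk's transaction command itself) that does in Python what the transaction command does in SPL: it pairs each Built with its Teardown and emits one merged "connection" record carrying the direction from Built and the duration and byte count from Teardown. The sample syslog lines are constructed for this example and only loosely modelled on the ASA 302013/302014 (TCP) and 302015/302016 (UDP) message formats; the regexes are an assumption about that format, not a reference parser. The same function is run twice, once keyed on the ASA connection ID and once keyed on the address/port tuple, to show why the latter is not unique enough when the same tuple is reused and events arrive out of order.

```python
import re

# Constructed sample lines, modelled on ASA Built/Teardown syslog messages.
# Addresses, ports and connection IDs are made up. The UDP DNS forwarder
# reuses the same 5-tuple for every query, and the lines are deliberately
# ordered as they might arrive after syslog/UDP reordering: the second Built
# shows up before the first Teardown.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/40001 (198.51.100.7/40001) to inside:10.0.0.5/443 (10.0.0.5/443)
%ASA-6-302015: Built outbound UDP connection 2001 for inside:10.0.0.53/53 (10.0.0.53/53) to outside:203.0.113.53/53 (203.0.113.53/53)
%ASA-6-302015: Built outbound UDP connection 2002 for inside:10.0.0.53/53 (10.0.0.53/53) to outside:203.0.113.53/53 (203.0.113.53/53)
%ASA-6-302016: Teardown UDP connection 2001 for inside:10.0.0.53/53 to outside:203.0.113.53/53 duration 0:00:02 bytes 180
%ASA-6-302016: Teardown UDP connection 2002 for inside:10.0.0.53/53 to outside:203.0.113.53/53 duration 0:00:02 bytes 212
%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/40001 to inside:10.0.0.5/443 duration 0:00:05 bytes 2048 TCP FINs
"""

# Assumed message shapes (an approximation of the ASA format, not a reference parser).
BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) "
    r"for (?P<src_zone>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_zone>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
TEARDOWN_RE = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) "
    r"for (?P<src_zone>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_zone>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?"
)

# The two candidate correlation keys discussed in the thread.
CONN_ID_KEY = ("conn_id",)
FIVE_TUPLE_KEY = ("proto", "src_ip", "src_port", "dst_ip", "dst_port")


def duration_seconds(hms: str) -> int:
    """Convert the Teardown 'h:mm:ss' duration to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def merge_connections(log_text: str, key_fields=CONN_ID_KEY):
    """Pair Built and Teardown events into merged connection records.

    key_fields plays the role of the transaction command's field list.
    Returns (merged, incomplete): merged holds one record per Built/Teardown
    pair, incomplete holds Builts never closed and Teardowns with no Built.
    """
    open_conns = {}          # key -> Built event still waiting for its Teardown
    merged, incomplete = [], []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            ev = m.groupdict()
            key = tuple(ev[f] for f in key_fields)
            stale = open_conns.get(key)
            if stale is not None:
                # Two open connections under one key: the key is not unique.
                incomplete.append({**stale, "status": "unterminated"})
            open_conns[key] = ev
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            ev = m.groupdict()
            key = tuple(ev[f] for f in key_fields)
            built = open_conns.pop(key, None)
            if built is None:
                incomplete.append({**ev, "status": "no_built"})
                continue
            merged.append({
                "proto": built["proto"],
                "direction": built["direction"],          # only present in Built
                "src": f'{built["src_ip"]}/{built["src_port"]}',
                "dst": f'{built["dst_ip"]}/{built["dst_port"]}',
                "duration": duration_seconds(ev["duration"]),  # only in Teardown
                "bytes": int(ev["bytes"]),                     # only in Teardown
                "reason": ev["reason"] or "",
                "built_conn_id": built["conn_id"],
                "teardown_conn_id": ev["conn_id"],
                # False means the two halves came from different connections.
                "consistent": built["conn_id"] == ev["conn_id"],
            })
    incomplete.extend({**ev, "status": "unterminated"} for ev in open_conns.values())
    return merged, incomplete


if __name__ == "__main__":
    for label, key in (("conn_id", CONN_ID_KEY), ("5-tuple", FIVE_TUPLE_KEY)):
        merged, incomplete = merge_connections(SAMPLE_LOG, key)
        print(f"key={label}: {len(merged)} merged, {len(incomplete)} incomplete")
        for r in merged:
            print("  ", r["proto"], r["direction"], r["src"], "->", r["dst"],
                  f'{r["duration"]}s', f'{r["bytes"]}B', "OK" if r["consistent"] else "MISMATCH")
```

Keyed on the connection ID every record is consistent; keyed on the address/port tuple the reordered DNS events get cross-paired (one merged record has a Built from connection 2002 and a Teardown from 2001) and the other two events are left dangling. In Splunk the equivalent would be something like `... | transaction conn_id startswith="Built" endswith="Teardown"`, assuming a field holding the ASA connection ID has been extracted under that name (the actual field name depends on your extractions or add-on).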


mikesr
Explorer

Transaction command works very well.

Thanks for the hint.


lukejadamec
Super Champion

I'm pretty sure you can use transaction for that. Can you post a Built and Teardown event for a connection?
