How to send Cisco ASA Firewall logs to syslog-ng server and push it out to the indexer with universal forwarder

Explorer

Hi Guys,

I've been trying to send Cisco ASA firewall logs to syslog-ng server where the forwarder is installed but I just can't get it working.

I've setup a forwarder and installed syslog-ng in Ubuntu VM.

I have tried to follow the instructions on this link and also from various other sources, but I'm stressed enough to say that I just can't get it working.

https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk/

I really need some clear detailed step by step instructions on how to configure Cisco ASA to store syslogs into the syslog-ng server and forward the data to indexer.

I'm not sure if I configured syslog-ng server properly in Ubuntu. I used following tutorial but no success.

https://www.youtube.com/watch?v=glvsJJFbzZc&feature=em-share_video_user

Could you check if everything looks ok below and advise the next step from here?

My goal is to send Cisco ASA Firewall logs to syslog-ng server and push it out to the indexer with universal forwarder so that I'm able to see all the cisco asa logs from the search.

My setup is as below: All servers have been built with Ubuntu in VM.

Indexer: 10.10.50.11
Forwarder: 10.10.50.12 (Installed syslog-ng here)

I can ping and SSH between Indexer and forwarder.

Configured universal forwarder to send data to the receiving indexer.
root@forwarder:/opt/splunkforwarder/bin# ./splunk add forward-server 10.10.50.11:9997 -auth admin:seeshock
root@forwarder:/opt/splunkforwarder/bin# ./splunk list forward-server
Active forwards:
None
Configured but inactive forwards:
10.10.50.11:9997

Configure deployment client
root@forwarder:/opt/splunkforwarder/bin# ./splunk show deploy-poll
Deployment Server URI is set to "10.10.50.12:8089".

root@indexer:/opt/splunk/bin# ./splunk status
splunkd is running (PID: 3109).
splunk helpers are running (PIDs: 3110 3118 3183 3200).

root@indexer:/opt/splunk/bin# ./splunk btool inputs list splunktcp --debug | grep -v default
/opt/splunk/etc/system/local/inputs.conf host = indexer
/opt/splunk/etc/apps/launcher/local/inputs.conf [splunktcp://9997]
/opt/splunk/etc/apps/launcher/local/inputs.conf connection_host = ip
/opt/splunk/etc/system/local/inputs.conf host = indexer

root@indexer:/opt/splunk/bin# ./splunk list inputstatus
tcp_cooked:listenerports :
9997

index=_internal host="indexer"

Time Event

4/2/17 10.10.50.11 - admin [02/Apr/2017:20:47:25.825 +1000] "GET /en-US/splunkd/_raw/services/search/shelper?output_mode=json&snippet=true&snippetEmbedJS=false&namespace=search&search=search+index%3D_internal+host%3D&useTypeahead=true&useAssistant=false&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&=1491126297345 HTTP/1.1" 200 5141 "http://10.10.50.11:8000/en-US/app/search/search?q=search%20index%3D_internal%20host%3Dforwarder&disp..." "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0" - b44fb5fd27b3677a2443d6de473370fe 8ms
8:47:25.825 PM · host = indexer
· source = /opt/splunk/var/log/splunk/splunkd_ui_access.log
· sourcetype = splunkd_ui_access
4/2/17 10.10.50.11 - admin [02/Apr/2017:20:47:25.681 +1000] "GET /en-US/splunkd/_raw/services/search/shelper?output_mode=json&snippet=true&snippetEmbedJS=false&namespace=search&search=search+index%3D_internal+host%3Df&useTypeahead=true&useAssistant=false&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&=1491126297344 HTTP/1.1" 200 5109 "http://10.10.50.11:8000/en-US/app/search/search?q=search%20index%3D_internal%20host%3Dforwarder&disp..." "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0" - b44fb5fd27b3677a2443d6de473370fe 40ms
8:47:25.681 PM · host = indexer
· source = /opt/splunk/var/log/splunk/splunkd_ui_access.log
· sourcetype = splunkd_ui_access

index=_internal host="forwarder"

4/3/17 04-03-2017 14:15:24.393 +1000 INFO DC:PhonehomeThread - Attempted handshake 260 times. Will try to re-subscribe to handshake reply

2:15:24.393 PM · host = forwarder
· source = /opt/splunkforwarder/var/log/splunk/splunkd.log
· sourcetype = splunkd
4/3/17 04-03-2017 14:15:24.393 +1000 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
2:15:24.393 PM · host = forwarder
· source = /opt/splunkforwarder/var/log/splunk/splunkd.log
· sourcetype = splunkd
4/3/17 04-03-2017 14:15:16.083 +1000 INFO Metrics - group=thruput, name=uncooked_output, instantaneous_kbps=0.000000, instantaneous_eps=0.000000, average_kbps=0.000000, total_k_processed=0.000000, kb=0.000000, ev=0.000000
2:15:16.083 PM · host = forwarder
· source = /opt/splunkforwarder/var/log/splunk/metrics.log
· sourcetype = splunkd

root@indexer:/etc/syslog-ng# netstat -an | grep 9997
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN
tcp 0 0 10.10.50.11:9997 10.10.50.12:53380 ESTABLISHED

root@indexer:/opt/splunk/etc/system/local# mkdir firewall_asa

root@indexer:/opt/splunk/etc/system/local# cd firewall_asa

root@indexer:/opt/splunk/etc/system/local/firewall_asa# cd

root@indexer:~# cd /opt/splunk/bin

root@indexer:/opt/splunk/bin# ./splunk add udp 514 -sourcetype cisco:asa
Listening for UDP input on port 514.

root@forwarder:/opt/splunkforwarder/bin# ./splunk show deploy-poll
Deployment Server URI is set to "10.10.50.12:8089".

root@forwarder:/opt/splunkforwarder/bin# ./splunk list forward-server
Active forwards:
10.10.50.11:9997
Configured but inactive forwards:
None

root@forwarder:/opt/splunkforwarder/bin# ./splunk show servername
Server name: forwarder

root@forwarder:/opt/splunkforwarder/bin# ./splunk show default-hostname
Default hostname for data inputs: forwarder.

root@forwarder:/opt/splunkforwarder/bin# ./splunk add forward-server 10.10.50.11:9997 -auth admin:seeshock
Added forwarding to: 10.10.50.11:9997.

root@forwarder:/opt/splunkforwarder/bin# ./splunk list forward-server
Active forwards:
None
Configured but inactive forwards:
10.10.50.11:9997

0 Karma
1 Solution

Motivator

Hi there,

Am I wrong, or did you just create the UDP input on your indexer rather than the forwarder?

"root@indexer:/opt/splunk/bin# ./splunk add udp 514 -sourcetype cisco:asa
Listening for UDP input on port 514."

These are the basic steps to do what you need, assuming that you have the firewall rules/ports opened already.

  1. Enable listening on port 9997 on the indexer to receive incoming data from the UF.

    ./splunk enable listen 9997 -auth username:password
    
  2. Configure your forwarder to send data to the indexer.

    ./splunk add forward-server <IP OR DNS>:9997
    
  3. Create the UDP input on your UF to listen for that syslog.

    ./splunk add udp 514 -sourcetype cisco:asa

Hope it helps.

0 Karma

Communicator

Is this still an issue?

0 Karma

Explorer

Yep, I'm just back on it now. Additionally, please see my response to alemarzu below. I had mistakenly configured UDP 514 on the indexer rather than the forwarder earlier, which could have been causing some problems, but it has been fixed now as I reconfigured it on the forwarder and removed it from the indexer.

0 Karma

Path Finder

One solution to this would be to utilize buckets.d and patterndb.d on the syslog-ng server in order to write the Cisco ASA logs to a directory, and then from there you can use a UF to monitor that directory and forward directly to the indexers.

0 Karma
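The accepted answer's UDP-input approach and the syslog-ng-writes-a-directory approach suggested just above, staged as files, as an added example that is not code from any poster in this thread: syslog-ng on the forwarder box accepts the ASA on UDP 514 (only from the firewall's address) and writes one file per sender, and the UF tails those files as sourcetype cisco:asa, so a UF restart does not lose datagrams. The ASA address 10.10.50.1, the directory under /var/log/syslog-ng, the index name firewall and the syslog-ng version line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: stage a syslog-ng config that receives Cisco ASA
# syslog on UDP 514 and writes one file per sending host, plus the UF inputs.conf monitor
# stanza that tails those files. Assumed: ASA at 10.10.50.1, LOG_ROOT, index "firewall".
set -eu
ASA_IP="10.10.50.1"                        # assumed firewall address, used as an allow-list
LOG_ROOT="/var/log/syslog-ng/cisco_asa"    # assumed directory syslog-ng writes into

# host_segment for the monitor stanza: the path component right after LOG_ROOT.
host_segment_for() {
    echo $(( $(printf '%s' "$1" | tr -cd '/' | wc -c) + 1 ))
}

# Write the syslog-ng source/filter/destination into DIR/cisco_asa.conf and print its path.
write_syslog_ng_conf() {
    cat > "$1/cisco_asa.conf" <<EOF
@version: 3.5
# Receive the ASA on UDP 514 (the port the ASA "logging host" command uses by default).
source s_asa { network(ip(0.0.0.0) port(514) transport("udp")); };
# Drop anything that did not come from the firewall itself.
filter f_asa { netmask(${ASA_IP}/32); };
# One file per sender so the UF can derive host from the directory name.
destination d_asa { file("${LOG_ROOT}/\${SOURCEIP}/asa.log" create-dirs(yes)
    template("\${ISODATE} \${HOST} \${MSGHDR}\${MESSAGE}\n")); };
log { source(s_asa); filter(f_asa); destination(d_asa); };
EOF
    echo "$1/cisco_asa.conf"
}

# Write the UF monitor stanza into DIR/inputs.conf and print its path.
write_uf_inputs_conf() {
    seg=$(host_segment_for "$LOG_ROOT")
    cat > "$1/inputs.conf" <<EOF
[monitor://${LOG_ROOT}/*/asa.log]
sourcetype = cisco:asa
index = firewall
host_segment = ${seg}
disabled = 0
EOF
    echo "$1/inputs.conf"
}

# Syntax-check the syslog-ng file when the binary is present; otherwise just say so.
check_syslog_ng_conf() {
    if command -v syslog-ng >/dev/null 2>&1; then syslog-ng -s -f "$1"; else echo "syslog-ng not installed, skipped syntax check"; fi
}

# Usage: sh stage_asa.sh /tmp/stage ; then copy to /etc/syslog-ng/conf.d and $SPLUNK_HOME/etc/system/local
[ $# -eq 0 ] || { mkdir -p "$1"; write_syslog_ng_conf "$1"; write_uf_inputs_conf "$1"; }
```

The ASA side is `logging host <interface> 10.10.50.12` plus `logging trap informational` (or whichever level you need); on the forwarder, remove the UDP 514 input from the UF itself so syslog-ng can bind the port.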

Explorer

I'm too much of a noob to understand that, but please see my further outputs below in response to nychawk.

What do you think?

0 Karma