Missing Cisco ASA event types

marksnelling
Communicator

I've installed the Splunk for Cisco ASA app and the Cisco ASA Technology Add-On and am not getting anything showing up in the dashboard.
My Splunk instance is definitely collecting the firewall syslog data and the sourcetype cisco:asa is being applied but it doesn't look like the event types are being mapped.
Here's an example of some of the firewall logs:

Sep 10 13:38:59 a.b.c.d %ASA-4-106023: Deny tcp src Outside:x.x.x.x/y dst DMZ:x.x.x.x/y by access-group "Outside_access_in_1" [0x0, 0x0]
Sep 10 13:38:59 a.b.c.d %ASA-4-106023: Deny tcp src Outside:x.x.x.x/y dst Inside:x.x.x.x/y by access-group "Outside_access_in_1" [0x0, 0x0]
Sep 10 13:38:59 a.b.c.d %ASA-4-106023: Deny tcp src Outside:x.x.x.x/y dst Inside:x.x.x.x/y by access-group "Outside_access_in_1" [0x0, 0x0]
Sep 10 13:38:59 a.b.c.d %ASA-3-710003: TCP access denied by ACL from x.x.x.x/y to Outside:x.x.x.x/y

kenth
Splunk Employee

Your setup of the app seems correct although your setup of the ASA does not. You need to enable "per access-list logging" which you do per rule. Set it to the level you output to syslog. Information if you want the build/teardowns, notifications if not.

Your log messages should now look like this:

"access-list ACL-outside permitted tcp outside/10.1.1.1(40599) -> inside/172.16.1.2(80) "

I'll consider adding the old log format to the TA later today.

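As an added illustration (not code from the thread, the app or the TA) of the two message shapes at issue, the parser below recognises both the legacy 106023/710003 deny messages from the question and the per-access-list 106100 messages the answer says the TA expects, and reports which kind your ASA is actually sending. The sample lines are constructed with RFC 5737 addresses; the field names and the allowed/blocked mapping are my own choices, not the add-on's.

```python
import re
from collections import Counter

# Constructed sample lines (RFC 5737 addresses) in the two formats from the thread:
# legacy 106023/710003 deny messages and per-access-list 106100 messages.
SAMPLE_LOGS = [
    'Sep 10 13:38:59 a.b.c.d %ASA-4-106023: Deny tcp src Outside:203.0.113.5/40599 dst Inside:192.0.2.10/80 by access-group "Outside_access_in_1" [0x0, 0x0]',
    'Sep 10 13:38:59 a.b.c.d %ASA-3-710003: TCP access denied by ACL from 203.0.113.5/40599 to Outside:192.0.2.1/22',
    'Oct 18 10:53:40 a.b.c.d %ASA-5-106100: access-list outside_access_out permitted udp inside/outside-if(46624) -> outside/198.51.100.7(53) hit-cnt 1 first hit',
    'Oct 18 10:53:41 a.b.c.d %ASA-6-106100: access-list ACL-outside denied tcp outside/203.0.113.9(51234) -> inside/192.0.2.20(445) hit-cnt 3 300-second interval',
]

HEADER = re.compile(r'%ASA-(?P<severity>\d)-(?P<msgid>\d{6}): (?P<body>.*)$')
# Legacy shapes (what the question's logs show) and the 106100 shape the TA expects.
LEGACY_DENY = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src_ip>[^/]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:]+):(?P<dst_ip>[^/]+)/(?P<dst_port>\d+) by access-group "(?P<acl>[^"]+)"')
LEGACY_710003 = re.compile(
    r'(?P<proto>\w+) access denied by ACL from (?P<src_ip>[^/]+)/(?P<src_port>\d+) '
    r'to (?P<dst_if>[^:]+):(?P<dst_ip>[^/]+)/(?P<dst_port>\d+)')
PER_ACL = re.compile(
    r'access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) '
    r'(?P<src_if>[^/]+)/(?P<src_ip>[^(]+)\((?P<src_port>\d+)\) -> '
    r'(?P<dst_if>[^/]+)/(?P<dst_ip>[^(]+)\((?P<dst_port>\d+)\)')

def parse_asa_line(line):
    """Return parsed fields plus 'action' (allowed/blocked) and a 'legacy' flag
    (True for the pre-per-access-list formats), or None if unrecognised."""
    head = HEADER.search(line)
    if not head:
        return None
    msgid, body = head.group('msgid'), head.group('body')
    event = {'msgid': msgid, 'severity': int(head.group('severity'))}
    if msgid == '106100' and (m := PER_ACL.search(body)):
        event.update(m.groupdict(), legacy=False)
        event['action'] = 'allowed' if m.group('action') == 'permitted' else 'blocked'
    elif msgid == '106023' and (m := LEGACY_DENY.search(body)):
        event.update(m.groupdict(), action='blocked', legacy=True)
    elif msgid == '710003' and (m := LEGACY_710003.search(body)):
        event.update(m.groupdict(), action='blocked', legacy=True)
        event['proto'] = event['proto'].lower()  # ASA writes "TCP" here, "tcp" elsewhere
    else:
        return None
    return event

def summarize(lines):
    """Count events by (format, action); only 'legacy' keys means per-ACL logging is still off."""
    events = [ev for ev in map(parse_asa_line, lines) if ev]
    return Counter(('legacy' if ev['legacy'] else 'per-acl', ev['action']) for ev in events)
```

Run `summarize` over a slice of your own syslog feed: if every key is `legacy`, the firewall is still emitting the old deny messages rather than the 106100 lines the dashboards are keyed on.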

skytrain
Engager

Same problem here Kent, our ASA logs successfully to an index called 'firewall' and the log looks like this:

Oct 18 10:53:40 xxx.xxx.xxx.xxx %ASA-5-106100: access-list outside_access_out permitted udp inside/outside-if(46624) -> outside/xxx.xxx.xxx.xxx(53) hit-cnt 1 first hit

and yet the app's reporting 0 events.

Also, having the application understand the old format would be very nice, but more importantly, slightly more detailed documentation is necessary. Nowhere did it say one should have a separate index called 'firewall', and we had to find it out by searching issues on this site.

kenth
Splunk Employee

What are you logging? Probably not what you should.

Does it show up in Splunk at all? If it comes into Splunk but doesn't have the right sourcetypes etc., then you've done something wrong during setup.


rmcdonald17
New Member

I have the same issue but have the logging enabled and am still getting the same issue. Anyone fix this?
