
Missing Cisco ASA event types

Communicator

I've installed the Splunk for Cisco ASA app and the Cisco ASA Technology Add-On and am not getting anything showing up in the dashboard.
My Splunk instance is definitely collecting the firewall syslog data and the sourcetype cisco:asa is being applied but it doesn't look like the event types are being mapped.
Here's an example of some of the firewall logs:

Sep 10 13:38:59 a.b.c.d %ASA-4-106023: Deny tcp src Outside:x.x.x.x/y dst DMZ:x.x.x.x/y by access-group "Outside_access_in_1" [0x0, 0x0]
Sep 10 13:38:59 a.b.c.d %ASA-4-106023: Deny tcp src Outside:x.x.x.x/y dst Inside:x.x.x.x/y by access-group "Outside_access_in_1" [0x0, 0x0]
Sep 10 13:38:59 a.b.c.d %ASA-4-106023: Deny tcp src Outside:x.x.x.x/y dst Inside:x.x.x.x/y by access-group "Outside_access_in_1" [0x0, 0x0]
Sep 10 13:38:59 a.b.c.d %ASA-3-710003: TCP access denied by ACL from x.x.x.x/y to Outside:x.x.x.x/y

Splunk Employee

Your setup of the app seems correct, although your setup of the ASA does not. You need to enable "per access-list logging", which you do per rule. Set it to the level you output to syslog: Informational if you want the build/teardowns, Notifications if not.

Your log messages should now look like this:

"access-list ACL-outside permitted tcp outside/10.1.1.1(40599) -> inside/172.16.1.2(80) "

I'll consider adding the old log format to the TA later today.

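As an added illustration of the point made in the answer above (this is example code written for this page, not the Splunk TA's own extractions and not the Cisco app's code), the following Python parses the two message formats quoted in this thread: the legacy implicit-deny messages 106023 and 710003 from the question, and the per-ACL message 106100 produced once per-rule logging is on. The regular expressions are my own approximation of the fields a TA would need; the sample lines are constructed from the formats in the thread with RFC 5737 documentation addresses substituted, and the severities on the 106100 lines are assumed values chosen to show the trap-level check.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines modelled on the two formats quoted in the thread.
SAMPLE_LOGS = [
    'Sep 10 13:38:59 192.0.2.1 %ASA-4-106023: Deny tcp src Outside:198.51.100.7/51234 '
    'dst DMZ:192.0.2.10/443 by access-group "Outside_access_in_1" [0x0, 0x0]',
    'Sep 10 13:38:59 192.0.2.1 %ASA-3-710003: TCP access denied by ACL from '
    '198.51.100.7/51235 to Outside:192.0.2.1/22',
    'Oct 18 10:53:40 192.0.2.1 %ASA-5-106100: access-list outside_access_out permitted udp '
    'inside/outside-if(46624) -> outside/203.0.113.53(53) hit-cnt 1 first hit',
    'Oct 18 10:53:41 192.0.2.1 %ASA-6-106100: access-list ACL-outside permitted tcp '
    'outside/198.51.100.7(40599) -> inside/172.16.1.2(80) hit-cnt 1 first hit',
]

# Standard syslog severity names as the ASA "logging trap" command uses them.
SYSLOG_LEVELS = {
    'emergencies': 0, 'alerts': 1, 'critical': 2, 'errors': 3,
    'warnings': 4, 'notifications': 5, 'informational': 6, 'debugging': 7,
}

# "%ASA-<severity>-<message id>: <body>" header common to every message.
HEADER_RE = re.compile(r'%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$')

# 106100: per-ACL logging, the format the accepted answer says the TA maps.
ACL_RE = re.compile(
    r'access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) '
    r'(?P<src_if>[^/]+)/(?P<src_ip>[^(]+)\((?P<src_port>\d+)\) -> '
    r'(?P<dst_if>[^/]+)/(?P<dst_ip>[^(]+)\((?P<dst_port>\d+)\)'
)

# 106023 / 710003: legacy deny formats from the question (my own regexes).
DENY_106023_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src_ip>[^/]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:]+):(?P<dst_ip>[^/]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)
DENY_710003_RE = re.compile(
    r'(?P<proto>\w+) access denied by ACL from (?P<src_ip>[^/]+)/(?P<src_port>\d+) '
    r'to (?P<dst_if>[^:]+):(?P<dst_ip>[^/]+)/(?P<dst_port>\d+)'
)


@dataclass
class AsaEvent:
    msg_id: str
    severity: int
    fmt: Optional[str]   # "per_acl", "legacy", or None when the body did not match
    fields: dict


def parse_asa(line: str) -> Optional[AsaEvent]:
    """Parse one ASA syslog line into normalised ACL fields, or None if no ASA header."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    msg_id, severity, body = m['msg_id'], int(m['severity']), m['body']
    if msg_id == '106100':
        fmt, b = 'per_acl', ACL_RE.search(body)
    elif msg_id == '106023':
        fmt, b = 'legacy', DENY_106023_RE.search(body)
    elif msg_id == '710003':
        fmt, b = 'legacy', DENY_710003_RE.search(body)
    else:
        fmt, b = None, None
    if b is None:
        return AsaEvent(msg_id, severity, None, {})
    fields = b.groupdict()
    fields['proto'] = fields['proto'].lower()      # 710003 writes "TCP", 106100 "tcp"
    fields.setdefault('action', 'denied')           # legacy formats only log denies
    fields.setdefault('acl', None)                  # 710003 does not name the ACL
    fields.setdefault('src_if', None)               # 710003 omits the source interface
    return AsaEvent(msg_id, severity, fmt, fields)


def triage(lines) -> dict:
    """Count lines by format: only 'per_acl' lines would populate a 106100-only TA."""
    counts = {'per_acl': 0, 'legacy': 0, 'other': 0}
    for line in lines:
        ev = parse_asa(line)
        counts[ev.fmt if ev and ev.fmt else 'other'] += 1
    return counts


def reaches_collector(ev: AsaEvent, trap_level: str) -> bool:
    """True if the ASA would forward this message at the given 'logging trap' level."""
    return ev.severity <= SYSLOG_LEVELS[trap_level]


if __name__ == '__main__':
    print(triage(SAMPLE_LOGS))
    for line in SAMPLE_LOGS:
        ev = parse_asa(line)
        print(ev.msg_id, ev.fmt, 'sent@notifications' if reaches_collector(ev, 'notifications') else 'DROPPED', ev.fields)
```

Run against the constructed lines, `triage` reports two per-ACL and two legacy events, which is the situation the question describes: the ASA is logging, but not in the format the dashboard expects. `reaches_collector` is the second half of the answer's advice: the per-rule `log` keyword on an ACE takes an optional level, and a 106100 message emitted at informational (6) never leaves a firewall whose `logging trap` is set to notifications (5), so the level on the rule has to match the level you send to syslog.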


Engager

Same problem here Kent, our ASA logs successfully to an index called 'firewall' and the log looks like this:

Oct 18 10:53:40 xxx.xxx.xxx.xxx %ASA-5-106100: access-list outside_access_out permitted udp inside/outside-if(46624) -> outside/xxx.xxx.xxx.xxx(53) hit-cnt 1 first hit

and yet the app's reporting 0 events.

Also, having the application understand the old format would be very nice, but more importantly, slightly more detailed documentation is necessary. Nowhere did it say one should have a separate index called 'firewall'; we had to find it out by searching issues on this site.

Splunk Employee

What are you logging? Probably not what you should.

Does it show up in Splunk at all? If it comes into Splunk but doesn't have the right sourcetypes etc., then you've done something wrong during setup.


New Member

I have the same issue but have the logging enabled and am still getting the same issue. Anyone fix this?
