Secure Firewall Dashboard

MikeMakai
Engager

I am sending syslog data to Splunk from Cisco FMC. I am using UCAPL compliance and therefore cannot use eStreamer. The data is being ingested into Splunk and the dashboard is showing some basic events, like connection events, volume file events and malware events. When I try to learn more about these events it doesn't drill down into more info. For example, when I click on the 14 Malware Events and choose "Open in Search" it just shows the number of events. There is no information regarding these events. When I click on Inspect, it shows command.tstats at 13 and command.tstats.execute_output at 1. It doesn't provide further clarity regarding the malware events. When I view the Malware Files dashboard on the FMC, it shows no data for malware threats. So based on the FMC it seems that the data in the Splunk dashboard is incorrect, or at least it is interpreting malware events differently from the FMC dashboard.


kiran_panchavat
Influencer

@MikeMakai Hi Mike, I recently integrated an FTD appliance with Splunk. Previously, the customer was using a Cisco ASA, and last week they upgraded to FTD. We didn't make any changes to the Splunk setup and are still using the Cisco ASA add-on. Interestingly, the logs are being parsed correctly. Have you tried using the Cisco ASA add-on? Additionally, when you run a TCP dump on the destination side (Splunk), how are the logs appearing from the FTD device? Are they coming through as expected? It seems the cisco:ftd:syslog sourcetype isn't parsing them properly. I've attached a screenshot for your reference.

I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply.

[Attached screenshots: kiran_panchavat_0-1736487544389.jpeg, kiran_panchavat_1-1736487558276.jpeg]

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

kiran_panchavat
Influencer

@MikeMakai

Please run `tcpdump` to verify if the expected logs are being received. If the expected output is observed, we can proceed to check from the Splunk side.

If this reply helps you, Karma would be appreciated.


MikeMakai
Engager

I'm running Splunk on Windows and don't have the tcpdump command.


kiran_panchavat
Influencer

@MikeMakai I think you can use WinDump/Wireshark. You can take help from your network team. 

https://wiki.wireshark.org/WinDump 


kiran_panchavat
Influencer

@MikeMakai

Could you share your `inputs.conf` file? Are you sending data directly from the FMC to Splunk, or is there an intermediate forwarder between your FMC and Splunk?


MikeMakai
Engager

Hi Kiran,

I'm sending syslog directly from the FTD devices.

Here is the config file.

[tcp://192.168.1.2:1470]
connection_host = dns
index = cisco_sfw_ftd_syslog
sourcetype = cisco:ftd:syslog

[sbg_sfw_syslog_input://FTD_Pier]
event_types = *,syslog_intrusion,syslog_connection,syslog_file,syslog_file_malware
index = cisco_sfw_ftd_syslog
interval = 600
port = 1470
restrictToHost = 192.168.1.2
sourcetype = cisco:ftd:syslog
type = tcp

[tcp://192.168.200.2:1470]
connection_host = dns
index = cisco_sfw_ftd_syslog
sourcetype = cisco:ftd:syslog

[sbg_sfw_syslog_input://FTD_Kona]
event_types = *,syslog_intrusion,syslog_connection,syslog_file,syslog_file_malware
index = cisco_sfw_ftd_syslog
interval = 600
port = 1470
restrictToHost = 192.168.200.2
sourcetype = cisco:ftd:syslog
type = tcp

Thanks,

Mike 

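Two things in this thread call for the same check: Kiran's suggestion to capture the raw syslog on the Splunk side (tcpdump/WinDump), and Mike's inputs.conf with its event_types list (syslog_intrusion, syslog_connection, syslog_file, syslog_file_malware). The script below is an added example for this thread, not code from the Splunk Secure Firewall app, the Cisco add-on or either poster. It captures a few raw lines on the TCP syslog port (a stand-in for tcpdump on a Windows Splunk host) and classifies them by FTD message ID, so the per-type counts can be compared against what the dashboard shows. Assumptions: port 1470 is taken from the posted inputs.conf; the 430001-430005 IDs are Cisco's documented FTD Firepower event IDs, but the way the Splunk app maps them to its event_types names is assumed here, not taken from the app; every sample line is constructed, not captured from a real device.

```python
"""Raw-line check for Cisco FTD syslog arriving at a Splunk TCP input.

Added example for this thread, not code from the Splunk app or Cisco.
Captures raw lines on the syslog port (tcpdump stand-in for Windows) and
classifies them by FTD message ID into the event_types names used in the
posted inputs.conf. The ID->event_types mapping is an assumption; the
sample lines are constructed.
"""
import re
import socket
import sys
from collections import Counter

# Assumed mapping of Cisco FTD Firepower message IDs to the app's event_types names.
FTD_EVENT_TYPES = {
    "430001": "syslog_intrusion",
    "430002": "syslog_connection",   # connection start
    "430003": "syslog_connection",   # connection end
    "430004": "syslog_file",
    "430005": "syslog_file_malware",
}

# "%FTD-<severity>-<six-digit message id>" followed by a colon or space.
MSG_RE = re.compile(r"%FTD-(?P<sev>\d)-(?P<id>\d{6})[:\s]")


def classify(line):
    """event_types name, 'other' for ASA-style platform messages, None if not FTD."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return FTD_EVENT_TYPES.get(m.group("id"), "other")


def parse_fields(line):
    """Split the 'Key: value, Key: value' body of a Firepower event into a dict."""
    m = MSG_RE.search(line)
    if not m:
        return {}
    fields = {}
    for part in line[m.end():].split(", "):
        if ": " in part:                      # 'FirstPacketSecond: 2025-...' splits once
            key, value = part.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def count_event_types(lines):
    """Per-event_types counts; the numbers to compare with the dashboard panels."""
    counts = Counter()
    for line in lines:
        kind = classify(line)
        if kind is not None:
            counts[kind] += 1
    return counts


def malware_events(lines):
    """Parsed fields of the 430005 (file malware) events only."""
    return [parse_fields(l) for l in lines if classify(l) == "syslog_file_malware"]


def capture(port=1470, max_lines=10, host="0.0.0.0"):
    """Accept one TCP syslog connection, return up to max_lines raw lines.

    Stop or re-port the Splunk TCP input first: two processes cannot listen
    on the same port. Needs a live sender, so it is not run offline.
    """
    lines = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, _peer = srv.accept()
        with conn, conn.makefile("r", encoding="utf-8", errors="replace") as f:
            for raw in f:                     # TCP syslog: one message per newline
                lines.append(raw.rstrip("\r\n"))
                if len(lines) >= max_lines:
                    break
    return lines


# Constructed sample lines in the shape FTD emits: syslog header + %FTD message.
SAMPLE_LINES = [
    "<166>Jan 10 10:00:01 ftd-kona %FTD-1-430005: EventPriority: Low, InstanceID: 1, "
    "FirstPacketSecond: 2025-01-10T10:00:01Z, ConnectionID: 1001, SrcIP: 192.168.200.25, "
    "DstIP: 203.0.113.10, SrcPort: 51234, DstPort: 80, Protocol: tcp, FileName: eicar.com, "
    "FileAction: Malware Cloud Lookup, Disposition: Malware, ThreatName: Eicar-Test-Signature",
    "<166>Jan 10 10:00:02 ftd-kona %FTD-1-430004: EventPriority: Low, InstanceID: 1, "
    "ConnectionID: 1002, SrcIP: 192.168.200.26, DstIP: 203.0.113.11, DstPort: 443, "
    "Protocol: tcp, FileName: report.pdf, FileType: PDF, FileAction: Detect, Disposition: Clean",
    "<166>Jan 10 10:00:03 ftd-kona %FTD-1-430002: EventPriority: Low, InstanceID: 1, "
    "ConnectionID: 1003, AccessControlRuleAction: Allow, SrcIP: 192.168.200.27, "
    "DstIP: 203.0.113.12, SrcPort: 51236, DstPort: 22, Protocol: tcp",
    "<166>Jan 10 10:00:04 ftd-kona %FTD-1-430003: EventPriority: Low, InstanceID: 1, "
    "ConnectionID: 1003, AccessControlRuleAction: Allow, SrcIP: 192.168.200.27, "
    "DstIP: 203.0.113.12, SrcPort: 51236, DstPort: 22, Protocol: tcp, InitiatorBytes: 840",
    "<166>Jan 10 10:00:05 ftd-kona %FTD-1-430001: EventPriority: High, InstanceID: 1, "
    "ConnectionID: 1004, SrcIP: 203.0.113.50, DstIP: 192.168.200.30, DstPort: 445, "
    "Protocol: tcp, GID: 1, SID: 2000000, Classification: Attempted Administrator Privilege Gain",
    # ASA-style platform message: also "%FTD-...", but not a Firepower event.
    "<166>Jan 10 10:00:06 ftd-kona %FTD-6-302013: Built outbound TCP connection 1005 "
    "for outside:203.0.113.13/443 (203.0.113.13/443) to inside:192.168.200.31/51237",
]

if __name__ == "__main__":
    lines = capture() if "--listen" in sys.argv else SAMPLE_LINES
    for kind, n in sorted(count_event_types(lines).items()):
        print(f"{kind:22s} {n}")
    for ev in malware_events(lines):
        print("malware:", ev.get("FileName"), ev.get("Disposition"), ev.get("ThreatName"))
```

Run it with `--listen` on the Splunk host (with the 1470 input stopped) to see exactly what the FTD sends; without the flag it runs over the constructed samples. If the captured lines contain no 430005 messages while the dashboard still reports 14 malware events, the count and the raw data disagree. Note also that a count produced by `tstats` comes from index summaries and returns aggregates rather than raw events; to see the events behind a panel, search the index directly, for example `index=cisco_sfw_ftd_syslog sourcetype=cisco:ftd:syslog "430005"`.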