Dashboards & Visualizations

Secure Firewall Dashboard

MikeMakai
Engager

I am sending syslog data to Splunk from Cisco FMC. I am using UCAPL compliance and therefore cannot use eStreamer. The data is being ingested into Splunk and the dashboard is showing some basic events, like connection events, volume file events and malware events. When I try to learn more about these events it doesn't drill down into more info. For example, when I click on the 14 Malware Events and choose "open in search" it just shows the number of events. There is no information regarding these events. When I click on inspect, it shows command.tstats at 13 and command.tstats.execute_output at 1. It doesn't provide further clarity regarding the malware events. When I view the Malware files dashboard on the FMC, it shows no data for malware threats. So based on the FMC it seems that the data in the Splunk dashboard is incorrect, or at least it is interpreting malware events differently from the FMC dashboard.

0 Karma

kiran_panchavat
SplunkTrust
SplunkTrust

@MikeMakai Hi Mike, I recently integrated an FTD appliance with Splunk. Previously, the customer was using a Cisco ASA, and last week they upgraded to FTD. We didn't make any changes to the Splunk setup and are still using the Cisco ASA add-on. Interestingly, the logs are being parsed correctly. Have you tried using the Cisco ASA add-on? Additionally, when you run a TCP dump on the destination side (Splunk), how are the logs appearing from the FTD device? Are they coming through as expected? It seems the cisco:ftd:syslog sourcetype isn't parsing them properly. I've attached a screenshot for your reference.

I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply.


Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

kiran_panchavat
SplunkTrust
SplunkTrust

@MikeMakai

Please run `tcpdump` to verify if the expected logs are being received. If the expected output is observed, we can proceed to check from the Splunk side.

If this reply helps you, Karma would be appreciated.

0 Karma

MikeMakai
Engager

I'm running Splunk on Windows and don't have the tcpdump command.

0 Karma

kiran_panchavat
SplunkTrust
SplunkTrust

@MikeMakai I think you can use WinDump/Wireshark. You can take help from your network team.

https://wiki.wireshark.org/WinDump

0 Karma

kiran_panchavat
SplunkTrust
SplunkTrust

@MikeMakai

Could you share your `inputs.conf` file? Are you sending data directly from the FMC to Splunk, or is there an intermediate forwarder between your FMC and Splunk?

0 Karma

MikeMakai
Engager

Hi Kiran,

I'm sending syslog directly from the FTD devices.

Here is the config file.

[tcp://192.168.1.2:1470]
connection_host = dns
index = cisco_sfw_ftd_syslog
sourcetype = cisco:ftd:syslog

[sbg_sfw_syslog_input://FTD_Pier]
event_types = *,syslog_intrusion,syslog_connection,syslog_file,syslog_file_malware
index = cisco_sfw_ftd_syslog
interval = 600
port = 1470
restrictToHost = 192.168.1.2
sourcetype = cisco:ftd:syslog
type = tcp

[tcp://192.168.200.2:1470]
connection_host = dns
index = cisco_sfw_ftd_syslog
sourcetype = cisco:ftd:syslog

[sbg_sfw_syslog_input://FTD_Kona]
event_types = *,syslog_intrusion,syslog_connection,syslog_file,syslog_file_malware
index = cisco_sfw_ftd_syslog
interval = 600
port = 1470
restrictToHost = 192.168.200.2
sourcetype = cisco:ftd:syslog
type = tcp

Thanks,

Mike

0 Karma
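An added check, not code from this thread or from the Cisco Secure Firewall app: since Windows has no tcpdump, a small Python TCP syslog receiver can confirm what the FTD devices actually send and bucket each line by its FTD message ID into the same event types the inputs.conf stanzas enable. The message-ID mapping (430001 intrusion, 430002/430003 connection, 430004 file, 430005 file malware) is assumed from Cisco's FTD syslog message guide and should be verified against your FMC version; the sample lines and the alternate port are constructed.

```python
import re
import socket
from collections import Counter

# Assumed mapping from FTD security-event message IDs to the add-on's
# event_type names; verify against Cisco's syslog message guide for your release.
FTD_EVENT_IDS = {
    "430001": "syslog_intrusion",
    "430002": "syslog_connection",   # connection start
    "430003": "syslog_connection",   # connection end
    "430004": "syslog_file",
    "430005": "syslog_file_malware",
}
MSG_ID_RE = re.compile(r"%FTD-\d-(\d{6})")

def classify(line: str) -> str:
    """Map one raw syslog line to the event_type it should feed."""
    m = MSG_ID_RE.search(line)
    if not m:
        return "not_ftd"
    return FTD_EVENT_IDS.get(m.group(1), "other_ftd")

def summarize(lines):
    """Count lines per event type. A zero for syslog_file_malware means the
    firewall is not sending 430005 at all, so there is nothing to drill into."""
    return Counter(classify(l) for l in lines if l.strip())

def listen(port: int, max_lines: int = 100):
    """Accept one TCP syslog connection (newline-delimited, as FTD sends over
    TCP) and summarise it. Point a test FTD syslog destination at a spare port
    so the Splunk input keeps 1470."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn, conn.makefile("r", encoding="utf-8", errors="replace") as f:
            lines = [f.readline() for _ in range(max_lines)]
        print(f"from {peer[0]}:", summarize(lines))

# Constructed sample lines in the FTD key/value syslog format (not a capture).
SAMPLE = [
    "<113>Jan 10 2025 12:00:01 ftd-pier %FTD-1-430003: EventPriority: Low, ConnectionID: 1, AccessControlRuleAction: Allow",
    "<113>Jan 10 2025 12:00:02 ftd-pier %FTD-1-430005: EventPriority: High, FileName: invoice.exe, SHA_Disposition: Malware",
    "<113>Jan 10 2025 12:00:03 ftd-pier %FTD-6-430002: EventPriority: Low, ConnectionID: 2",
    "<166>Jan 10 2025 12:00:04 ftd-pier %FTD-6-302013: Built inbound TCP connection",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))   # run listen(1471) instead to read live traffic
```

If the summary shows connection events but no 430005 lines, the gap is on the FTD/FMC logging side rather than in the Splunk sourcetype.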