Getting Data In

Best practice when it comes to managing multiple firewall logs

willspk
Loves-to-Learn Lots

Hey all,

I'm looking for some advice.

We currently have multiple ASAs which are sending logs to rsyslog. The logs are stored in folders based on the hostname. I currently have the universal forwarder monitoring the parent folder.

When it comes to using Splunk addons such as "Firegen Log Analyzer for Cisco ASA". It's asking to specify an index.

Do I need to compile all the logs from the ASAs into a single directory and then create an index for it?

Both rsyslog and splunk on are linux (ubuntu) hosts.

Any help would be appreciated.

Thanks,

Will

 

 

 

Labels (1)
0 Karma

pvarelab
Explorer

If you have several indexes you maybe can try setting this as:

[cisco_asa_index]
definition = (index="fw_index_1" OR index="fw_index_2" OR index="fw_index_3")
iseval = 0
0 Karma

willspk
Loves-to-Learn Lots

I have noticed that it's flagging logs from the ASAs with a sourcetype of %ASA-too_small.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Usually this means that you haven’t define sourcetype on inputs.conf and there was too few lines that splunk v can automatically recognize it. See https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Small_file_settings

0 Karma

PickleRick
Ultra Champion

Typically you split data to multiple indexes if:

1) You need different retention periods for your data

or

2) You need different permissions

There might be some other factors like "don't mix frequent data with rare one for performance reasons" but it's for more advanced setups.

So in general you should have as few indexes as possible and distinguish different sets of data by source/sourcetype/host fields.

0 Karma

willspk
Loves-to-Learn Lots

Hey Pickle,

So I've got a universal forwarder that monitors a directory, inside this directory each host that's sending syslogs has it's own directory. For example:

- Parent Directory

-- ASA1

-- ASA2

-- ASA3

All of this is going to the main index in Splunk.

This particular addon I'm using using is asking to specify the index. It has a prefilled example of index="cisco_asa". When I input "main", it doesn't like it.

What am I missing here?

Thanks,

Will

0 Karma

PickleRick
Ultra Champion

I don't know that add-on so I can't help you much with its workings but as a general note - it's good _not_ to use the main index. Just let it be there and sit, possibly as a last-resort, for all the stray events you forgot to route elsewhere but have the events conciously put into destination index(es).

BTW, there are some apps which are written relatively well and some that are written a bit worse. Properly written apps should be easily configurable, possibly by setting one or two macros or defining a tag or eventtype. With a poorly written apps there are some hardcoded things (like source index names for searches) and you need sometimes much work to customize it to your data layout. I'm not sure which one is your case.

0 Karma

m_pham
Splunk Employee
Splunk Employee

I'm going to assume you're talking about this TA here: https://splunkbase.splunk.com/app/3800/

I haven't used the TA yet, but it is asking you to specify an index so it can configure the macro below to configure the index where you are storing the firewall logs. So all you need to do is provide the index name - I'm assuming you're using the TA on a search head. The dashboards in this TA needs to know where you are storing the data for it to work properly.

"default/macros.conf"

[cisco_asa_index]
definition = index="cisco_asa"
iseval = 0

 

0 Karma

willspk
Loves-to-Learn Lots

Everything is currently going into main, but when I give it the value of main it won't take it. Not sure if I'm being very stupid here or what.

0 Karma

m_pham
Splunk Employee
Splunk Employee

What Splunk version are you running? The TA you're referencing only supports Splunk v7.0 - v7.2 by the way.

 

You can also try adding in a "local/macros.conf" into the base TA with the following to see if that works:

[cisco_asa_index]
definition = index="main"
iseval = 0

 

0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...