The add-on is installed correctly and functioning.
Data Input is defined as:
UDP/514, Source Type: cisco_asa, Index: firewall
I'm getting data, events # increments in the Cisco Splunk App, but Event Types is empty.
Syslog on the ASA is set up to log at Informational.
Raw events in Splunk look like:
8/20/12 9:13:33.000 AM  Aug 20 09:13:33 10.11.121.2 %ASA-4-106023: Deny udp src inside:10.1.5.219/54057 dst outside:X.X.127.74/8102 by access-group "inside_access_in" [0x0, 0x0]
host=10.11.121.2 | sourcetype=syslog | source=udp:514
The Source Type column under Data Inputs is confirmed as 'cisco_asa', but the sourcetype in the log itself says 'syslog'; not sure if that has anything to do with it.
This time I tried the Cisco for Firewalls App and the Cisco Security Suite app.
STILL no events showing even though it is definitely logging:
This search has completed and found 7,504 matching events. However, the transforming commands in the highlighted portion of the following search:
search eventtype="cisco_firewall" | bin _time span=5m | search eventtype="cisco_firewall" | stats count by eventtype, src_ip, dest_ip, host,log_level_desc,event_desc, _time
over the time range: 8/20/12 5:27:16.000 PM – 8/21/12 5:27:16.000 AM
generated no results.
Again lots of raw events in the log with the correct source_type:
8/21/12 5:29:44.000 AM  Aug 21 05:29:44 10.11.121.2 %ASA-6-302020: Built outbound ICMP connection for faddr x.x.81.124/0 gaddr x.x.247.193/28571 laddr 10.1.5.62/28571
host=splunk | sourcetype=udp:514 | source=udp:514

8/21/12 5:29:44.000 AM  Aug 21 05:29:44 10.11.121.2 %ASA-6-305011: Built dynamic ICMP translation from any:10.1.5.62/28571 to outside:x.x.247.193/28571
host=splunk | sourcetype=udp:514 | source=udp:514

8/21/12 5:29:44.000 AM  Aug 21 05:29:44 10.11.121.2 %ASA-6-305012: Teardown dynamic UDP translation from any:10.1.1.65/50482 to outside:x.x.247.193/50482 duration 0:00:30
host=splunk | sourcetype=udp:514 | source=udp:514

8/21/12 5:29:44.000 AM  Aug 21 05:29:44 10.11.121.2 %ASA-6-305012: Teardown dynamic ICMP translation from any:10.1.5.62/61987 to outside:x.x.247.193/61987 duration 0:00:32
Splunk: 4.3.3 b128297
ASA: 8.4(4)
Definitely agree that fields are not getting extracted. But I just don't know how to figure out why. I have a brand new ASA, so I'm wondering if there wasn't a change in the output?
That's why I included the raw output so maybe someone could compare to an older ASA version. Where would I go to see 'eventtype'/xxx_ip being populated?
In the Cisco Security App, I do a "search Cisco Firewall Recent Events" and it says 'eventtype=cisco_firewall' and then gives me 1000's of raw events. But the dashboard shows nothing - the events aren't being interpreted correctly.
Looks like your fields are not getting extracted properly. When you do just a regular 'raw' search, do you see fields like eventtype, src_ip, dest_ip etc. being populated?
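As an added example (not code from Splunk, Cisco, or anyone in this thread), here is a small Python parser that pulls the fields the replies ask about (message id, severity, src_ip, dest_ip, action, ACL) out of the exact raw lines quoted above, and flags every event whose indexed sourcetype is not `cisco_asa`. The regexes, the field names, and the assumption that the Cisco app's eventtypes and extractions are keyed to sourcetype `cisco_asa` are mine; the sample events are copied from the thread with the masked addresses left as they appear there.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the raw syslog lines quoted in this thread, paired with the
# sourcetype Splunk showed next to each one. Only the syslog part is kept; the
# "8/21/12 5:29:44.000 AM" prefix in the UI is Splunk's indexed timestamp, not payload.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("syslog",
     "Aug 20 09:13:33 10.11.121.2 %ASA-4-106023: Deny udp src inside:10.1.5.219/54057 "
     "dst outside:X.X.127.74/8102 by access-group \"inside_access_in\" [0x0, 0x0]"),
    ("udp:514",
     "Aug 21 05:29:44 10.11.121.2 %ASA-6-302020: Built outbound ICMP connection for faddr "
     "x.x.81.124/0 gaddr x.x.247.193/28571 laddr 10.1.5.62/28571"),
    ("udp:514",
     "Aug 21 05:29:44 10.11.121.2 %ASA-6-305011: Built dynamic ICMP translation from "
     "any:10.1.5.62/28571 to outside:x.x.247.193/28571"),
    ("udp:514",
     "Aug 21 05:29:44 10.11.121.2 %ASA-6-305012: Teardown dynamic UDP translation from "
     "any:10.1.1.65/50482 to outside:x.x.247.193/50482 duration 0:00:30"),
]

# Assumption: the app's knowledge objects only apply to this sourcetype.
EXPECTED_SOURCETYPE = "cisco_asa"

# Syslog header as the ASA emits it, followed by the %ASA-<severity>-<message_id>: tag.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$"
)

# Message-specific bodies for the IDs that appear in the thread (106023, 302020, 305011/305012).
DENY_RE = re.compile(
    r"^Deny (?P<proto>\S+) src (?P<src_zone>[^:]+):(?P<src_ip>[^/]+)/(?P<src_port>\d+) "
    r"dst (?P<dest_zone>[^:]+):(?P<dest_ip>[^/]+)/(?P<dest_port>\d+) "
    r"by access-group \"(?P<acl>[^\"]+)\""
)
XLATE_RE = re.compile(
    r"^(?P<action>Built|Teardown) dynamic (?P<proto>\S+) translation from "
    r"(?P<src_zone>[^:]+):(?P<src_ip>[^/]+)/(?P<src_port>\d+) to "
    r"(?P<dest_zone>[^:]+):(?P<dest_ip>[^/]+)/(?P<dest_port>\d+)"
)
CONN_RE = re.compile(
    r"^(?P<action>Built|Teardown) (?P<direction>inbound|outbound) (?P<proto>\S+) connection "
    r"for faddr (?P<faddr>[^/]+)/\d+ gaddr (?P<gaddr>[^/]+)/\d+ laddr (?P<laddr>[^/]+)/\d+"
)

SEVERITY_NAMES = {"0": "emergency", "1": "alert", "2": "critical", "3": "error",
                  "4": "warning", "5": "notification", "6": "informational", "7": "debug"}


def parse_asa_event(raw: str) -> Optional[Dict[str, str]]:
    """Return the dashboard-style fields for one ASA syslog line, or None if it is not one."""
    m = HEADER_RE.match(raw)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if k != "body"}
    fields["log_level_desc"] = SEVERITY_NAMES[fields["severity"]]
    body = m.group("body")
    for pattern in (DENY_RE, XLATE_RE, CONN_RE):
        b = pattern.match(body)
        if b:
            fields.update(b.groupdict())
            break
    if "action" in fields:
        fields["action"] = fields["action"].lower()
    if fields["msg_id"] == "106023":      # an ACL deny is an explicit action
        fields["action"] = "deny"
    return fields


def check_sourcetype(sourcetype: str) -> bool:
    """True when the indexed sourcetype is the one the add-on's extractions expect."""
    return sourcetype == EXPECTED_SOURCETYPE


def audit(events: List[Tuple[str, str]] = SAMPLE_EVENTS) -> List[Dict]:
    """Parse every event and record whether it was indexed under the expected sourcetype."""
    return [{"sourcetype_ok": check_sourcetype(st), "indexed_as": st,
             "fields": parse_asa_event(raw)} for st, raw in events]


if __name__ == "__main__":
    for r in audit():
        flag = "OK " if r["sourcetype_ok"] else "BAD"
        f = r["fields"]
        print(f"[{flag} sourcetype={r['indexed_as']}] msg_id={f['msg_id']} "
              f"{f['log_level_desc']} src_ip={f.get('src_ip', f.get('laddr', '-'))} "
              f"dest_ip={f.get('dest_ip', f.get('faddr', '-'))}")
```

Running it prints every quoted event with the fields a working extraction would yield, and marks all four as BAD because they were indexed as `syslog` or `udp:514` rather than `cisco_asa`. The `host` field here comes from the syslog header (10.11.121.2), which is what a syslog-aware input would assign as well.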