
Cisco ASA Addon - No Event Types

Explorer

The add-on is installed correctly and functioning.

Data Input is defined as:

UDP/514, Source Type: cisco_asa, Index: firewall

I'm getting data (the event count increments in the Cisco Splunk App), but Event Types is empty.

Syslog on the ASA is set up at the Informational level.

Raw events in Splunk look like:

8/20/12 9:13:33.000 AM  Aug 20 09:13:33 10.11.121.2 %ASA-4-106023: Deny udp src inside:10.1.5.219/54057 dst outside:X.X.127.74/8102 by access-group "insideaccessin" [0x0, 0x0]
    host=10.11.121.2 | sourcetype=syslog | source=udp:514

The Source Type column under Data Inputs is confirmed as 'cisco_asa', but the sourcetype on the event itself says 'syslog'; not sure if that has anything to do with it.

Explorer

This time I tried the Cisco for Firewalls App and the Cisco Security Suite app.

STILL no events showing even though it is definitely logging:

This search has completed and found 7,504 matching events. However, the transforming commands in the highlighted portion of the following search:

search eventtype="ciscofirewall" | bin _time span=5m | search eventtype="ciscofirewall" | stats count by eventtype, srcip, destip, host,logleveldesc,event_desc, _time

over the time range: 8/20/12 5:27:16.000 PM – 8/21/12 5:27:16.000 AM
generated no results.

Again, lots of raw events in the log with the correct source_type:

1 » 8/21/12 5:29:44.000 AM  Aug 21 05:29:44 10.11.121.2 %ASA-6-302020: Built outbound ICMP connection for faddr x.x.81.124/0 gaddr x.x.247.193/28571 laddr 10.1.5.62/28571
    host=splunk | sourcetype=udp:514 | source=udp:514
2 » 8/21/12 5:29:44.000 AM  Aug 21 05:29:44 10.11.121.2 %ASA-6-305011: Built dynamic ICMP translation from any:10.1.5.62/28571 to outside:x.x.247.193/28571
    host=splunk | sourcetype=udp:514 | source=udp:514
3 » 8/21/12 5:29:44.000 AM  Aug 21 05:29:44 10.11.121.2 %ASA-6-305012: Teardown dynamic UDP translation from any:10.1.1.65/50482 to outside:x.x.247.193/50482 duration 0:00:30
    host=splunk | sourcetype=udp:514 | source=udp:514
4 » 8/21/12 5:29:44.000 AM  Aug 21 05:29:44 10.11.121.2 %ASA-6-305012: Teardown dynamic ICMP translation from any:10.1.5.62/61987 to outside:x.x.247.193/61987 duration 0:00:32

Splunk: 4.3.3 b128297
ASA: 8.4(4)


Explorer

Definitely agree that fields are not getting extracted, but I just don't know how to figure out why. I have a brand new ASA, so I'm wondering if there wasn't a change in the output.

That's why I included the raw output so maybe someone could compare to an older ASA version. Where would I go to see 'eventtype'/xxx_ip being populated?

In the Cisco Security App, I do a "search Cisco Firewall Recent Events" and it says 'eventtype=cisco_firewall' and then gives me 1000's of raw events. But the dashboard shows nothing - the events aren't being interpreted correctly.


Legend

Looks like your fields are not getting extracted properly. When you do just a regular 'raw' search, do you see fields like eventtype, srcip, destip etc being populated?

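Added example (not code from the thread, the Cisco add-on, or Splunk): a standalone Python script that does offline what the posters are trying to check inside Splunk. It runs the raw ASA lines quoted above through a small parser that produces the fields the pasted search expects (srcip, destip, logleveldesc), and pairs each line with the sourcetype Splunk actually stamped on it (syslog and udp:514 in the posts, versus the cisco_asa configured on the input). The sample events are constructed from the quoted lines with the same x.x masking; the severity names are Cisco's documented ASA syslog levels; the per-message-ID patterns cover only the four message IDs seen in the thread, and the src/dst mapping for 302020 assumes an outbound connection (laddr is the local source). That the app's eventtypes key on the sourcetype is an assumption of this example, not something the thread confirms; the point of the script is to separate "the ASA's format changed" from "the input is stamping the wrong sourcetype".

```python
import re
from collections import Counter

# Constructed sample events modelled on the raw lines quoted in the thread
# (public addresses masked as x.x, as in the post). Each entry pairs the _raw
# text with the sourcetype Splunk actually stamped on it.
SAMPLE_EVENTS = [
    ('Aug 20 09:13:33 10.11.121.2 %ASA-4-106023: Deny udp src inside:10.1.5.219/54057 '
     'dst outside:x.x.127.74/8102 by access-group "insideaccessin" [0x0, 0x0]', "syslog"),
    ("Aug 21 05:29:44 10.11.121.2 %ASA-6-302020: Built outbound ICMP connection for "
     "faddr x.x.81.124/0 gaddr x.x.247.193/28571 laddr 10.1.5.62/28571", "udp:514"),
    ("Aug 21 05:29:44 10.11.121.2 %ASA-6-305011: Built dynamic ICMP translation from "
     "any:10.1.5.62/28571 to outside:x.x.247.193/28571", "udp:514"),
    ("Aug 21 05:29:44 10.11.121.2 %ASA-6-305012: Teardown dynamic UDP translation from "
     "any:10.1.1.65/50482 to outside:x.x.247.193/50482 duration 0:00:30", "udp:514"),
    # Constructed: the same kind of event stamped with the sourcetype the input is configured for.
    ("Aug 21 05:30:00 10.11.121.2 %ASA-6-305012: Teardown dynamic ICMP translation from "
     "any:10.1.5.62/61987 to outside:x.x.247.193/61987 duration 0:00:32", "cisco_asa"),
]

# Sourcetype configured on the UDP/514 input in the question.
EXPECTED_SOURCETYPE = "cisco_asa"

# Cisco ASA syslog severity levels 0-7.
SEVERITY_DESC = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                 4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# %ASA-<severity>-<6-digit message id>: <body>
HEADER_RE = re.compile(r"%ASA-(?P<severity>[0-7])-(?P<msgid>\d{6}):\s*(?P<body>.*)$")

ADDR = r"[\w.-]+"  # accepts real dotted quads and the masked x.x.1.2 form used in the thread

# Body patterns for the message IDs seen in the thread only. Group names match the
# field names in the pasted search (srcip, destip).
BODY_RE = {
    # 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group ...
    "106023": re.compile(rf"src \S+?:(?P<srcip>{ADDR})/\d+ dst \S+?:(?P<destip>{ADDR})/\d+"),
    # 302020 (assumed outbound): faddr is the foreign/destination host, laddr the local source.
    "302020": re.compile(rf"faddr (?P<destip>{ADDR})/\d+ gaddr {ADDR}/\d+ laddr (?P<srcip>{ADDR})/\d+"),
    # 305011/305012: Built/Teardown dynamic translation from <if>:<ip>/<port> to <if>:<ip>/<port>
    "305011": re.compile(rf"from \S+?:(?P<srcip>{ADDR})/\d+ to \S+?:(?P<destip>{ADDR})/\d+"),
    "305012": re.compile(rf"from \S+?:(?P<srcip>{ADDR})/\d+ to \S+?:(?P<destip>{ADDR})/\d+"),
}


def parse_asa(raw):
    """Return the fields a firewall search expects from one raw ASA event, or None
    if the line does not carry a %ASA-x-nnnnnn header at all."""
    m = HEADER_RE.search(raw)
    if not m:
        return None
    sev = int(m.group("severity"))
    fields = {"severity": sev, "logleveldesc": SEVERITY_DESC[sev],
              "msgid": m.group("msgid"), "message": m.group("body")}
    body_re = BODY_RE.get(fields["msgid"])
    if body_re:
        bm = body_re.search(fields["message"])
        if bm:
            fields.update(bm.groupdict())
    return fields


def check_event(raw, sourcetype):
    """Combine the two checks the thread is circling: is the event stamped with the
    configured sourcetype, and do srcip/destip actually extract from the raw text?"""
    fields = parse_asa(raw) or {}
    return {
        "sourcetype": sourcetype,
        "sourcetype_ok": sourcetype == EXPECTED_SOURCETYPE,
        "fields_ok": "srcip" in fields and "destip" in fields,
        "fields": fields,
    }


def diagnose(events):
    """Summarise a batch of (raw, sourcetype) pairs. If every line parses but almost
    none carries the expected sourcetype, the ASA's output format is fine and the
    problem is on the Splunk input side."""
    results = [check_event(raw, st) for raw, st in events]
    return {
        "total": len(events),
        "by_sourcetype": dict(Counter(st for _, st in events)),
        "parsed": sum(r["fields_ok"] for r in results),
        "usable": sum(r["sourcetype_ok"] and r["fields_ok"] for r in results),
    }


if __name__ == "__main__":
    for raw, st in SAMPLE_EVENTS:
        r = check_event(raw, st)
        print(f"{st:10} sourcetype_ok={str(r['sourcetype_ok']):5} fields_ok={r['fields_ok']} "
              f"srcip={r['fields'].get('srcip')} destip={r['fields'].get('destip')} "
              f"level={r['fields'].get('logleveldesc')}")
    print(diagnose(SAMPLE_EVENTS))
```

Run against the constructed sample, all five lines parse (srcip, destip and logleveldesc populate for every one, so the ASA 8.4(4) message format is not the obstacle), but only the one event stamped cisco_asa would pass both checks; the four copied from the thread carry syslog or udp:514, which is the discrepancy the first post already noticed between the Data Inputs page and the sourcetype shown on the events.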