Getting Data In

Cisco ASA logging format change

mamborn
Explorer

It looks like with 8.3 of Cisco ASA software the logging format has changed some.
Old Version:
Mar 15 13:39:13 192.168.1.1 %ASA-6-302015: Built inbound UDP connection 80311398 for External:192.168.2.29/64493 (192.168.2.29/64493) to Internal:192.168.100.1/53 (192.168.100.1/53) (RobinM)

New Format:
Mar 15 13:39:15 192.168.100.100 :%ASA-session-6-302021: Teardown ICMP connection for faddr 172.16.49.19/768 gaddr 192.168.162.2/0 laddr 192.168.162.2/0

The ":%ASA-session" is what has changed. Is there a easy way to fix/modify the inputs. The pre-canned reports don't find the new log entries, and the field extractions are not correct. You can still search manually through splunk though.

amalamalpm
New Member

Try the following command

   no logging emblem

Actually there is no change in format.
Please reply to this, if it is correct or not.

0 Karma

stevechege
New Member

Thanks, this helped a lot. I had two instances of Splunk and the transforms.conf fixed the formatting issue. Without the fix, it was hard to search for source/destination ports and source/destination IPs.

Older version (after upgrade to version 6.0):

nano /opt/splunk/etc/apps/Splunk_CiscoFirewalls/local/transforms.conf

Newer version:

nano /opt/splunk/etc/apps/Splunk_for_CiscoASA/local/transforms.conf

0 Karma

moorebj
New Member

This worked. I had upgraded to 5.0 in Jan and did not notice my cisco_asa source type was missing until I ran an old report today. I put in the transform and restarted and all is well.

0 Karma

tmeader
Contributor

I found the problem. The issue isn't the colon in front of the %ASA, it's that the hyphen after it isn't followed by a number anymore. Here's the built-in transform:

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d+-\d+
FORMAT = sourcetype::cisco_asa

Note "%ASA-\d+-\d+". Your old data HAD %ASA-[numbers]-[numbers], whereas your new format has characters, not numerals, instead.

Under /Splunk_Home/etc/apps/[Cisco_app]/local/, create a file called "transforms.conf" and add in the following:

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\w+-\w+
FORMAT = sourcetype::cisco_asa

Save that and then restart Splunk. That should take care of it. Let me know if that works for you or not.

kefoster
Engager

This got me up and running!

0 Karma

cvajs
Contributor

ah, good find.

0 Karma

mamborn
Explorer

They are not coming in as sourcetype cisco_asa, and the field extractions are not showing.

0 Karma

cvajs
Contributor

The events don't come in as a source type, they get matched as a source type.

0 Karma

cvajs
Contributor

I am a newb with Splunk, but can't you use SED in props.conf to replace ":%ASA-session" with "%ASA"?

[source::your-crisco-source]
SEDCMD-fix = s/:%ASA-session/%ASA/g

0 Karma

cvajs
Contributor

This forum is a pita because it takes a single \ as a special char, so you need to escape them.

%ASA-\w+-\d+-\d+ or even %ASA-\S+:

because these will limit the cisco fw match to just the new version syntax vs using a match that matches new and old.

Use %ASA-(\w+-)?[67]-\d+

I suggested SED to convert the new syntax back to the old so everything works as is, since everything was originally coded for the old ASA syntax, etc.

0 Karma

kenth
Splunk Employee

Why replace it when you can just match it with:

%ASA-\w+-\d+-\d+ or even %ASA-\S+:

I haven't tried the latter one though.

0 Karma
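
To see why the shipped transform misses the 8.3+ events and which of the regexes proposed in this thread (tmeader's loosened REGEX, cvajs's and kenth's alternatives, and cvajs's SEDCMD rewrite) match both formats, here is an added Python check that is not from the thread or the Splunk Cisco app. It runs each REGEX against the two sample events quoted above; the Splunk transform applies REGEX as an unanchored search, which Python's re.search reproduces for these patterns.

```python
import re

# Constructed sample events, copied from the two formats quoted in the thread.
OLD_EVENT = ("Mar 15 13:39:13 192.168.1.1 %ASA-6-302015: Built inbound UDP connection "
             "80311398 for External:192.168.2.29/64493 (192.168.2.29/64493) to "
             "Internal:192.168.100.1/53 (192.168.100.1/53) (RobinM)")
NEW_EVENT = ("Mar 15 13:39:15 192.168.100.100 :%ASA-session-6-302021: Teardown ICMP "
             "connection for faddr 172.16.49.19/768 gaddr 192.168.162.2/0 "
             "laddr 192.168.162.2/0")

# REGEX values as posted in the thread, keyed by who proposed them.
SOURCETYPE_REGEXES = {
    "builtin": r"%ASA-\d+-\d+",          # shipped transform: numerals only
    "tmeader": r"%ASA-\w+-\w+",          # word characters, so "session" passes
    "cvajs":   r"%ASA-(\w+-)?[67]-\d+",  # optional facility segment, severity 6/7 only
    "kenth":   r"%ASA-\S+:",             # anything non-space up to the colon
}


def matches_sourcetype(regex: str, event: str) -> bool:
    """Emulate force_sourcetype_for_cisco_asa: an unanchored REGEX hit means the
    event would be assigned sourcetype::cisco_asa; no hit leaves it as udp:514."""
    return re.search(regex, event) is not None


def match_table(events: dict) -> dict:
    """Return {regex_name: {event_name: matched}} for every regex/event pair."""
    return {name: {ev_name: matches_sourcetype(rx, ev) for ev_name, ev in events.items()}
            for name, rx in SOURCETYPE_REGEXES.items()}


def apply_sedcmd(event: str) -> str:
    """Emulate cvajs's props.conf line  SEDCMD-fix = s/:%ASA-session/%ASA/g  on _raw,
    rewriting the 8.3+ prefix back to the old one so the shipped REGEX matches again."""
    return re.sub(r":%ASA-session", "%ASA", event)


if __name__ == "__main__":
    table = match_table({"old": OLD_EVENT, "new": NEW_EVENT})
    for name, result in table.items():
        print(f"{name:8s} old={result['old']!s:5s} new={result['new']!s:5s}")
    rewritten = apply_sedcmd(NEW_EVENT)
    print("after SEDCMD, builtin matches new event:",
          matches_sourcetype(SOURCETYPE_REGEXES["builtin"], rewritten))
```

Only the built-in pattern fails on the new event; the three proposed patterns match both formats, and the SEDCMD rewrite makes the built-in pattern match again without touching transforms.conf.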

mamborn
Explorer

I have two ASA firewalls logging to the splunk server. The older version 8.0.3 logs correctly and the sourcetype gets set to cisco_asa.

On the newer version 8.4.2, the sourcetype gets set to udp:514.

I modified the eventtypes and that didn't seem to change it either.

[root@linux2 local]# more eventtypes.conf
[cisco_firewall]
search = %ASA OR %PIX OR %FWSM OR :%ASA

So the reports etc that are pre-canned don't find the data.

0 Karma

tmeader
Contributor

So you're saying that, even with just a regular search in Splunk (not a canned report from the Cisco Apps) for data from these hosts, even though they are still showing up as sourcetype of cisco_asa, the fields are no longer being extracted properly?

0 Karma

tmeader
Contributor

Were they coming in previously as "sourcetype=cisco_asa" and working properly? Looking at the default props.conf and transforms.conf in the Cisco for Firewalls addon, there's nothing in there that that ":" should've messed up at all.

0 Karma