Getting Data In

Cisco ASA - splunk not recognizing individual hosts from logs

ceisecurity
New Member

Here is my log snippet:

Jul 15 2013 13:14:14 **** : %ASA-6-302013: Built outbound TCP connection 248531691 for outside:205.251.242.188/80 (205.251.242.188/80) to inside:10.176.75.16/20060 (172.20.1.7/49265)

My question is, is how to I get splunk to recognize the true source and destination (hosts)? Right now, it only sees the firewall as the host.

I have a few Cisco apps install but none seem to give me what I need.

Thanks in advance

Tags (4)
0 Karma
1 Solution

srioux
Communicator

The true source for those logs is the firewall itself - that'd likely be what's sending in the syslog entries. If you want the Source IP / Destination IP from the data, you can use the packaged Cisco App field extractions, or build your own.

Example:

%ASA-6-302013:.*?for\s(?<SourceInterface>.*?):(?<SourceIp>\d+\.\d+\.\d+\.\d+)/(?<SourcePort>\d+)\s.*?to\s(?<DestinationInterface>.*?):(?<DestinationIp>\d+\.\d+\.\d+\.\d+)/(?<DestinationPort>\d+)

View solution in original post

0 Karma

srioux
Communicator

The true source for those logs is the firewall itself - that'd likely be what's sending in the syslog entries. If you want the Source IP / Destination IP from the data, you can use the packaged Cisco App field extractions, or build your own.

Example:

%ASA-6-302013:.*?for\s(?<SourceInterface>.*?):(?<SourceIp>\d+\.\d+\.\d+\.\d+)/(?<SourcePort>\d+)\s.*?to\s(?<DestinationInterface>.*?):(?<DestinationIp>\d+\.\d+\.\d+\.\d+)/(?<DestinationPort>\d+)
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...