
Cisco Firewalls Add-on host recognition problem

Narj
Path Finder

Hi all,

I've got the Cisco Firewall Addon (latest version with Security Suite) in and working, however I notice that it isn't recognising the host name properly; all events are showing as being from the box that my light forwarder is on. (host=myforwarderboxname)

It looks like this stanza in the transforms.conf will be the issue

[cisco_firewall_hostoverride]
DEST_KEY = MetaData:Host
REGEX = \S+\t\S+\s(.*)\t+
FORMAT = host::$1

However, I tried changing the regex to \s\d+:\d+:\d+\s(.*)\s\% (works on a field extraction) and restarting but this didn't work.

View source from splunk shows:

Sep 18 13:10:02 myfirewall %ASA-6-302014: Teardown TCP connection 54647599 for outside....

Is anyone else doing the same thing, and if so, how did you fix it? 🙂

Thanks!

EDIT:

Right, after some brain-ache, I found that I can fix this by editing:

/opt/splunk/etc/apps/Splunk_CiscoFirewalls/default/props.conf

And appending syslog-host on the end of the first transforms line, e.g.:

[source::...cisco]

TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall, syslog-host

There must be a foolproof way of doing this... I know that if I upgrade the app, then this will probably get wiped out.

Do I need to add a one-liner in the local folder in a new props.conf?

i.e.: TRANSFORMS-syslog-host


emotz
Splunk Employee

Why not put the props entry in
/opt/splunk/etc/apps/Splunk_CiscoFirewalls/local/props.conf so it isn't overwritten after upgrade.

[source::...cisco]
TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall, syslog-host

You can always remove the ones you don't want it to call as well.


Narj
Path Finder

Many thanks! Much appreciated. 🙂


emotz
Splunk Employee

Yes - local always overrides default.
Yes, you can put in a blank stanza if needed.
Docs explain who wins here ->
http://docs.splunk.com/Documentation/Splunk/5.0.4/admin/Wheretofindtheconfigurationfiles


Narj
Path Finder

Thanks, that sounds like it'll work better! If there is a duplicate entry in the local folder, I take it that overrides the default one?

How do I effectively "remove" an entire stanza in the "local" version of the file, by the way? Just add a blank stanza by the same name or something?


Narj
Path Finder

Just noticed that this ASA app has a catch-all transform for cisco, which could be problematic!

[force_sourcetype_for_cisco_catchall]
DEST_KEY = MetaData:Sourcetype
REGEX = :\s\%((SNMP|CDP|FAN|LINE|LINEPROTO|RTD|SYS|C\d+_[^-]+)-\d+-\S+)
FORMAT = sourcetype::cisco

That's not really an exhaustive list so you can end up with split sourcetype for cisco kit... I've commented that out for now, but as above... if there's a more elegant way to override this, I'd appreciate some advice.

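To see why the add-on's host override never fires on the event quoted in the first post, and how the catch-all above only re-tags the facilities in its alternation, here is an added Python check (not part of the thread or the add-on) that emulates a transforms.conf stanza over sample events; the syslog-host style regex and the two IOS lines are assumptions constructed for the test, not Splunk's own.

```python
import re

# Constructed from the thread: the ASA event shown by "View source" in the
# original post, plus two made-up IOS-style lines to exercise the catch-all.
ASA_EVENT = "Sep 18 13:10:02 myfirewall %ASA-6-302014: Teardown TCP connection 54647599 for outside...."
IOS_SYS_EVENT = "Sep 18 13:10:05 myswitch 123: %SYS-5-CONFIG_I: Configured from console by admin"
IOS_LINK_EVENT = "Sep 18 13:10:06 myswitch 124: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"

# The two transforms.conf stanzas quoted in the thread, as dicts.
CISCO_FIREWALL_HOSTOVERRIDE = {
    "DEST_KEY": "MetaData:Host",
    "REGEX": r"\S+\t\S+\s(.*)\t+",
    "FORMAT": "host::$1",
}
FORCE_SOURCETYPE_FOR_CISCO_CATCHALL = {
    "DEST_KEY": "MetaData:Sourcetype",
    "REGEX": r":\s\%((SNMP|CDP|FAN|LINE|LINEPROTO|RTD|SYS|C\d+_[^-]+)-\d+-\S+)",
    "FORMAT": "sourcetype::cisco",
}
# Assumed stand-in for a syslog-host style transform (NOT Splunk's own regex):
# take the first token after the "Mon DD HH:MM:SS" syslog timestamp.
SYSLOG_HOST_LIKE = {
    "DEST_KEY": "MetaData:Host",
    "REGEX": r"^\w{3}\s+\d+\s\d+:\d+:\d+\s+(\S+)\s",
    "FORMAT": "host::$1",
}

def apply_transform(stanza, event):
    """Emulate one Splunk transform: search REGEX in the raw event; on a match,
    expand $1..$n in FORMAT and return (DEST_KEY, value). No match -> None,
    which for MetaData:Host means the forwarder's own host name is kept."""
    m = re.search(stanza["REGEX"], event)
    if m is None:
        return None
    value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), stanza["FORMAT"])
    return stanza["DEST_KEY"], value

def check_thread_events():
    """Run the thread's stanzas over the sample events; returns a dict of results."""
    return {
        # The tabs the add-on's regex requires are absent -> no override (the bug).
        "hostoverride_on_asa": apply_transform(CISCO_FIREWALL_HOSTOVERRIDE, ASA_EVENT),
        # A syslog-host style regex picks up the firewall name instead.
        "syslog_host_on_asa": apply_transform(SYSLOG_HOST_LIKE, ASA_EVENT),
        # %SYS is in the alternation so the catch-all fires; %LINK is not, so
        # that IOS event keeps its default sourcetype (the split the post warns about).
        "catchall_on_sys": apply_transform(FORCE_SOURCETYPE_FOR_CISCO_CATCHALL, IOS_SYS_EVENT),
        "catchall_on_link": apply_transform(FORCE_SOURCETYPE_FOR_CISCO_CATCHALL, IOS_LINK_EVENT),
    }

if __name__ == "__main__":
    print(check_thread_events())
```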