Getting Data In

Cisco Router ACL Logs - How to Utilize in Cisco Security App?

umpiloto
Engager

Hi All -

Just discovered Splunk, and I must say it's an amazing tool.

I've configured a router to send syslog messages to Splunk, and they are indeed being collected.
I've also installed the Cisco security app along with a few of its sub-apps.
The Cisco firewall app, though, doesn't seem to be able to read any of the data generated by the ACL deny log entries generated by my router. It seems these syslog entries are not in the same format as those which would be generated by a true ASA or PIX firewall. Still, I have all sorts of source IP / port and dest IP / port entries, so there is so much potential here! Any ideas on how I could make my current data readable by the Cisco Security Splunk app would be very much appreciated.

Thanks

cphnetworkguy
New Member

I did like this:
severity=* index=ciscoios vendor_category="IP security"
| stats count(ACL_action) AS Amount BY host,ACL_name,ACL_serviceport,ACL_sourceip,ACL_destinationip,ACL_action
| table host Amount ACL_name,ACL_action,ACL_serviceport,ACL_sourceip,ACL_destinationip

Then you just have to make your variables match your setup. I have done it like this:
severity=* index=ciscoios vendor_category="IP security"
| stats count(ACL_action) AS Amount BY host,ACL_name,ACL_serviceport,ACL_sourceip,ACL_destinationip,ACL_action
| table host Amount ACL_name,ACL_action,ACL_serviceport,ACL_sourceip,ACL_destinationip

But you need to extract the fields so they match the names of the variables you use.

0 Karma

tbaschak
Explorer

What you need to do is field extract the same fields from the IOS ACL deny log entries. I've used the following quick rex's in the past to dig info from ACLs.

host="someIOSfirewall" "%SEC-6-IPACCESSLOGP" | rex field=_raw "list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dest_address>\d+\.\d+\.\d+\.\d+)\((?<dest_port>\d+)\)" | chart sparkline count by src_address

host="someIOSfirewall" "%SEC-6-IPACCESSLOGP" | rex field=_raw "list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dest_address>\d+\.\d+\.\d+\.\d+)\((?<dest_port>\d+)\)" | lookup geoip clientip as src_address | chart sparkline count by client_country | sort -count

Just make the field names match what it is expecting, and the type to match, and you'll be set.

0 Karma

tbaschak
Explorer

You'd actually want to do this with a field extraction, but you could test the field extraction with the rex, though.
Something like this in your local/props.conf:

[host::x.y.z.b]
EXTRACT-ios_acl_deny = list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dest_address>\d+\.\d+\.\d+\.\d+)\((?<dest_port>\d+)\)

You'll need to customize the extracted field names to match.

0 Karma
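The extraction the two replies above describe (named capture groups over the IOS ACL log line), carried through in Python as an added example that is not from this thread, from Splunk, or from the Cisco app. It covers the three IOS message IDs for ACL logging (IPACCESSLOGP for TCP/UDP with ports, IPACCESSLOGDP for ICMP with type/code, IPACCESSLOGNP for other protocols by number) over constructed sample syslog lines, using the field names from the replies (ip_proto, src_address, src_port); dest_address, dest_port, acl_name, action and packets are names assumed here. It also sums the router's own packet counter instead of counting log lines, because IOS logs the first matching packet immediately and then emits a summary line ("N packets") for each five-minute interval, so a plain count of events undercounts the traffic.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the IOS ACL log format (not taken from the thread).
SAMPLE_LOGS = [
    "<190>45: Jan 10 12:00:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(51515) -> 198.51.100.5(22), 1 packet",
    "<190>46: Jan 10 12:00:02.456: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.11(1025) -> 198.51.100.5(161), 1 packet",
    "<190>47: Jan 10 12:05:01.789: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(51516) -> 198.51.100.5(22), 37 packets",
    "<190>48: Jan 10 12:05:03.000: %SEC-6-IPACCESSLOGDP: list OUTSIDE-IN denied icmp 192.0.2.12 -> 198.51.100.5 (8/0), 4 packets",
    "<190>49: Jan 10 12:05:04.000: %SEC-6-IPACCESSLOGNP: list OUTSIDE-IN denied 47 192.0.2.13 -> 198.51.100.5, 1 packet",
    "<190>50: Jan 10 12:05:05.000: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 203.0.113.7(40000) -> 198.51.100.9(443), 1 packet",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One pattern per IOS message ID. Group names ip_proto/src_address/src_port follow the
# replies above; acl_name, action, dest_address, dest_port and packets are assumed names.
ACL_LOG_PATTERNS = [
    # IPACCESSLOGP: TCP/UDP, source and destination ports in parentheses
    re.compile(
        r"%SEC-6-IPACCESSLOGP: list (?P<acl_name>\S+) (?P<action>permitted|denied) "
        r"(?P<ip_proto>[a-zA-Z]+) (?P<src_address>" + IPV4 + r")\((?P<src_port>\d+)\) -> "
        r"(?P<dest_address>" + IPV4 + r")\((?P<dest_port>\d+)\), (?P<packets>\d+) packets?"
    ),
    # IPACCESSLOGDP: ICMP, "(type/code)" follows the destination address
    re.compile(
        r"%SEC-6-IPACCESSLOGDP: list (?P<acl_name>\S+) (?P<action>permitted|denied) "
        r"(?P<ip_proto>icmp) (?P<src_address>" + IPV4 + r") -> "
        r"(?P<dest_address>" + IPV4 + r") \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\), (?P<packets>\d+) packets?"
    ),
    # IPACCESSLOGNP: any other protocol, given by IP protocol number, no ports
    re.compile(
        r"%SEC-6-IPACCESSLOGNP: list (?P<acl_name>\S+) (?P<action>permitted|denied) "
        r"(?P<ip_proto>\d+) (?P<src_address>" + IPV4 + r") -> "
        r"(?P<dest_address>" + IPV4 + r"), (?P<packets>\d+) packets?"
    ),
]


def parse_acl_log(line):
    """Return a dict of extracted fields, or None if the line is not an IOS ACL log message."""
    for pattern in ACL_LOG_PATTERNS:
        match = pattern.search(line)
        if match:
            fields = match.groupdict()
            fields["packets"] = int(fields["packets"])
            for key in ("src_port", "dest_port", "icmp_type", "icmp_code"):
                if key in fields:
                    fields[key] = int(fields[key])
            return fields
    return None


def summarize_denies(lines):
    """Sum the router's packet counter per (src, dest, proto, dest_port) for denied traffic.

    IOS logs the first matching packet at once and then one summary line per
    five-minute interval carrying the interval's packet count, so summing the
    'packets' field gives the traffic volume that counting lines would miss.
    """
    totals = Counter()
    for line in lines:
        fields = parse_acl_log(line)
        if fields is None or fields["action"] != "denied":
            continue
        key = (fields["src_address"], fields["dest_address"], fields["ip_proto"], fields.get("dest_port"))
        totals[key] += fields["packets"]
    return totals


if __name__ == "__main__":
    for (src, dst, proto, port), packets in summarize_denies(SAMPLE_LOGS).most_common():
        print(f"{src} -> {dst} {proto}/{port}: {packets} packets denied")
```

The three regexes are the same shape as the props.conf EXTRACT above, so once they match your router's lines in Python they can be moved across unchanged; the only Splunk-side difference is that the `(?P<name>...)` groups are written `(?<name>...)` there.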

robinjames
New Member

Thanks for your reply! I was looking for this answer as well... I'm new to this, so your answer looks like Greek to me, but hopefully I can figure it out.

Where would I place rex's like those to have the Cisco Suite pick up those fields?

0 Karma