Cisco Router ACL Logs - How to Utilize in Cisco Security App?

Engager

Hi All -

Just discovered Splunk, and I must say it's an amazing tool.

I've configured a router to send syslog messages to Splunk, and they are indeed being collected.
I've also installed the Cisco security app along with a few of its sub-apps.
The Cisco firewall app, though, doesn't seem to be able to read any of the data generated by the ACL deny log entries generated by my router. It seems these syslog entries are not in the same format as those which would be generated by a true ASA or PIX firewall. Still, I have all sorts of source IP / port and dest IP / port entries, so there is so much potential here! Any ideas on how I could make my current data readable by the Cisco Security Splunk app would be very much appreciated.

Thanks

New Member

I did like this:
severity=* index=ciscoios vendor_category="IP security"
| stats count(ACL_action) AS Amount BY host,ACL_name,ACL_serviceport,ACL_sourceip,ACL_destinationip,ACL_action
| table host Amount ACL_name,ACL_action,ACL_serviceport,ACL_sourceip,ACL_destinationip

Then you just have to make your variables so they match your setup. I have done it like this:
severity=* index=ciscoios vendor_category="IP security"
| stats count(ACL_action) AS Amount BY host,ACL_name,ACL_serviceport,ACL_sourceip,ACL_destinationip,ACL_action
| table host Amount ACL_name,ACL_action,ACL_serviceport,ACL_sourceip,ACL_destinationip

But you need to extract the fields so they match the names of the variables you use.

0 Karma

Explorer

What you need to do is field extract the same fields from the IOS ACL deny log entries. I've used the following quick rex's in the past to dig info from ACLs.

host="someIOSfirewall" %SEC-6-IPACCESSLOGP | rex field=_raw "list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dest_address>\d+\.\d+\.\d+\.\d+)\((?<dest_port>\d+)\)" | chart sparkline count by src_address

host="someIOSfirewall" %SEC-6-IPACCESSLOGP | rex field=_raw "list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dest_address>\d+\.\d+\.\d+\.\d+)\((?<dest_port>\d+)\)" | lookup geoip clientip as src_address | chart sparkline count by client_country | sort -count

Just make the field names match what it is expecting, and the type to match, and you'll be set.

0 Karma

Explorer

You'd actually want to do this with a field extraction, but you could test the field extraction with the rex, though.
Something like this in your local/props.conf

[host::x.y.z.b]
EXTRACT-ip_proto,src_address,src_port,etc = "list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dest_address>\d+\.\d+\.\d+\.\d+)\((?<dest_port>\d+)\)"

You'll need to customize the extracted field names to match.

0 Karma
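A worked version of the extraction the two answers above describe, added here as an example that is not from the thread or from the Cisco app: a small Python parser (not Splunk SPL) applies the same regex to constructed IOS %SEC-6-IPACCESSLOGP lines and tallies denies per source, the way `chart count by src_address` does. It generalizes slightly by capturing the ACL name and the permit/deny action instead of hard-coding `list 101 denied`; the names ip_proto, src_address and src_port come from the answers, while dest_address, dest_port, acl_name, acl_action and packets are assumed names.

```python
import re
from collections import Counter

# Assumed field names: dest_address, dest_port, acl_name, acl_action, packets.
# Splunk's rex uses PCRE syntax "(?<name>...)"; Python's re uses "(?P<name>...)".
# Unlike the thread's regex, this captures the ACL name and the action rather
# than hard-coding "list 101 denied", so permit logs are parsed as well.
IOS_ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl_name>\S+) (?P<acl_action>denied|permitted) "
    r"(?P<ip_proto>[a-zA-Z]+) "
    r"(?P<src_address>\d+\.\d+\.\d+\.\d+)\((?P<src_port>\d+)\) -> "
    r"(?P<dest_address>\d+\.\d+\.\d+\.\d+)\((?P<dest_port>\d+)\)"
    r"(?:, (?P<packets>\d+) packets?)?"
)

# Constructed sample syslog lines in the IOS %SEC-6-IPACCESSLOGP format; not real traffic.
SAMPLE_LOGS = [
    "Mar  1 12:00:01 10.0.0.1 123: *Mar  1 12:00:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(44231) -> 192.0.2.10(22), 1 packet",
    "Mar  1 12:00:02 10.0.0.1 124: *Mar  1 12:00:02.456: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.5(53002) -> 192.0.2.10(161), 3 packets",
    "Mar  1 12:00:03 10.0.0.1 125: *Mar  1 12:00:03.789: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(51000) -> 192.0.2.10(443), 1 packet",
    "Mar  1 12:00:04 10.0.0.1 126: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

def parse_ios_acl(line):
    """Return the extracted ACL fields as a dict, or None if the line is not an ACL log."""
    m = IOS_ACL_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("src_port", "dest_port"):
        fields[key] = int(fields[key])
    fields["packets"] = int(fields["packets"]) if fields["packets"] else 1
    return fields

def count_denies_by_src(lines):
    """Equivalent of the thread's `chart count by src_address`, restricted to denies."""
    counts = Counter()
    for line in lines:
        f = parse_ios_acl(line)
        if f and f["acl_action"] == "denied":
            counts[f["src_address"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_ios_acl(line))
    print(count_denies_by_src(SAMPLE_LOGS))
```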

New Member

Thanks for your reply! I was looking for this answer as well... I'm new to this, so your answer looks like Greek to me, but hopefully I can figure it out.

Where would I place rex's like those to have the Cisco Suite pick up those fields?

0 Karma