Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I get Splunk for Cisco ASA to recognize names for src or dest?

ronogle
Explorer
‎12-18-2014 07:55 AM

Our Cisco ASA logs sometimes contain names that represent objects instead of the IP address.

Example:
Dec 18 05:37:49 10.163.19.1 %ASA-6-302013: Built outbound TCP connection 1372634579 for outside:54.235.189.180/443 (54.235.189.180/443) to inside:IND062GFP016/29631 (216.37.41.4/56892)

In this example, you'll see IND062GFP016 instead of an IP address (in this case for a src). I know that we could put in all of our Cisco configs the command "no names" to remove the names. However, when I looked at the CIM, it shows that the src/dest (Network Traffic data model) is a string that can represent an IPv4, IPv6, or a name.

I created new regex statements to pull out the name and alias it to either the src or dest fields. However, now my threatlist reports are not working correctly.

So my questions are:
1. Can we really use names instead of IPs?
2. If we can, then is the other parts like threatlist searches broke?
3. Are my fixes for the props.conf correct or should they be in transforms.conf?

props.conf:
EXTRACT-dest_name-dest_port = (?i)to\s(\S+?):(?P[a-z0-9_-]+?)\/(?P\d+)
EXTRACT-dest_name = (?i)to\s(\S+?):(?P[a-z0-9_-]+?)\s
EXTRACT-src_name-src_port = (?i)for\s(\S+?):(?P[a-z0-9_-]+?)\/(?P\d+)

FIELDALIAS-src_for_cisco_asa_name = src_name as src
FIELDALIAS-dest_for_cisco_asa_name = dest_name as dest

0 Karma
Reply

mikaelbje
Motivator
‎12-18-2014 09:05 AM
  1. Yes, you can use names, but in order to use threat lists you might have to do a DNS lookup on the particular hostname to get the IP. I don't believe the ASA app accounts for this case.
  2. See 1
  3. EXTRACTs are perfectly valid, but since the app already uses transforms I'd advise you to put your regexes in transforms.conf and reference them in props.conf with REPORT-class_name = stanza_name_in_transforms.conf

Sensible stanza names might be cisco_destination_hostname_port, cisco_destination and cisco_source_hostname_port or just use the regexes already in transforms.conf as a base. An easy way to test your regex is through a site like Rubular.com

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top