How do I get Splunk for Cisco ASA to recognize names for src or dest?

ronogle
Explorer

Our Cisco ASA logs sometimes contain names that represent objects instead of the IP address.

Example:
Dec 18 05:37:49 10.163.19.1 %ASA-6-302013: Built outbound TCP connection 1372634579 for outside:54.235.189.180/443 (54.235.189.180/443) to inside:IND062GFP016/29631 (216.37.41.4/56892)

In this example, you'll see IND062GFP016 instead of an IP address (in this case for a src). I know that we could put in all of our Cisco configs the command "no names" to remove the names. However, when I looked at the CIM, it shows that the src/dest (Network Traffic data model) is a string that can represent an IPv4, IPv6, or a name.

I created new regex statements to pull out the name and alias it to either the src or dest fields. However, now my threatlist reports are not working correctly.

So my questions are:
1. Can we really use names instead of IPs?
2. If we can, then are the other parts, like threatlist searches, broken?
3. Are my fixes for props.conf correct, or should they be in transforms.conf?

props.conf:
EXTRACT-dest_name-dest_port = (?i)to\s(\S+?):(?P<dest_name>[a-z0-9_-]+?)\/(?P<dest_port>\d+)
EXTRACT-dest_name = (?i)to\s(\S+?):(?P<dest_name>[a-z0-9_-]+?)\s
EXTRACT-src_name-src_port = (?i)for\s(\S+?):(?P<src_name>[a-z0-9_-]+?)\/(?P<src_port>\d+)

FIELDALIAS-src_for_cisco_asa_name = src_name as src
FIELDALIAS-dest_for_cisco_asa_name = dest_name as dest

0 Karma

mikaelbje
Motivator
  1. Yes, you can use names, but in order to use threat lists you might have to do a DNS lookup on the particular hostname to get the IP. I don't believe the ASA app accounts for this case.
  2. See 1
  3. EXTRACTs are perfectly valid, but since the app already uses transforms I'd advise you to put your regexes in transforms.conf and reference them in props.conf with REPORT-class_name = stanza_name_in_transforms.conf

Sensible stanza names might be cisco_destination_hostname_port, cisco_destination and cisco_source_hostname_port, or just use the regexes already in transforms.conf as a base. An easy way to test your regex is through a site like Rubular.com.

0 Karma
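The extraction and threatlist gap discussed in the answer above, worked as an added Python example (not code from the question, the answer, or the Splunk ASA app): it ports the question's regexes to capture either an IP or an object name as src/dest from the quoted log line, then shows that a threatlist comparison only fires once a name has been resolved to an IP. The object-name map and the threatlist are constructed stand-ins.

```python
import ipaddress
import re

# Constructed sample: the ASA line quoted in the question, unchanged.
SAMPLE = ("Dec 18 05:37:49 10.163.19.1 %ASA-6-302013: Built outbound TCP connection "
          "1372634579 for outside:54.235.189.180/443 (54.235.189.180/443) "
          "to inside:IND062GFP016/29631 (216.37.41.4/56892)")

# Generalisation of the question's EXTRACT regexes: its [a-z0-9_-] class only
# matches an object name, so this captures IP or name as src/dest and classifies
# afterwards. Python's re uses the same (?P<name>...) group syntax as Splunk.
ENDPOINT = (r"{kw}\s(?P<{p}_interface>\S+?):(?P<{p}>[A-Za-z0-9_.-]+)/(?P<{p}_port>\d+)"
            r"\s\((?P<{p}_translated_ip>[0-9A-Fa-f.:]+)/(?P<{p}_translated_port>\d+)\)")
SRC_RE = re.compile(ENDPOINT.format(kw="for", p="src"))
DEST_RE = re.compile(ENDPOINT.format(kw="to", p="dest"))

def parse_endpoints(event):
    """Return the src*/dest* fields as Splunk would extract them, or None."""
    fields = {}
    for rx in (SRC_RE, DEST_RE):
        m = rx.search(event)
        if not m:
            return None
        fields.update(m.groupdict())
    return fields

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

# Constructed stand-ins: object name -> real address (what the ASA "names"
# command hides; a lookup or DNS would supply this) and a threatlist feed.
OBJECT_NAMES = {"IND062GFP016": "10.163.19.57"}
THREATLIST = {"54.235.189.180", "10.163.19.57"}

def threat_hits(event, names=OBJECT_NAMES, threatlist=THREATLIST):
    """Return (hits, unresolved): hits maps field -> matched IP; unresolved lists
    fields whose object name could not be turned into an IP, which is exactly
    where an IP-only threatlist search misses the event."""
    fields = parse_endpoints(event)
    hits, unresolved = {}, []
    if fields is None:
        return hits, unresolved
    for f in ("src", "dest"):
        value = fields[f]
        ip = value if is_ip(value) else names.get(value)
        if ip is None:
            unresolved.append(f)
        elif ip in threatlist:
            hits[f] = ip
    return hits, unresolved
```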