How about this?
sourcetype="cisco:asa" | stats count BY rule
If you are using Identity Based Firewall and have the users identified by the ASA try this search:
sourcetype="cisco:asa" | chart count OVER rule BY user
These searches will work if you have the Cisco ASA Add-on installed.
See http://docs.splunk.com/Documentation/Splunk/6.2.2/Report/Createandeditreports for a primer on creating reports.
I ended up with a very large result with the basic count search, so I added a couple of things to ignore, so instead of:
sourcetype="cisco:asa" | chart count OVER rule BY user
I went with:
sourcetype="cisco:asa" description!="Warning conditions" description!="Normal but significant conditions" | chart count OVER rule BY user
This returns error and Immediate action needed results only. I don't ignore the others, I just don't run the count with those included as often. Basically I run the immediate action needed and error type daily and the full count weekly.
Hi there,
Thank you for the reply, but my Splunk only has sourcetype=syslog. I don't get any results for the 2 queries you have given. Do I need to install the Cisco Add-on to get any meaningful information like that?
We have Juniper firewalls as well and for them no new add-on was required. Maybe Cisco logs differently.
Thank you nevertheless. If you have any other ideas, let me know and I will try the add-on as well.
Yes, that add-on will provide the necessary field extractions for ASA. There are add-ons for other technologies too. They offer similar functionality.
Using the add-ons saves you time creating regular expressions.
I don't have any experience with Juniper, but do a search for the app and you're likely to find something that works.
Link to the ASA Add-on: https://splunkbase.splunk.com/app/1620/
Other apps you might be interested in:
- Cisco Networks App for IOS and WLC: https://splunkbase.splunk.com/app/1352/
- Cisco Networks Add-on for IOS and WLC: https://splunkbase.splunk.com/app/1467
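The severity filter from the earlier comment and the field extractions this reply refers to, as an added Python example (not Splunk's or the add-on's code): it pulls the severity digit and message ID out of the standard %ASA-<severity>-<message_id> prefix that every ASA syslog line carries, then counts events per message ID with warning (4) and notice (5) severities dropped, which is the same cut the description!= filter above makes. The field names severity and message_id and the sample log lines are my own constructions.

```python
import re
from collections import Counter

# Standard syslog severity levels. The ASA encodes the digit in the
# "%ASA-<severity>-<message_id>:" prefix; the thread's description values
# "Warning conditions" and "Normal but significant conditions" are levels 4 and 5.
SEVERITY_DESCRIPTIONS = {
    0: "Emergency: system is unusable",
    1: "Alert: action must be taken immediately",
    2: "Critical: critical conditions",
    3: "Error: error conditions",
    4: "Warning: warning conditions",
    5: "Notice: normal but significant condition",
    6: "Informational: informational messages",
    7: "Debug: debug-level messages",
}

ASA_RE = re.compile(r"%ASA-(?P<severity>[0-7])-(?P<message_id>\d{6}):\s*(?P<text>.*)")

# Constructed sample lines in the shape of ASA syslog; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:00:01 fw01 %ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/4433 to inside:10.0.0.5/443
Mar  3 10:00:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/51234 dst inside:10.0.0.5/22 by access-group "outside_in"
Mar  3 10:00:03 fw01 %ASA-3-313001: Denied ICMP type=8, code=0 from 198.51.100.9 on interface outside
Mar  3 10:00:04 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/51235 dst inside:10.0.0.5/23 by access-group "outside_in"
Mar  3 10:00:05 fw01 %ASA-1-105001: (Primary) Disabling failover.
Mar  3 10:00:06 fw01 sshd[123]: Accepted publickey for admin from 10.0.0.9
"""


def parse_asa(line):
    """Return (severity, message_id, text) for an ASA line, or None for anything else."""
    m = ASA_RE.search(line)
    if not m:
        return None
    return int(m.group("severity")), m.group("message_id"), m.group("text")


def count_by_message_id(lines, exclude_severities=()):
    """Count ASA events per message ID, skipping the listed severity levels.

    exclude_severities={4, 5} reproduces the thread's daily "error and
    immediate action" view; an empty set gives the full weekly count.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_asa(line)
        if parsed is None:  # non-ASA syslog (sshd, cron, ...) is ignored
            continue
        severity, message_id, _ = parsed
        if severity not in exclude_severities:
            counts[message_id] += 1
    return counts
```

Without the add-on the same extraction can be done in SPL with a rex command using the pattern above; with it, the add-on's own field names apply instead of the ones assumed here.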
Thanks a lot. I will certainly be trying the Add-on. Will come back here if I run into issues :).