Splunk Enterprise Security

Cisco ASA Add-On for Splunk ES

Volto
Path Finder

Hi,

I'm trying to get Cisco ASA firewall logs into the Enterprise Security app. Is there an add-on for that, Splunk for Cisco ASA, or is it only supported in Cisco Security Suite?

Thanks,

Volto

sbrant_splunk
Splunk Employee

A new add-on has just been released. The Splunk Add-on for Cisco ASA supports the Common Information Model and therefore works with Enterprise Security.

http://apps.splunk.com/app/1620/


Gilberto_Castil
Splunk Employee

Splunk for Cisco Firewalls (http://apps.splunk.com/app/527) is compatible with Splunk for Enterprise Security.


In the past we had to associate the TA with the ES App, so the following may be relevant to this TA. If adding the TA vanilla does not render the events, keep in mind that there is a model by which a certain TSIDX is populated by specific apps, based on the TA model. To ensure this TA works with ES you will have to do the following:

  1. Provide the appropriate eventtype
  2. Associate a tag to the eventtype
  3. Share the TA’s content to the Network Protection Domain App.

Here is how to do that:

Provide the appropriate eventtype

Write the following stanza to the file $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/local/eventtypes.conf

[cisco_firewall_communicate]
search = sourcetype="cisco_firewall" action="*"
#tags = communicate

Associate a tag to the eventtype

Write the following stanza to the file $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/local/tags.conf

[eventtype=cisco_firewall_communicate]
communicate = enabled

Share the TA’s content to the Network Protection Domain App.

Add Splunk_CiscoFirewalls into $SPLUNK_HOME/etc/apps/SA-NetworkProtection/metadata/local.meta in SA-NetworkProtection, somewhere among other TAs:

[]
access = read : [ * ], write : [ admin ]
export = system
version = 5.0.3
modtime = 1364401044.633878000
import = DA-ESS-AccessProtection, DA-ESS-EndpointProtection, DA-ESS-IdentityManagement, DA-ESS-NetworkProtection, SA-AccessProtection, SA-AuditAndDataProtection, SA-CommonInformationModel, SA-EndpointProtection, SA-Eventgen, SA-IdentityManagement, SA-NetworkProtection, SA-ThreatIntelligence, SA-Utils, sideview_utils, Splunk_TA_nix, Splunk_TA_windows, SplunkEnterpriseSecuritySuite, TA-airdefense, TA-alcatel, TA-bluecoat, TA-cef, TA-checkpoint, TA-fireeye, TA-flowd, TA-fortinet, TA-ftp, TA-ip2location, TA-juniper, TA-mcafee, TA-ncircle, TA-nessus, TA-nmap, TA-oracle, TA-ossec, TA-paloalto, TA-rsa, TA-sav, TA-sep, TA-snort, TA-sophos, TA-splunk, TA-tippingpoint, TA-trendmicro, TA-websense, search, Splunk_CiscoFirewalls

--

After this there is a bit of housekeeping. We need to add a local override to SplunkEnterpriseSecuritySuite/default/inputs.conf. There is a modular input which automatically adds the import to all appropriate apps. Simply apply the local override and restart.

Here is the default configuration:

## Update the meta-data
[app_imports_update://update_es]
app_regex = (TA-.*)|(Splunk_TA_.*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)
apps_to_update = SA-AccessProtection,SA-CommonInformationModel,SA-AuditAndDataProtection,SA-EndpointProtection,SA-IdentityManagement,SA-NetworkProtection,SA-ThreatIntelligence,SA-Utils,SA-Eventgen
disabled = 1

Here would be the local override:

## SplunkEnterpriseSecuritySuite/local/inputs.conf
[app_imports_update://update_es]
app_regex = (TA-.*)|(Splunk_TA_.*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)|(Splunk_CiscoFirewalls)
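
A small checker for the three steps above plus the app_regex override, added here as an example and not part of the original answer or any Splunk tooling. The stanzas are constructed copies of the ones in this answer (the local.meta import list is abbreviated), and the parser is a minimal one written for this example, not Splunk's own conf parser.

```python
import re

# Constructed samples of the stanzas from the answer above (not read from disk).
EVENTTYPES_CONF = """
[cisco_firewall_communicate]
search = sourcetype="cisco_firewall" action="*"
#tags = communicate
"""

TAGS_CONF = """
[eventtype=cisco_firewall_communicate]
communicate = enabled
"""

LOCAL_META = """
[]
access = read : [ * ], write : [ admin ]
export = system
import = SA-NetworkProtection, TA-paloalto, search, Splunk_CiscoFirewalls
"""

# Default app_regex from SplunkEnterpriseSecuritySuite/default/inputs.conf and the local override.
DEFAULT_APP_REGEX = r"(TA-.*)|(Splunk_TA_.*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)"
OVERRIDE_APP_REGEX = DEFAULT_APP_REGEX + r"|(Splunk_CiscoFirewalls)"


def parse_conf(text):
    """Minimal Splunk .conf parser: {stanza: {key: value}}; '[]' is the global stanza ('')."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_es_wiring(ta="Splunk_CiscoFirewalls", eventtype="cisco_firewall_communicate",
                    eventtypes=EVENTTYPES_CONF, tags=TAGS_CONF, meta=LOCAL_META,
                    app_regex=OVERRIDE_APP_REGEX):
    """Return one boolean per wiring step so a missing step is visible by name."""
    et = parse_conf(eventtypes).get(eventtype, {})
    tg = parse_conf(tags).get(f"eventtype={eventtype}", {})
    imports = [a.strip() for a in parse_conf(meta).get("", {}).get("import", "").split(",")]
    return {
        "eventtype_defined": 'sourcetype="cisco_firewall"' in et.get("search", ""),
        "tag_enabled": tg.get("communicate") == "enabled",
        "ta_imported": ta in imports,
        "regex_covers_ta": re.fullmatch(app_regex, ta) is not None,  # default regex fails here
    }
```

Running the check with DEFAULT_APP_REGEX shows why the local override is needed: the TA name matches none of the default alternatives, so the modular input would never add the import.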

sowings
Splunk Employee

There are some base transforms within the Cisco Security Suite app that you can use to get information out of the ASA logs, but unfortunately, it's not "ready-made" for use with ES. You can bridge the gap with some FIELDALIAS commands in props.conf, coupled with the Splunk Common Information Model docs linked below. Splunk ES uses the Common Information Model to abstract away vendor-specific details about the log events to get at "generic firewall event", "generic malware detection", etc. I'm sorry it's not an easier answer at the moment.

http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/UnderstandandusetheCommonInformationMode...
