Hi,
I'm trying to get Cisco ASA firewall logs into the Enterprise Security app. Is there an add-on for that, Splunk for Cisco ASA, or is it only supported in Cisco Security Suite?
Thanks,
Volto
A new add-on has just been released. The Splunk Add-on for Cisco ASA supports the Common Information Model and therefore works with Enterprise Security.
Splunk for Cisco Firewalls (http://apps.splunk.com/app/527) is compatible with Splunk for Enterprise Security.
In the past we had to associate the TA with the ES App, so the following may be relevant to this TA. If adding the TA vanilla does not render the events, keep in mind that there is a model by which a certain TSIDX is populated by specific apps, based on the TA model. To ensure this TA works with ES you will have to do the following:
Here is how to do that:
Provide the appropriate eventtype
Write the following stanza to the file $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/local/eventtypes.conf
[cisco_firewall_communicate]
search = sourcetype="cisco_firewall" action="*"
#tags = communicate
Associate a tag to the eventtype
Write the following stanza to the file $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/local/tags.conf
[eventtype=cisco_firewall_communicate]
communicate = enabled
Share the TA’s content to the Network Protection Domain App.
Add Splunk_CiscoFirewalls into $SPLUNK_HOME/etc/apps/SA-NetworkProtection/metadata/local.meta in SA-NetworkProtection, somewhere among the other TAs:
[]
access = read : [ * ], write : [ admin ]
export = system
version = 5.0.3
modtime = 1364401044.633878000
import = DA-ESS-AccessProtection, DA-ESS-EndpointProtection, DA-ESS-IdentityManagement, DA-ESS-NetworkProtection, SA-AccessProtection, SA-AuditAndDataProtection, SA-CommonInformationModel, SA-EndpointProtection, SA-Eventgen, SA-IdentityManagement, SA-NetworkProtection, SA-ThreatIntelligence, SA-Utils, sideview_utils, Splunk_TA_nix, Splunk_TA_windows, SplunkEnterpriseSecuritySuite, TA-airdefense, TA-alcatel, TA-bluecoat, TA-cef, TA-checkpoint, TA-fireeye, TA-flowd, TA-fortinet, TA-ftp, TA-ip2location, TA-juniper, TA-mcafee, TA-ncircle, TA-nessus, TA-nmap, TA-oracle, TA-ossec, TA-paloalto, TA-rsa, TA-sav, TA-sep, TA-snort, TA-sophos, TA-splunk, TA-tippingpoint, TA-trendmicro, TA-websense, search, Splunk_CiscoFirewalls
--
After this there is a bit of housekeeping. We need to add a local override to SplunkEnterpriseSecuritySuite/default/inputs.conf. There is a modular input which automatically adds the import to all appropriate apps. Simply apply the local override and restart.
Here is the default configuration:
## Update the meta-data
[app_imports_update://update_es]
app_regex = (TA-.*)|(Splunk_TA_.*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)
apps_to_update = SA-AccessProtection,SA-CommonInformationModel,SA-AuditAndDataProtection,SA-EndpointProtection,SA-IdentityManagement,SA-NetworkProtection,SA-ThreatIntelligence,SA-Utils,SA-Eventgen
disabled = 1
Here would be the local override:
## SplunkEnterpriseSecuritySuite/local/inputs.conf
[app_imports_update://update_es]
app_regex = (TA-.*)|(Splunk_TA_.*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)|(Splunk_CiscoFirewalls)
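The steps in the answer above touch four files (eventtypes.conf, tags.conf, local.meta, inputs.conf), and it is easy to get one of them wrong and only notice when ES stays empty. The following script is an added example, not code from the thread or from Splunk: it parses constructed copies of those four files (the sample contents below are made up to mirror the answer) and reports whether the eventtype is tagged and whether the app is picked up either by the static import list or by the app_imports_update regex. It assumes app_regex is matched against the whole app directory name.

```python
import re

# Constructed sample files mirroring the answer above (not taken from a real install).
EVENTTYPES_CONF = """
[cisco_firewall_communicate]
search = sourcetype="cisco_firewall" action="*"
"""
TAGS_CONF = """
[eventtype=cisco_firewall_communicate]
communicate = enabled
"""
LOCAL_META_NO_APP = """
[]
access = read : [ * ], write : [ admin ]
export = system
import = SA-CommonInformationModel, SA-NetworkProtection, TA-snort, search
"""
INPUTS_DEFAULT = """
## Update the meta-data
[app_imports_update://update_es]
app_regex = (TA-.*)|(Splunk_TA_.*)|(sideview_utils)|(SplunkEnterpriseSecuritySuite)|(DA-.*)|(SA-.*)
disabled = 1
"""
# The local override from the answer: same stanza, app name appended to the regex.
INPUTS_OVERRIDE = INPUTS_DEFAULT.replace("|(SA-.*)", "|(SA-.*)|(Splunk_CiscoFirewalls)")

def parse_conf(text):
    """Minimal Splunk .conf parser: [stanza] headers, key = value lines, '#' comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]              # "" is the global [] stanza of a .meta file
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)   # split on the first '=' only
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_es_wiring(app, sourcetype, eventtypes, tags, local_meta, inputs):
    """Return a list of problems; an empty list means the TA should feed ES."""
    problems = []
    tag_stanzas = parse_conf(tags)
    ok = [name for name, body in parse_conf(eventtypes).items()
          if f'sourcetype="{sourcetype}"' in body.get("search", "")
          and tag_stanzas.get(f"eventtype={name}", {}).get("communicate") == "enabled"]
    if not ok:
        problems.append(f"no eventtype over sourcetype {sourcetype} is tagged communicate=enabled")
    imports = [a.strip() for a in parse_conf(local_meta).get("", {}).get("import", "").split(",")]
    regex = parse_conf(inputs).get("app_imports_update://update_es", {}).get("app_regex", "")
    if app not in imports and not (regex and re.fullmatch(regex, app)):
        problems.append(f"{app} is neither in local.meta import nor matched by app_regex")
    return problems
```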
There are some base transforms within the Cisco Security Suite app that you can use to get information out of the ASA logs, but unfortunately, it's not "ready-made" for use with ES. You can bridge the gap with some FIELDALIAS commands in props.conf, coupled with the Splunk Common Information Model docs linked below. Splunk ES uses the Common Information Model to abstract away vendor-specific details about the log events to get at "generic firewall event", "generic malware detection", etc. I'm sorry it's not an easier answer at the moment.