Hi All, I am working on Cisco Firepower field extraction.
I have 2 different patterns, mentioned below:
1. For the one below, I get the action field as either "Allow" or "Block", and I am able to extract it.
Jul 16 2020 17:47:00 %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.216.6.64, DstIP: 40.126.2.50, SrcPort: 57033, DstPort: 443, Protocol: tcp, IngressZone: in, EgressZone: out, ACPolicy: Azure-Policy-old, AccessControlRuleName: ASADmz_Internal_Access, Prefilter Policy: Allow_new, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 120, ResponderBytes: 66, NAPPolicy: Unknown
2. How can I write a single extractor for the action field to cover the type of log below? I believe the action field would be unknown for the pattern below.
Jul 16 17:47:00 UTC: %FTD-session-6-305011: Built dynamic TCP translation from Inside:10.216.6.64/57035 to Outside:10.216.3.10/57035
I am facing the same issue with ASA firewall logs as well.
Any direction would be highly appreciated.
Regards,
Tejas
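One way to handle both message shapes with a single extractor, written as an added example that is not part of the original thread: the `AccessControlRuleAction` pattern populates `action` for connection events, and anything without it (such as the 305011 translation message) falls back to the literal "unknown". The sample lines are constructed from the two formats quoted above; the `%ASA-` alternative in the header regex is an assumption based on the standard ASA syslog header.

```python
import re

# Constructed sample lines modelled on the formats quoted in the post (not real traffic).
SAMPLE_LOGS = [
    "Jul 16 2020 17:47:00 %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.216.6.64, "
    "DstIP: 40.126.2.50, SrcPort: 57033, DstPort: 443, Protocol: tcp, IngressZone: in, "
    "EgressZone: out, ACPolicy: Azure-Policy-old, Prefilter Policy: Allow_new, "
    "User: No Authentication Required, NAPPolicy: Unknown",
    "Jul 16 2020 17:47:02 %FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.216.6.65, "
    "DstIP: 40.126.2.51, SrcPort: 57034, DstPort: 443, Protocol: tcp",
    "Jul 16 17:47:00 UTC: %FTD-session-6-305011: Built dynamic TCP translation from "
    "Inside:10.216.6.64/57035 to Outside:10.216.3.10/57035",
    # ASA header form (assumed): same message id, no FTD class segment
    "Jul 16 17:47:05 UTC: %ASA-6-305011: Built dynamic TCP translation from "
    "Inside:10.216.6.66/57036 to Outside:10.216.3.10/57036",
]

# Header shared by both formats: %FTD-<optional class>-<severity>-<msgid>:
HEADER_RE = re.compile(
    r"%(?P<product>FTD|ASA)-(?:(?P<msgclass>[A-Za-z]+)-)?(?P<severity>\d)-(?P<msgid>\d{6}):"
)
# Present only in connection events: "AccessControlRuleAction: Allow,"
ACTION_RE = re.compile(r"AccessControlRuleAction:\s*(?P<action>\w+)")
# "Key: Value" pairs separated by commas (keys may contain spaces, e.g. "Prefilter Policy")
KV_RE = re.compile(r"(?P<key>[A-Za-z ]+?):\s*(?P<value>[^,]+)")


def extract_action(line):
    """Return 'Allow'/'Block' when AccessControlRuleAction is present, else 'unknown'."""
    m = ACTION_RE.search(line)
    return m.group("action") if m else "unknown"


def parse_message(line):
    """Parse the header and, for connection events, the comma-separated body.
    The action field is always populated so searches can filter on it safely."""
    fields = {"action": extract_action(line)}
    h = HEADER_RE.search(line)
    if not h:
        return fields  # not an FTD/ASA message; leave it for another extractor
    fields.update({"product": h.group("product"),
                   "severity": h.group("severity"), "msgid": h.group("msgid")})
    if fields["action"] != "unknown":  # only connection events carry Key: Value pairs
        for kv in KV_RE.finditer(line[h.end():]):
            fields[kv.group("key").strip()] = kv.group("value").strip()
    return fields
```

In Splunk the same `AccessControlRuleAction:\s*(?<action>\w+)` pattern works as the regex of the extraction, with `coalesce(action, "unknown")` in an eval supplying the default for lines that never matched.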
@richgalloway Thanks for your prompt response.
Sorry, I missed mentioning that we have the latest version of Splunk, i.e. 8.0, on both the SH and the HF.
So none of these apps or add-ons are compatible, and the Cisco eStreamer for Splunk app is tested on the Unix platform. We have installed the HF on a Windows server.
Can you please suggest some other solution?
Regards,
Tejas