Solved: ASA Accessed URL log

antoniobp · ‎07-13-2012

Hi everyone,

I would like to know, how could I extract the source IP address?

I need a report from sources IP to "Accessed URL" (top 100) in Cisco ASA.

In the example below, the source IP is 10.2.22.65.

Jul 13 14:22:03 10.2.1.216 %ASA-5-304001: 10.2.22.65 Accessed URL 82.165.39.131:http://www.collajove.cat/img/content_bg.jpg

Best Regards

Antonio

rturk · ‎07-13-2012

Regex to the rescue! Try this:

sourcetype=your-sourcetype | rex "(?<src_ip>\d+.\d+.\d+.\d+) Accessed URL"

Hope the helps 🙂

antoniobp · ‎08-10-2012

Hi kenth,

It´s other good option, but I don´t manage Splunk´s appliances and is better for me to use only queries.

Best Regards

kenth · ‎08-09-2012

Or you could just download my Splunk for Cisco ASA app which has these extractions and also dashboards for them 🙂

antoniobp · ‎07-16-2012

Thank you so much R.Turk,

Regex is working fine 🙂

Have a good day

rturk · ‎07-13-2012

Regex to the rescue! Try this:

sourcetype=your-sourcetype | rex "(?<src_ip>\d+.\d+.\d+.\d+) Accessed URL"

Hope the helps 🙂

ASA Accessed URL log