
Cisco ASA versus FTD parsing

FPERVIL
Explorer

We have both Cisco ASA and FTD firewalls.  The ASA is parsing fine where the appropriate fields are extracted.  As for the FTD logs, I don't get the same treatment for the data.  I downloaded the Cisco Firepower Threat Defense FTD sourcetype app and installed it on the search heads because I only had the Splunk Add-on for Cisco ASA.  That didn't change anything.  


Mar 1 18:44:20 USxx-xx-FW01 : %ASA-6-302014: Teardown TCP connection 3111698504 for wan:208.87.237.180/8082 to cm-data:12.11.60.44/60113 duration 0:00:00 bytes 327 TCP FINs from wan


Mar 1 13:45:09 MXxx-EG-FTD01 : %FTD-6-302014: Teardown TCP connection 125127915 for CTL_Internet:194.26.135.230/41903 to CTL_Internet:123.243.123.218/33445 duration 0:00:30 bytes 0 Failover primary closed


As you can see, the msgs are identical for both FWs, but the ASA has lots of interesting fields where the FTD only has a few.


yuanliu
SplunkTrust

Splunk doesn't apply any inherent extraction for data as you illustrated. (By default, it extracts key-value pairs connected by equal (=) sign, and some structured raw events such as JSON.)  If you see more fields in ASA feeds, it must be the doing of Splunk Add-on for Cisco ASA.  You need to open up that add-on and see what it is doing.  Then, you can copy it if that is within copyrights.  Or you can develop your own extraction strategy to emulate what Splunk Add-on for Cisco ASA does, or more.

Given that the two data sources are so close in format, there is also a possibility that Splunk Add-on for Cisco ASA has some configuration you can tweak to include the FTD data type.  Consult its documentation, or contact the developers.

This board used to have an app forum that I no longer see.  Maybe it is now Splunk Dev?  You can check if Splunk Add-on for Cisco ASA developers are in that forum.

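One way to see what "develop your own extraction strategy" looks like for these two feeds, as an added example that is not part of this thread and not code from the Splunk Add-on for Cisco ASA: a single regex pair that parses both the `%ASA-6-302014` and `%FTD-6-302014` teardown lines quoted above, plus the same pattern rendered as a search-time `rex` command. The two sample events are the ones from the question; the CIM-style field names (`src_ip`, `dest_port`, `vendor_product`, ...) are assumed to mirror what the ASA add-on produces, and the `fw_host` name is chosen so the extraction does not collide with Splunk's own `host` field.

```python
import re
from typing import Optional

# Constructed sample input: the two events quoted in the question, one ASA and one FTD.
SAMPLE_EVENTS = [
    "Mar 1 18:44:20 USxx-xx-FW01 : %ASA-6-302014: Teardown TCP connection 3111698504 "
    "for wan:208.87.237.180/8082 to cm-data:12.11.60.44/60113 duration 0:00:00 bytes 327 "
    "TCP FINs from wan",
    "Mar 1 13:45:09 MXxx-EG-FTD01 : %FTD-6-302014: Teardown TCP connection 125127915 "
    "for CTL_Internet:194.26.135.230/41903 to CTL_Internet:123.243.123.218/33445 "
    "duration 0:00:30 bytes 0 Failover primary closed",
]

# Syslog header shared by both products: only the %ASA / %FTD tag differs.
# The group is named fw_host rather than host so a search-time rex does not
# overwrite Splunk's built-in host field (naming is an assumption of this example).
HEADER_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<fw_host>\S+)\s+:\s+"
    r"%(?P<vendor_product>ASA|FTD)-(?P<severity>\d)-(?P<message_id>\d{6}):\s+"
    r"(?P<message>.*)$"
)

# Body of message 302014 (connection teardown); the trailing reason is optional.
TEARDOWN_RE = re.compile(
    r"^Teardown (?P<transport>TCP|UDP) connection (?P<connection_id>\d+) for "
    r"(?P<src_interface>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dest_interface>[^:]+):(?P<dest_ip>[\d.]+)/(?P<dest_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+))?$"
)

# Header and body joined into one pattern, which is what a rex command or an
# EXTRACT- stanza in props.conf would carry.
TEARDOWN_FULL_RE = re.compile(
    HEADER_RE.pattern.replace(r"(?P<message>.*)$", TEARDOWN_RE.pattern.lstrip("^"))
)


def duration_to_seconds(duration: str) -> int:
    """Convert the h:mm:ss duration the firewall logs into whole seconds."""
    hours, minutes, seconds = (int(part) for part in duration.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_event(line: str) -> Optional[dict]:
    """Return a flat field dictionary for one syslog line, or None if the line
    is not an ASA/FTD message. Teardown fields are added when message 302014
    is recognised; other message ids keep only the header fields."""
    header = HEADER_RE.match(line)
    if header is None:
        return None
    fields = header.groupdict()
    fields["severity"] = int(fields["severity"])
    body = TEARDOWN_RE.match(fields["message"])
    if body is not None:
        fields.update(body.groupdict())
        for name in ("src_port", "dest_port", "bytes", "connection_id"):
            fields[name] = int(fields[name])
        fields["duration_seconds"] = duration_to_seconds(fields["duration"])
        fields["action"] = "teardown"
    return fields


def splunk_rex_equivalent() -> str:
    """The same extraction as a search-time rex command (PCRE accepts the
    (?P<name>...) group syntax), for trying in the search bar before moving
    the pattern into props.conf / transforms.conf."""
    return f'rex "{TEARDOWN_FULL_RE.pattern}"'


def message_id_counts(lines) -> dict:
    """Count events per (vendor_product, message_id) so you can see which ids
    a feed actually carries before deciding which add-on or extraction fits."""
    counts: dict = {}
    for line in lines:
        fields = parse_event(line)
        if fields is None:
            continue
        key = (fields["vendor_product"], fields["message_id"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        parsed = parse_event(event)
        print({k: v for k, v in parsed.items() if k != "message"})
    print(message_id_counts(SAMPLE_EVENTS))
    print(splunk_rex_equivalent())
```

Running it prints the same field set for the ASA and the FTD event, which is the point: the `%FTD-` tag is the only header difference, so an extraction keyed on `ASA|FTD` covers both without a second add-on. The printed `rex` string can be appended to a search over the FTD index to confirm the fields appear before committing the pattern as an `EXTRACT-` stanza for the FTD sourcetype.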

Richfez
SplunkTrust

I don't think that's the right app to read those events.  In any case, the app you have installed had its latest release in 2018 and references no Splunk version higher than 7.1, so it looks abandoned.

Instead, it looks like the "Cisco Secure eStreamer Client Add-On for Splunk" (https://splunkbase.splunk.com/app/3662) might extract fields from records with FTD in them.  It seems like it focuses on events 430001, 430002, 430003 and 430005.  Still, it's worth a shot.

Indeed, right now you could see if you have those - try a search like

index=<your cisco index> FTD (430001 OR 430002 OR 430003 OR 430005)

If that returns a few items (or lots), then the app I mention above should turn that into useful fields.

If that search does NOT return any events, ... well, widen the time frame.  These seem like they might be less common events, not run of the mill "every tcp session makes 42 zillion of them" so it's possible there's only a few per day or something.

In any case, happy splunking and I hope you find what you need!

-Rich
