Extracting Report from CISCO FW Logs

msamant
New Member

We have installed Splunk recently and are forwarding our Cisco FW logs through syslog. We have also installed the Splunk for Cisco Security app from Splunkbase. I am getting the logs forwarded to Splunk but somehow am not able to extract the search results into a report. I need the extraction to show me:
Date SourceIP Protocol DestinationIP Protocol Action

What I get in my search is all raw data, which is not helping me troubleshoot my rules. Can anyone point me to how I can extract the report in CSV with only the above needed fields?

Hope to get some help here.

Best Regards
Mangesh

msamant
New Member

I am pretty new to this tool; can you please upload the extraction you did from my logs? I will check what steps I am missing here. If possible, also let me know the steps you did for the same.

It will be a great help.

Ayn
Legend

The Cisco Firewall app has support for ASA logs. Did you install this app (not just the Cisco Security app)? If yes, you should read the README.txt contained in the app's root directory and make sure you've installed the app properly per the instructions listed there.

Ayn
Legend

I just tried some extractions from the firewall app on the log sample you supplied and they work properly. So, your log support seems not to be installed correctly.

msamant
New Member

Yes, ASA log support has been installed correctly.

msamant
New Member

It's the Cisco ASA FW. Below is the search result; I need to extract only the source IP, protocol, destination, protocol and action into a CSV file for further troubleshooting:

2012-07-01 10:34:42 local6.info 10.X.X.X 10.X.X.X :Jul 01 10:34:40 UTC: %ASA-session-6-302013: Built outbound TCP connection 26867062 for DMZ_OUT:1X.X.X.X/4XX (1X.X.X.X/4XX) to DMZ_IN:1X.X.X.X/25693 (1X.X.X.X/25693)

Best Regards
Mangesh

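The sample line above is a standard ASA connection-built event (message 302013), and the fields the poster wants are all present in its fixed text layout, so a regular expression can pull them out without relying on the app's field extractions. The following is an added example written for this thread, not code from the Splunk for Cisco Security app or from anyone in the discussion. It parses the syslog relay timestamp and the ASA message body and emits the requested columns as CSV. It generalizes beyond the thread's single event to the matching Teardown message (302014) and to the ACL Deny message (106023), whose text layouts come from Cisco's ASA syslog message documentation; the log lines it runs on are constructed test data using RFC 5737 addresses, standing in for the masked addresses in the post. The same pattern could be used in a Splunk `rex` command, which is one way to get the same columns without leaving Splunk.

```python
import csv
import io
import re

# Constructed sample input (RFC 5737 addresses), modelled on the %ASA-6-302013
# event quoted in the thread, plus a Teardown (302014) and an ACL Deny (106023)
# in Cisco's documented message layouts, and one non-ASA line that must be skipped.
SAMPLE_LOG = """\
2012-07-01 10:34:42 local6.info 192.0.2.1 192.0.2.1 :Jul 01 10:34:40 UTC: %ASA-session-6-302013: Built outbound TCP connection 26867062 for DMZ_OUT:192.0.2.10/443 (192.0.2.10/443) to DMZ_IN:198.51.100.5/25693 (198.51.100.5/25693)
2012-07-01 10:34:45 local6.info 192.0.2.1 192.0.2.1 :Jul 01 10:34:43 UTC: %ASA-session-6-302014: Teardown TCP connection 26867062 for DMZ_OUT:192.0.2.10/443 to DMZ_IN:198.51.100.5/25693 duration 0:00:03 bytes 4120 TCP FINs
2012-07-01 10:35:01 local6.info 192.0.2.1 192.0.2.1 :Jul 01 10:34:59 UTC: %ASA-session-4-106023: Deny tcp src outside:203.0.113.7/51234 dst DMZ_IN:198.51.100.5/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
2012-07-01 10:35:02 local6.info 192.0.2.1 192.0.2.1 :this relay line carries no ASA message and is skipped
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Syslog relay timestamp at the start of the line (the "Date" column).
DATE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# ASA message tag: %ASA-[class-]severity-msgid: body  (the thread's sample has class "session")
TAG_RE = re.compile(r"%ASA-(?:[A-Za-z]+-)?(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<body>.+)$")

# 302013-302016: Built|Teardown [inbound|outbound] <proto> connection <id>
#   for <if>:<ip>/<port> [(<mapped ip>/<port>)] to <if>:<ip>/<port> ...
CONN_RE = re.compile(
    rf"^(?P<action>Built|Teardown) (?:(?:inbound|outbound) )?(?P<proto>\w+) connection \d+ "
    rf"for (?P<src_if>[^:\s]+):(?P<src_ip>{IP})/(?P<src_port>\d+) (?:\([^)]*\) )?"
    rf"to (?P<dst_if>[^:\s]+):(?P<dst_ip>{IP})/(?P<dst_port>\d+)"
)
# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group <acl> ...
DENY_RE = re.compile(
    rf"^(?P<action>Deny) (?P<proto>\w+) src (?P<src_if>[^:\s]+):(?P<src_ip>{IP})/(?P<src_port>\d+) "
    rf"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>{IP})/(?P<dst_port>\d+)"
)

FIELDS = ["date", "msg_id", "src_ip", "src_port", "protocol", "dst_ip", "dst_port", "action"]


def parse_asa_line(line):
    """Return the report fields for one ASA connection or deny event, or None
    when the line is not an ASA event of a type this report covers."""
    date_m = DATE_RE.match(line)
    tag_m = TAG_RE.search(line)
    if not (date_m and tag_m):
        return None
    body = tag_m.group("body")
    m = CONN_RE.match(body) or DENY_RE.match(body)
    if not m:
        return None  # other ASA message ids are outside the requested report
    return {
        "date": date_m.group("date"),
        "msg_id": tag_m.group("msg_id"),
        "src_ip": m.group("src_ip"),
        "src_port": m.group("src_port"),
        # 302013 logs "TCP" but 106023 logs "tcp"; normalise so the column sorts cleanly
        "protocol": m.group("proto").upper(),
        "dst_ip": m.group("dst_ip"),
        "dst_port": m.group("dst_port"),
        "action": m.group("action"),
    }


def parse_asa_log(text):
    """Parse every line of a syslog text, dropping lines that yield no record."""
    return [rec for rec in (parse_asa_line(l) for l in text.splitlines()) if rec]


def to_csv(records):
    """Render the records as CSV text with a header row in FIELDS order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_asa_log(SAMPLE_LOG)), end="")
```

Running the module prints the header row followed by one CSV row per recognised event; the non-ASA relay line is dropped rather than producing a half-filled row. The ports are kept as separate columns because a rule-troubleshooting report almost always needs them alongside the addresses, and the Deny rows (106023) are what show which access-group is blocking traffic.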
Ayn
Legend

What Cisco firewall is it? Could you please post some sample data (anonymized if needed)?
