Splunk Search

Help with search to monitor a firewall

splunker969
Communicator

We are trying to monitor firewall events from the 'X' environment coming into Splunk. I took all hosts (600 hosts) related to the 'X' environment and created a lookup. I am able to see all events with the search below, but the search is too expensive and takes almost 15 minutes. For security reasons I took out all index names and IPs; when I search I include them. Can anyone help with the search?

Search -

 index=test1 OR index=test2* OR index=test3* action=blocked dest=* NOT(msg="Deny TCP (no connection) from * flags RST  on interface *") (src_ip=*/* OR src_ip=*/* OR src_ip=*/* OR src_ip=*/*)
 | lookup hostlist.csv IP as dest
 | search list=y
 | dedup dest_port src_ip dest_ip host rule
 | table dest_port src_ip dest_ip host rule list

erickyi
Path Finder

Try searching for ASA instead. You may need to define a lookup CSV containing your ASA codes,
e.g. my CSV contains:

106027  %ASA-4-106027   Error   Yes Port
107001  %ASA-1-107001   Error   Yes Attempt
107002  %ASA-1-107002   Error   Yes Attempt
109017  %ASA-4-109017   Error   Yes DoS


https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html
0 Karma

HiroshiSatoh
Champion

What is the lookup in "lookup hostlist.csv IP as dest" for?

 index=test1 OR index=test2* OR index=test3* action=blocked dest=* NOT(msg="Deny TCP (no connection) from * flags RST  on interface *") (src_ip=*/* OR src_ip=*/* OR src_ip=*/* OR src_ip=*/*)
     [ | inputlookup hostlist.csv | fields IP | rename IP as dest ]

Use TERM for the IP search:
 src_ip=TERM(1.1.1.1) OR src_ip=TERM(1.1.1.2)

Using fields reduces the fields that need to be extracted:
 table xxx,xxx -> fields xxx,xxx

splunker969
Communicator

Hi @HiroshiSatoh. I ran the query you suggested above. I am getting no results.

0 Karma

MuS
SplunkTrust

Sorry that this is not an answer, more some ideas, but

“Some trusted people were chatting...here you go. Don’t mind the ‘what the hell is this’ commentary” 🙂

[image: screenshot of the chat; not preserved]

If you wonder who the trusted people were, some of these guys: https://www.splunk.com/blog/2017/09/26/the-splunktrust-2018-in-all-its-fezzed-glory.html

splunker969
Communicator

Thanks @MuS. I am very lucky and happy that the SplunkTrust team replied to me. I believe that with 600 hosts it takes that long to check the hosts for only 4 hours of data.

0 Karma

MuS
SplunkTrust

Okay, some options here:

  • be as precise as possible in the base search and try to avoid * or NOT; instead, search for exactly what you want
  • after you have done the above, run the search in Fast Mode
  • is the lookup used only to get events for hosts in the lookup? If yes, do what @cmerriman suggests and try to add this to your base search: [ | inputlookup hostlist.csv | dedup host | table host | format ]. This will create a group of ((host=x) OR (host=y) OR ...) and speeds up the search

cheers, MuS

0 Karma
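The suggestions in this thread (HiroshiSatoh's subsearch and fields, MuS's format-generated host filter) combined into one search. This is an added example, not code posted by anyone in the thread. It assumes hostlist.csv has the columns IP and list that the original search implies, that list="y" marks the hosts to keep, and that the three CIDR ranges stand in for the redacted src_ip values; the index names are the placeholders from the question.

```spl
(index=test1 OR index=test2* OR index=test3*) action=blocked
    [ | inputlookup hostlist.csv
      | where list="y"
      | dedup IP
      | fields IP
      | rename IP AS dest
      | format ]
    (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16)
    NOT msg="Deny TCP (no connection) from * flags RST  on interface *"
| fields dest_port src_ip dest_ip dest host rule
| dedup dest_port src_ip dest_ip host rule
| table dest_port src_ip dest_ip host rule
```

The subsearch runs first and expands to ((dest="a") OR (dest="b") OR ...), so the indexers only return events whose dest is on the list instead of returning every blocked event and filtering after the lookup; the later `| search list=y` and the `lookup` are no longer needed. Filtering on `list="y"` and `dedup IP` inside the subsearch keeps the generated clause as small as possible; 600 hosts is well under the default subsearch result limit, but check limits.conf (subsearch maxout) before pointing this at a much larger lookup, because a truncated subsearch silently drops hosts. The `fields` line right after the base search limits field extraction to what the dedup and table need, which is the same gain as running in Fast Mode. The `NOT msg=...` exclusion is kept verbatim because TERM() cannot replace a phrase containing spaces and parentheses; it is the one remaining wildcard filter, so if it still dominates run time, exclude by a more specific indexed term for that message instead.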

splunker969
Communicator

Thanks @MuS

0 Karma