Splunk Search

Help with search to monitor a firewall

Communicator

We are trying to monitor firewall events from the 'X' environment coming into Splunk. I took all the hosts (600 hosts) related to the 'X' environment and created a lookup. I am able to see all events with the search below, but the search is too expensive and takes almost 15 minutes. For security reasons I removed all index names and IPs; when I search I include them. Can anyone help with the search?

Search -

    index=test1 OR index=test2* OR index=test3* action=blocked dest=* NOT (msg="Deny TCP (no connection) from * flags RST on interface *") (src_ip=*/* OR src_ip=*/* OR src_ip=*/* OR src_ip=*/*)
    | lookup hostlist.csv IP as dest
    | search list=y
    | dedup dest_port src_ip dest_ip host rule
    | table dest_port src_ip dest_ip host rule list

Re: Help with search to monitor a firewall

SplunkTrust

Sorry, this is not an answer, more some ideas, but

“Some trusted people were chatting...here you go. Don’t mind the ‘what the hell is this’ commentary” 🙂


If you wonder about who the trusted people were, some of these guys https://www.splunk.com/blog/2017/09/26/the-splunktrust-2018-in-all-its-fezzed-glory.html


Re: Help with search to monitor a firewall

Communicator

Thanks @MuS. I am very lucky and happy that the SplunkTrust team replied to me. I believe it is 600 hosts, so it is taking that long to check hosts for only 4 hours of data.

0 Karma

Re: Help with search to monitor a firewall

SplunkTrust

Okay, some options here:

  • be as precise as possible in the base search and try to avoid * or NOT; instead, search for exactly what you want
  • after you have done the above, run the search in Fast Mode
  • is the lookup used only to get events for hosts in the lookup? If yes, do what @cmerriman suggests and try to add this to your base search: [ | inputlookup hostlist.csv | dedup host | table host | format ]. This will create a group of ((host=x) OR (host=y) OR ...) and speeds up the search

cheers, MuS

0 Karma

Re: Help with search to monitor a firewall

Communicator

Thanks @MuS

0 Karma

Re: Help with search to monitor a firewall

Champion

What is the lookup for in "lookup hostlist.csv IP as dest"?

    index=test1 OR index=test2* OR index=test3* action=blocked dest=* NOT (msg="Deny TCP (no connection) from * flags RST on interface *") (src_ip=*/* OR src_ip=*/* OR src_ip=*/* OR src_ip=*/*) [ | inputlookup hostlist.csv | fields IP | rename IP as dest ]

Use TERM for the IP search:
    src_ip=TERM(1.1.1.1) OR src_ip=TERM(1.1.1.2)

Using fields reduces the required fields:
    table xxx,xxx -> fields xxx,xxx
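Putting MuS's three points and HiroshiSatoh's subsearch together, here is one way the original search could be rewritten. This is an added example, not code from anyone in the thread; it assumes hostlist.csv has the columns IP and list (which the original "lookup hostlist.csv IP as dest | search list=y" implies), and the index names and CIDR ranges are placeholders standing in for the values the poster removed.

```spl
index=test1 OR index=test2 OR index=test3
    action=blocked
    (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12)
    NOT "Deny TCP (no connection)"
    [ | inputlookup hostlist.csv
      | search list=y
      | dedup IP
      | fields IP
      | rename IP AS dest
      | format ]
| dedup dest_port src_ip dest_ip host rule
| fields dest_port src_ip dest_ip host rule
```

The subsearch runs first and its format output becomes part of the base search, so the indexers only return events whose dest is one of the monitored hosts instead of returning everything and filtering after the lookup. The default subsearch result limit is 10,000 rows, so 600 hosts is well inside it. The explicit index names replace the index=test2* style wildcards (list each real index if several match), dest=* is dropped because the subsearch already requires dest, and the wildcard-heavy NOT msg="..." clause is replaced by a NOT on the fixed phrase at the start of the message, which is cheaper to evaluate. fields is used instead of table because it is a distributable streaming command, so the field trimming happens on the indexers. If the list column is still wanted in the output, add "| lookup hostlist.csv IP AS dest OUTPUT list" after the dedup; at that point it only runs over the already-filtered events, so it is cheap.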


Re: Help with search to monitor a firewall

Communicator

Hi @HiroshiSatoh. I performed the above query you suggested. I am getting no results.

0 Karma

Re: Help with search to monitor a firewall

Path Finder

Try searching for ASA instead. You may need to define a lookup CSV containing your ASA codes.
E.g., my CSV contains

106027  %ASA-4-106027   Error   Yes Port
107001  %ASA-1-107001   Error   Yes Attempt
107002  %ASA-1-107002   Error   Yes Attempt
109017  %ASA-4-109017   Error   Yes DoS

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html
0 Karma