Hello,
I want to count the denials from the same source ip. How can I do this?
The Log looks like this:
May 28 07:22:30 aaa.aaa.aaa.aaa %ASA-4-106023: Deny icmp src MAN-TRANS-PIX:bbb.bbb.bbb.bbb dst MAN-PRIV-INFRA-DMZ1:dns1.man.internal (type 8, code 0) by access-group "MAN-TRANS-PIX_access_in" [0xe068225a, 0x0]
Thanks for the help.
If you're looking for a specific source ip you can do this:
search for that source ip and denial events | stats count
If you're looking for a general count by source ip you can do this:
search for denial events | stats count by src_ip
Alternatively, this:
search for denial events | top src_ip
Other than that you may need to clarify your goal.
Now I've tried the search on another server with the same ASA logs. On that one my search and counting work fine, but on the production server I get no results...
I am looking for a general count to get the sources which produce the most noise.
The count by src_ip is producing no results. I think it's because of the "MAN-TRANS-PIX:" in front of the IP. How can I get these IPs out of this?
If you do not have that extraction, you are probably missing other useful information. I suggest you install the free "Technology Add-on for Cisco ASA" on all your indexers and search heads.
http://splunk-base.splunk.com/apps/58196/technology-add-on-for-cisco-asa
Thanks.
That was the problem.
If you don't yet have the source ip extracted into a field you can do something like this to get you started quickly:
... | rex "MAN-TRANS-PIX:(?<src_ip>(\d{1,3}\.){3}\d{1,3})" | ...
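As an added example (not from this thread or the add-on), here is a stand-alone Python equivalent of that rex followed by `stats count by src_ip` and `top src_ip`, run over constructed sample events in the format shown in the question. It generalises the regex to accept any source interface name, not just MAN-TRANS-PIX, and tolerates the /port suffix that tcp/udp 106023 deny messages carry; all addresses and interface names are made up.

```python
import re
from collections import Counter

# Constructed sample ASA events modelled on the line in the question
# (addresses and names are placeholders, not real hosts).
SAMPLE_LOG = """\
May 28 07:22:30 10.0.0.1 %ASA-4-106023: Deny icmp src MAN-TRANS-PIX:192.0.2.10 dst MAN-PRIV-INFRA-DMZ1:dns1.man.internal (type 8, code 0) by access-group "MAN-TRANS-PIX_access_in" [0xe068225a, 0x0]
May 28 07:22:31 10.0.0.1 %ASA-4-106023: Deny tcp src MAN-TRANS-PIX:192.0.2.10/51234 dst MAN-PRIV-INFRA-DMZ1:198.51.100.5/53 by access-group "MAN-TRANS-PIX_access_in" [0xe068225a, 0x0]
May 28 07:22:32 10.0.0.1 %ASA-4-106023: Deny udp src OUTSIDE:203.0.113.7/40000 dst INSIDE:198.51.100.9/161 by access-group "OUTSIDE_access_in" [0x1, 0x0]
May 28 07:22:33 10.0.0.1 %ASA-6-302013: Built inbound TCP connection 12 for OUTSIDE:203.0.113.7/40001 (203.0.113.7/40001) to INSIDE:198.51.100.9/443 (198.51.100.9/443)
May 28 07:22:34 10.0.0.1 %ASA-4-106023: Deny icmp src MAN-TRANS-PIX:192.0.2.10 dst MAN-PRIV-INFRA-DMZ1:dns1.man.internal (type 8, code 0) by access-group "MAN-TRANS-PIX_access_in" [0xe068225a, 0x0]
"""

# Same idea as the rex in the answer, generalised: any interface name before the
# colon is accepted, and an optional /port after the IP (tcp/udp denies) is skipped.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>(?:\d{1,3}\.){3}\d{1,3})(?:/\d+)? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>\S+)"
)

def parse_deny(line):
    """Return the named fields of an ASA 106023 deny line, or None for any other event."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None

def count_denies_by_src(log_text):
    """Equivalent of 'stats count by src_ip' over the deny events: {src_ip: count}."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_deny(line)
        if event:  # non-deny messages (e.g. 302013) are skipped
            counts[event["src_ip"]] += 1
    return dict(counts)

def top_sources(log_text, n=10):
    """Equivalent of 'top src_ip': (src_ip, count) pairs, noisiest first."""
    return Counter(count_denies_by_src(log_text)).most_common(n)

if __name__ == "__main__":
    for ip, n in top_sources(SAMPLE_LOG):
        print(f"{ip:<16} {n}")
```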