Splunk Search

When searching ASA Syslog, Splunk claims "bytes" is a host.

Explorer

I don't understand how to get Splunk to properly parse the Teardown messages from my ASA cluster. It claims that "bytes" is a host, which it is not.

Here is an example of the messages that are being improperly attributed to "bytes":

<190>May 14 2010 15:08:48: %ASA-6-302016: Teardown UDP connection 77425970 for outside:192.168.2.30/61031 to inside:IN-TDC1/53 duration 0:00:03 bytes 314

<190>May 14 2010 15:08:48: %ASA-6-302014: Teardown TCP connection 77426021 for outside:192.168.2.28/3838 to inside:172.30.21.41/135 duration 0:00:00 bytes 2630 TCP FINs (d397500)

Can anyone give me a pointer as to how I can get it to interpret the log correctly?


Explorer

While I appreciate the input from Lowell, it appears that this bug only occurs when I'm configured to send/receive the syslog messages via TCP. It cleared up when I blew out the database and started over with UDP 🙂

Super Champion

Is your sourcetype being detected as syslog? The syslog and similarly-named sourcetypes have a host field extraction set up by default that sometimes gets confused, and it seems that's what's happening here.

The transforms.conf file contains the following regex, which is your problem.

[syslog-host]
...
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
...

I ran it using a regex tool and it does in fact match "bytes" in the sample event you posted. So then bytes becomes the value for host. Whoops.

The simple way to fix this is to assign your input a different/custom sourcetype. The other approach is to disable the syslog host extraction, which may be less desirable as it could affect other syslog events you are indexing.

You can add your own custom sourcetype by adding an entry in your local props.conf file, like so:

[cisco_asa]
TIME_FORMAT = %b %d %Y %H:%M:%S
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False

Then you have to set up a source matching rule that associates that input with your new sourcetype. How you set that part up will depend on how Splunk's inputs are set up. If you are new to Splunk and/or don't know where to get started, check out What's a Splunk index. It may take a bit to wrap your head around everything, but this is worth understanding and will save you time in the long run.
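As an added illustration (not code from the thread or from Splunk), here is the syslog-host regex quoted above applied in Python to the two ASA events from the question and to one constructed plain syslog line, so you can see why the ASA timestamp's trailing colon pushes the match forward onto "bytes". The hostname and process in the constructed line are made up.

```python
import re
from typing import Optional

# The default [syslog-host] REGEX from transforms.conf, exactly as quoted in the answer above.
SYSLOG_HOST_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s"
)

# The two ASA teardown events from the question.
ASA_EVENTS = [
    "<190>May 14 2010 15:08:48: %ASA-6-302016: Teardown UDP connection 77425970 "
    "for outside:192.168.2.30/61031 to inside:IN-TDC1/53 duration 0:00:03 bytes 314",
    "<190>May 14 2010 15:08:48: %ASA-6-302014: Teardown TCP connection 77426021 "
    "for outside:192.168.2.28/3838 to inside:172.30.21.41/135 duration 0:00:00 "
    "bytes 2630 TCP FINs (d397500)",
]

# Constructed plain syslog line: the shape the regex was written for
# (timestamp, then a whitespace-delimited host). Hostname and process are invented.
PLAIN_SYSLOG = "<38>May 14 15:08:48 fw-mgmt-01 sshd[4242]: Accepted publickey for admin"


def extract_syslog_host(event: str) -> Optional[str]:
    """Return the host the syslog-host regex would capture for this event.

    A single-capture extraction yields the leftmost match, so re.search()
    mirrors the behaviour the thread is seeing.
    """
    m = SYSLOG_HOST_REGEX.search(event)
    return m.group(1) if m else None


def explain_match(event: str) -> str:
    """Show which ':dd ' anchor the regex latched onto, for debugging a bad extraction.

    In the ASA events the clock field is '15:08:48:' (trailing colon), so ':48' is
    not followed by whitespace and cannot anchor the match. The regex slides on
    until 'duration 0:00:03 ' satisfies ':\\d\\d\\s+', and the next word, 'bytes',
    is captured as the host.
    """
    m = SYSLOG_HOST_REGEX.search(event)
    if not m:
        return "no match"
    anchor = event[m.start():m.start() + 4]
    return f"anchor={anchor!r} host={m.group(1)!r}"


if __name__ == "__main__":
    for ev in ASA_EVENTS + [PLAIN_SYSLOG]:
        print(explain_match(ev))
```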

Explorer

Lowell - thank you for your quick reply.

This seems like a lot of effort...I'm really only going to be monitoring ASA units from this installation - is there any way we can simply exclude the word "bytes" and the following digits from being extracted?
