Hi,
I am using the Splunk_TA_cisco-asa in the latest version 3.1.0 and feeding ASA syslogs.
As I run my ASA in dual stack with both IPv4 and IPv6, I saw that the following fields are not parsed correctly for some syslog messages:
src_ipv6
dst_ipv6
The issue is that the IPv6 addresses are losing the first part (here it is the "2001"):
The syslog IDs in question are 302020 and 302021.
Dec 17 13:10:00 172.16.10.220 Dec 17 2014 13:10:09 munlab-spyker1 : %ASA-6-302021: Teardown ICMP connection for faddr fe80::c671:feff:fe67:5e48/0 gaddr 2001:420:44e6:2010::2013/0 laddr 2001:420:44e6:2010::2013/0
dest_ipv6 = fe80::c671:feff:fe67:5e48
dvc = 172.16.10.220
host = 172.16.10.220
src_ipv6 = 420:44e6:2010::2013
transport = ICMP
Dec 17 13:09:58 172.16.10.220 Dec 17 2014 13:10:07 munlab-spyker1 : %ASA-6-302020: Built outbound ICMP connection for faddr fe80::c671:feff:fe67:5e48/0 gaddr 2001:420:44e6:2010::2013/0 laddr 2001:420:44e6:2010::2013/0
dest_ipv6 = fe80::c671:feff:fe67:5e48
direction = outbound
dvc = 172.16.10.220
host = 172.16.10.220
src_ipv6 = 420:44e6:2010::2013
transport = ICMP
Is this a known bug?
Thanks,
Toby
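As an added example (not the add-on's own extraction, and not code from the poster), the following Python parses ASA 302020/302021 connection messages so that each IPv6 literal is captured whole, and adds a check that flags an extracted address which only occurs as the tail of a longer address in the raw event, which is exactly the symptom shown above. The mapping of faddr to dest_ipv6 and laddr to src_ipv6 mirrors the fields in the post and is an assumption about the add-on's intent; the sample lines are constructed from the ones quoted above.

```python
import ipaddress
import re

# Constructed sample events, modelled on the two lines quoted in the post.
SAMPLE_LINES = [
    "Dec 17 13:10:00 172.16.10.220 Dec 17 2014 13:10:09 munlab-spyker1 : "
    "%ASA-6-302021: Teardown ICMP connection for faddr fe80::c671:feff:fe67:5e48/0 "
    "gaddr 2001:420:44e6:2010::2013/0 laddr 2001:420:44e6:2010::2013/0",
    "Dec 17 13:09:58 172.16.10.220 Dec 17 2014 13:10:07 munlab-spyker1 : "
    "%ASA-6-302020: Built outbound ICMP connection for faddr fe80::c671:feff:fe67:5e48/0 "
    "gaddr 2001:420:44e6:2010::2013/0 laddr 2001:420:44e6:2010::2013/0",
]


def _addr(name):
    # "<name> <address>/<port-or-icmp-id>": the address class covers IPv6 hex groups,
    # colons and an embedded dotted IPv4 suffix, so the whole literal is consumed.
    return rf"{name} (?P<{name}>[0-9A-Fa-f:.]+)/(?P<{name}_port>\d+)"


# Covers the Built (302020) and Teardown (302021) connection messages from the post.
MSG_RE = re.compile(
    r"%ASA-(?P<severity>\d)-(?P<msg_id>30202[01]): "
    r"(?P<action>Built|Teardown)(?: (?P<direction>inbound|outbound))? "
    r"(?P<transport>\w+) connection for "
    + _addr("faddr") + " " + _addr("gaddr") + " " + _addr("laddr")
)


def parse_asa_connection(line):
    """Return the extracted fields for one event, or None if it is not a 30202x message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    # Normalise through the standard library so malformed literals raise instead of
    # being indexed as-is (note: a truncated literal can still be a valid address).
    for key in ("faddr", "gaddr", "laddr"):
        g[key] = str(ipaddress.ip_address(g[key]))
    # Assumed mapping, matching the field names shown in the post's output.
    return {
        "msg_id": g["msg_id"],
        "action": g["action"],
        "direction": g["direction"],
        "transport": g["transport"],
        "dest_ipv6": g["faddr"],
        "src_ipv6": g["laddr"],
        "gaddr": g["gaddr"],
    }


def is_truncated(line, extracted):
    """True when `extracted` never appears in `line` as a stand-alone address,
    i.e. it only occurs as the suffix of a longer one (the bug reported above)."""
    standalone = r"(?<![0-9A-Fa-f:])" + re.escape(extracted) + r"(?![0-9A-Fa-f:])"
    return re.search(standalone, line) is None


def check_extractions(line, fields):
    """Names of the address fields in `fields` that are truncated relative to `line`."""
    return [k for k in ("src_ipv6", "dest_ipv6") if is_truncated(line, fields[k])]


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        parsed = parse_asa_connection(raw)
        print(parsed)
        # The extraction quoted in the post lost the leading "2001" group:
        buggy = dict(parsed, src_ipv6="420:44e6:2010::2013")
        print("truncated fields in post's output:", check_extractions(raw, buggy))
```

Running the block prints the full addresses for both events and reports src_ipv6 as truncated when given the value from the post; the same is_truncated check can be used as a quick sanity test against any extraction that claims to produce an IPv6 field.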