
Cisco Security Suite: Why is Splunk Add-on for Cisco ASA lookup definition for "action" not working?

Richfez
SplunkTrust

EDIT : New information at the end.

When I run a search over our ASA, all the fields defined by the splunk_ta_cisco-asa work except one. I have severity lookups and vendor classes, but I have no "action" defined even though it should be. This is important because a lot of graphs in the network side of the Cisco Security Suite require "action" to be defined in order to report.

I'm not an expert by any means, but I spent time last week trying to track down how it should be doing what it doesn't quite do, but I still can't figure out why it's not working.

In props.conf, the lookup for action is defined right next to several lookups that work fine (like the severity lookup).
LOOKUP-cisco-asa-action_lookup = cisco_action_lookup vendor_action OUTPUT action

In transforms.conf, again next to others that work fine, the cisco_action_lookup is defined.
[cisco_action_lookup]
filename = cisco_action_lookup.csv

So, one of the broken searches is this:
eventtype=cisco-firewall action="*" | timechart count by action

It is easy to modify it to be a working search and test that the lookup actually works by just manually specifying the lookup ahead of search action="*":
`eventtype=cisco-firewall | lookup cisco_action_lookup vendor_action OUTPUT action | search action="*" | timechart count by action`

The fixed search returns data with action fully populated, unlike the unfixed search.

UPDATE : I have found out more and though it still doesn't make sense to me, perhaps it will to someone.

If I aliased the output field at the end so:
LOOKUP-cisco_action_lookup = cisco_action_lookup vendor_action OUTPUT action AS aa_action
then aa_action shows up just fine.

When I again remove the alias, action disappears from the output.

UNLESS I run a wide enough search (a day's worth of data or more) then I can sometimes find ONE "action" set to "unknown". So when aliased to aa_action, it shows up on about 20-35% of the events depending on what time period you pick. When not aliased, I get approximately one "action" per million events and it's set to unknown. (And it is indeed an odd line).

Can "action" be being unset somehow? Early on I grepped through the etc folders making sure, but I could have missed something. How best to find such a thing, if this is what's happening?

1 Solution

joelyon
Explorer

I also had the same issue with the Splunk_TA_cisco-asa ver 3.2.

issue earlier today... I believe the problem with version 3.2 is that two LOOKUP statements at the end of the cisco:asa sourcetype section were incomplete, causing the "action" LOOKUP to not be exercised correctly....

Here are the corrected/completed LOOKUP statements:
LOOKUP-cisco_asa_change_analysis = cisco_asa_change_analysis_lookup message_id OUTPUTNEW change_class change_description action change_type object_type
LOOKUP-cisco-asa_severity_expansion = cisco_asa_syslog_severity_lookup log_level OUTPUT severity_level description

This corrected the problem for me.

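The question asks how to find out whether something is unsetting "action", and the accepted answer traces it to two incomplete LOOKUP statements in the same cisco:asa stanza, one of which also emits an `action` field. A quick way to check for that class of problem is to audit props.conf for every automatic lookup that writes a given field into the same sourcetype and flag the ones that use OUTPUT (which overwrites an existing value) rather than OUTPUTNEW (which only fills in a missing one). The script below is an added example written for this thread, not code from the Splunk Add-on for Cisco ASA or the Cisco Security Suite. The sample props.conf it parses is constructed here: the stanza keys mirror the ones quoted in the thread, but the "before" content is a hypothetical illustration of a second lookup clobbering `action`, not the TA's actual shipped lines. Treating ASCII order of the LOOKUP-* keys as the application order is an assumption for this demonstration.

```python
"""Audit Splunk props.conf for automatic lookups that write the same field.

Added example for the thread above; not part of the Cisco ASA TA.
Run it on a plain props.conf, or on the merged output of
`splunk btool props list cisco:asa` (without --debug, so lines keep the
plain `key = value` shape this parser expects).
"""
import re
from collections import defaultdict

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
LOOKUP_KEY_RE = re.compile(r"^(?P<key>LOOKUP-[^=\s]+)\s*=\s*(?P<value>.+?)$")

# Constructed sample. The change_analysis line deliberately uses OUTPUT so it
# overwrites whatever the action lookup produced; it is NOT the TA's real line.
SAMPLE_PROPS = """
[cisco:asa]
LOOKUP-cisco-asa-action_lookup = cisco_action_lookup vendor_action OUTPUT action
LOOKUP-cisco-asa_severity_expansion = cisco_asa_syslog_severity_lookup log_level OUTPUT severity_level description
LOOKUP-cisco_asa_change_analysis = cisco_asa_change_analysis_lookup message_id OUTPUT change_class change_description action change_type object_type

[cisco:pix]
LOOKUP-cisco-pix-action_lookup = cisco_action_lookup vendor_action OUTPUT action
"""

# Same file with the change_analysis lookup switched to OUTPUTNEW, as in the answer.
FIXED_PROPS = SAMPLE_PROPS.replace("message_id OUTPUT ", "message_id OUTPUTNEW ")


def _split_fields(tokens):
    """Map event-side field name -> lookup-side field name.

    'action AS aa_action severity' becomes {'aa_action': 'action', 'severity': 'severity'}.
    """
    fields = {}
    i = 0
    while i < len(tokens):
        name = tokens[i].rstrip(",")
        if i + 2 < len(tokens) and tokens[i + 1].upper() == "AS":
            fields[tokens[i + 2].rstrip(",")] = name
            i += 3
        else:
            fields[name] = name
            i += 1
    return fields


def parse_lookup_value(value):
    """Parse '<transform> <inputs...> [OUTPUT|OUTPUTNEW <outputs...>]'."""
    tokens = value.split()
    transform, mode, idx = tokens[0], None, len(tokens)
    for n, tok in enumerate(tokens[1:], start=1):
        if tok.upper() in ("OUTPUT", "OUTPUTNEW"):
            mode, idx = tok.upper(), n
            break
    inputs = _split_fields(tokens[1:idx])
    # With no OUTPUT clause Splunk emits every column of the lookup table; we
    # cannot know those without the CSV, so record an empty output set.
    outputs = _split_fields(tokens[idx + 1:]) if mode else {}
    return {"transform": transform, "inputs": inputs, "mode": mode, "outputs": outputs}


def parse_props(text):
    """Return {stanza: {LOOKUP-key: parsed value}} for every LOOKUP-* setting."""
    stanzas = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = LOOKUP_KEY_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key")] = parse_lookup_value(m.group("value"))
    return dict(stanzas)


def writers_of(field, props_text):
    """Every (stanza, key, mode, lookup-side field) that emits `field` into events."""
    hits = []
    for stanza, lookups in parse_props(props_text).items():
        for key in sorted(lookups):  # ASSUMPTION: ASCII key order ~ application order
            lk = lookups[key]
            if field in lk["outputs"]:
                hits.append((stanza, key, lk["mode"], lk["outputs"][field]))
    return hits


def clobber_candidates(field, props_text):
    """Stanzas where a later lookup uses OUTPUT on a field an earlier one already set."""
    by_stanza = defaultdict(list)
    for stanza, key, mode, _src in writers_of(field, props_text):
        by_stanza[stanza].append((key, mode))
    return {
        stanza: [k for k, m in writers[1:] if m == "OUTPUT"]
        for stanza, writers in by_stanza.items()
        if any(m == "OUTPUT" for _k, m in writers[1:])
    }


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_PROPS), ("after", FIXED_PROPS)):
        print(label, "writers:", writers_of("action", text))
        print(label, "possible clobbers:", clobber_candidates("action", text))
```

Point it at the merged configuration rather than a single app's props.conf: a lookup defined in another app (the poster mentions disabling "other couple of apps that create an action field") lands in the same sourcetype stanza once Splunk merges them, and only the merged view shows every writer.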


Richfez
SplunkTrust

Changing those two lines did the trick!


vmicovic2
Explorer

Hi, I have the latest version, 3.4.0, and have a similar problem...
3 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.

Could not load lookup=LOOKUP-cisco-asa-action_lookup
Could not load lookup=LOOKUP-cisco-pix-action_lookup
Could not load lookup=LOOKUP-cisco_fwsm_action_lookup

I am not sure where I need to fix this; can you please explain?

tnx.

Richfez
SplunkTrust

@vmicovic2,
You are probably better off asking a new question, since this question was closed and answered 4 years ago.

(Also - I'd look at your various lookup permissions, but if you post this with some supporting information as a new question I'm sure you'll get a LOT more detail to help you solve your problem faster and better!)


rtrobock
New Member

Looks like in 3.2.4, the severity_expansion lookup is still not complete


jordanperks
Path Finder

I am currently experiencing the exact same issue. If, in the automatic lookup, I change the way the action field is displayed to "action1", I get an action1 field. If I go back to action, I get nothing.


Richfez
SplunkTrust

Yes, I've opened a case on this because it seems that it's not quite a "Cisco Security Suite" problem, more of just a LOOKUP issue. I have done a bit more work trying to decide where the problem lies:

I have found that disabling the other couple of apps that "create" an action field and commenting out all the remaining places it might get created does not fix the issue.

I also found that recreating that lookup in etc/apps/search/local/transforms.conf and props.conf, then removing them entirely from the Cisco ASA TA, also does not make them work (except for that once-in-a-million event that appears to be tagged correctly as "action=unknown").

I may need to update the answer, here, or perhaps close this one and re-open a new answers question excluding (or minimizing) the Cisco Security Suite side of things.


jordanperks
Path Finder

Everything you tried, I also tried with the same results as you.


jordanperks
Path Finder

I have found a workaround that will populate the data model/ES dashboards effectively, but still do not have any luck in search. For now I have a built a quick macro for manually invoking the lookup in search. I would be very interested in what you find out.
