Getting Data In

Cisco Firewalls Add-on host recognition problem

Narj
Path Finder

Hi all,

I've got the Cisco Firewall Addon (latest version with Security Suite) in and working, however I notice that it isn't recognising the host name properly; all events are showing as being from the box that my light forwarder is on. (host=myforwarderboxname)

It looks like this stanza in the transforms.conf will be the issue

[cisco_firewall_hostoverride]
DEST_KEY = MetaData:Host
REGEX = \S+\t\S+\s(.*)\t+
FORMAT = host::$1

However, I tried changing the regex to \s\d+:\d+:\d+\s(.*)\s\% (works on a field extraction) and restarting but this didn't work.

View source from splunk shows:

Sep 18 13:10:02 myfirewall %ASA-6-302014: Teardown TCP connection 54647599 for outside....

Is anyone else doing the same thing, and if so, how did you fix it? 🙂

Thanks!

EDIT:

Right, after some brain-ache, I found that I can fix this by editing:

/opt/splunk/etc/apps/Splunk_CiscoFirewalls/default/props.conf

And appending syslog-host on the end of the first transforms line, eg:

[source::...cisco]

TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall, syslog-host

There must be a foolproof way of doing this... I know that if I upgrade the app, then this will probably get wiped out.

Do I need to add a one-liner in the local folder in a new props.conf?

ie: TRANSFORMS-syslog-host

Tags (4)
0 Karma
1 Solution

emotz
Splunk Employee
Splunk Employee

Why not put the props entry in
/opt/splunk/etc/apps/Splunk_CiscoFirewalls/local/props.conf so it isn't overwritten after upgrade.

[source::...cisco]
TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall, syslog-host

You can always remove the ones you don't want it to call as well.

View solution in original post

0 Karma

emotz
Splunk Employee
Splunk Employee

Why not put the props entry in
/opt/splunk/etc/apps/Splunk_CiscoFirewalls/local/props.conf so it isn't overwritten after upgrade.

[source::...cisco]
TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall, syslog-host

You can always remove the ones you don't want it to call as well.

View solution in original post

0 Karma

Narj
Path Finder

Many thanks! Much appreciated. 🙂

0 Karma

emotz
Splunk Employee
Splunk Employee

Yes - local always overrides default.
Yes you can put in a blank stanza if needed
Docs explain who wins here ->
http://docs.splunk.com/Documentation/Splunk/5.0.4/admin/Wheretofindtheconfigurationfiles

0 Karma

Narj
Path Finder

Thanks, that sounds like it'll work better! If there is a duplicate entry in the local folder, I take it that overrides the default one?

How do I effectively "remove" an entire stanza in the "local" version of the file by the way? just add a blank stanza by the same name or something?

0 Karma

Narj
Path Finder

Just noticed that this ASA app has a catch all transform for cisco, which could be problematic!

[force_sourcetype_for_cisco_catchall]
DEST_KEY = MetaData:Sourcetype
REGEX = :\s\%((SNMP|CDP|FAN|LINE|LINEPROTO|RTD|SYS|C\d+_[^-]+)-\d+-\S+)
FORMAT = sourcetype::cisco

That's not really an exhaustive list so you can end up with split sourcetype for cisco kit... I've commented that out for now, but as above... if there's a more elegant way to override this, I'd appreciate some advice.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!