Reporting

How to generate a report showing Cisco ASA Firewall Rules being used by users?

kgangulw
Engager

Hi,

We have a Cisco ASA which logs directly to Splunk. We want to generate a report that shows which Firewall Rules are being hit the most on the ASA by users. Does anyone know how I could generate a report of that nature?

Thanks

0 Karma
1 Solution

mikaelbje
Motivator

How about this?

sourcetype="cisco:asa" | stats count BY rule

If you are using Identity Based Firewall and have the users identified by the ASA try this search:

sourcetype="cisco:asa" | chart count OVER rule BY user  

These searches will work if you have the Cisco ASA Add-on installed.

See http://docs.splunk.com/Documentation/Splunk/6.2.2/Report/Createandeditreports for a primer on creating reports.

0 Karma

dhaertel
Path Finder

I ended up with a very large result with the basic count search, so I added a couple of things to ignore, so instead of:

sourcetype="cisco:asa" | chart count OVER rule BY user      

I went with:

sourcetype="cisco:asa"  description!="Warning conditions"  description!="Normal but significant conditions" | chart  count OVER rule BY user

This returns error and Immediate action needed results only. I don't ignore the others, I just don't run the count with those included as often. Basically I run the immediate action needed and error type daily and the full count weekly.

0 Karma

kgangulw
Engager

Hi there,

Thank you for the reply, but my Splunk only has sourcetype=syslog. I don't get any results for the two queries you have given. Do I need to install the Cisco Add-on to get any meaningful information like that?

We have Juniper firewalls as well, and for them no new add-on was required. Maybe Cisco logs differently.

Thank you nevertheless. If you have any other ideas, let me know, and I will try the add-on as well.

0 Karma

mikaelbje
Motivator

Yes, that add-on will provide the necessary field extractions for ASA. There are add-ons for other technologies too. They offer similar functionality.

Using the add-ons saves you time creating regular expressions.

I don't have any experience with Juniper, but do a search for the app and you're likely to find something that works.

Link to the ASA Add-on: https://splunkbase.splunk.com/app/1620/

Other apps you might be interested in:
- Cisco Networks App for IOS and WLC: https://splunkbase.splunk.com/app/1352/
- Cisco Networks Add-on for IOS and WLC: https://splunkbase.splunk.com/app/1467
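
The accepted searches (stats count BY rule, chart count OVER rule BY user) depend on the rule field that the Cisco ASA Add-on extracts. The script below is an added example, not code from this thread or from the add-on, showing what that extraction does and how to get the same per-rule count straight from raw ASA syslog when the data only has sourcetype=syslog. It assumes the ASA emits %ASA-6-106100 messages, the documented per-ACE "access-list ... permitted/denied" log with a hit-cnt value; the sample log lines, the host name fw01 and the rule names are constructed for the example. It does not extract users, because that needs Identity Firewall and a separate extraction.

```python
"""Per-rule hit report from raw Cisco ASA syslog (added example, not the add-on's code).

Assumes the ASA logs %ASA-6-106100 access-list messages. Sample lines below are
constructed; host fw01, the rule names and the addresses are made up.
"""
import re
from collections import Counter

# %ASA-6-106100: access-list <acl_ID> permitted|denied <proto> <in_if>/<src>(<sport>)
#                -> <out_if>/<dst>(<dport>) hit-cnt <n> (first hit | <i>-second interval) [hashes]
ASA_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<rule>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Equivalent Splunk search on the raw sourcetype, without the add-on (assumes sourcetype=syslog):
#   sourcetype=syslog "%ASA-6-106100"
#   | rex "access-list (?<rule>\S+) (?<action>permitted|denied)"
#   | stats count BY rule

# Constructed sample events (not real traffic).
SAMPLE_LOGS = [
    "Mar 11 10:00:01 fw01 %ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.10(51234) -> inside/10.0.0.5(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "Mar 11 10:00:02 fw01 %ASA-6-106100: access-list outside_in denied tcp outside/198.51.100.7(40001) -> inside/10.0.0.5(22) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]",
    "Mar 11 10:00:03 fw01 %ASA-6-106100: access-list inside_out permitted udp inside/10.0.0.9(53000) -> outside/192.0.2.53(53) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]",
    "Mar 11 10:00:04 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "Mar 11 10:00:05 fw01 %ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.11(51235) -> inside/10.0.0.5(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
]


def parse_line(line):
    """Return the extracted fields of a 106100 message, or None for any other event."""
    m = ASA_106100.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["hits"] = int(fields["hits"])
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def rule_report(lines, weight_by_hit_cnt=False):
    """Hits per access-list name, the equivalent of `stats count BY rule`.

    With weight_by_hit_cnt=True each event contributes its hit-cnt instead of 1.
    That matters because the ASA rate-limits 106100 per flow and folds repeated
    hits into one message whose hit-cnt is greater than 1, so a plain event
    count understates how often the rule actually matched.
    """
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        counts[f["rule"]] += f["hits"] if weight_by_hit_cnt else 1
    return counts


def rule_action_report(lines):
    """Counts keyed by (rule, action), like `chart count OVER rule BY action`."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f is not None:
            counts[(f["rule"], f["action"])] += 1
    return counts


if __name__ == "__main__":
    events = rule_report(SAMPLE_LOGS)
    weighted = rule_report(SAMPLE_LOGS, weight_by_hit_cnt=True)
    for rule, n in events.most_common():
        print(f"{rule:<12} events={n:<3} hits={weighted[rule]}")
```

Non-106100 events (the 302013 connection build in the sample) are skipped rather than counted, which is also what the add-on's rule field does implicitly: events without an access-list name simply have no rule. When deciding between counting events and summing hit-cnt, check the ASA's logging rate-limit settings, since the gap between the two grows with the interval the ASA uses to aggregate repeated hits.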

kgangulw
Engager

Thanks a lot. I will certainly be trying the Add-on. I will come back here if I run into issues :).

0 Karma