Description
The Splunk for Cisco Firewalls technology add-on is a collection of inputs, field extractions, and other search-time knowledge used to drive reporting and search for data collected from Cisco firewall devices (FWSM, PIX, ASA). This add-on can be used standalone, or it can be installed with the Cisco Security Suite umbrella app and the other Cisco Security Suite apps and add-ons to provide a single-pane-of-glass interface and out-of-the-box reports on Cisco firewall devices and other Cisco technology data. Important note: this add-on, under its new name, Splunk for Cisco Firewalls, replaces the older and very popular Cisco Firewalls add-on and contains all of the functionality of its predecessor plus the enhancements listed in the release notes below. Additional information and the download for Cisco Security Suite can be found on Splunkbase. The other Cisco Security Suite apps and add-ons include:
Installation and configuration instructions for this add-on can be found in the README file within the downloaded package.
Versions and Release Notes
Version 2.0 (current version - updated Jan 25, 2013)
release notes:
Reports and dashboards have been removed from the plug-in and placed in the Cisco Security Suite. Please download the Cisco Security Suite for the search head components.
Version 1.0.1
(updated May 21, 2011)
release notes:
Resolved minor issue (SOLN-1639) within the Cisco Firewall dashboards that causes a ValueError(22, "Invalid Argument") error when running Cisco Firewall on a Windows system.
Version 1.0.0
(updated Mar 11, 2011)
release notes:
Updated to provide compatibility with Splunk 4.2
To fix the transforms (it doesn't see incoming data and label it correctly):
Go to file:
/opt/splunk/etc/apps/Splunk_CiscoFirewalls/default/transforms.conf
Search for:
[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
#REGEX = %ASA-\d+-\d+
REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa
Change to:
[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d+-\d+
#REGEX = %ASA--\d+-\d+
FORMAT = sourcetype::cisco_asa
ASA SYSLOG messages have a single '-' not '--', at least in my implementation.
Great help! Thank you.
THANK YOU!
Many thanks, hopefully this will be fixed in future versions.
I have no idea why that transform was changed as I've never seen log messages with two dashes from ASA.
BUG REPORT:
WARN SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='product_static_IDS'
(Below should read product _ static)
$ grep -ir product_static .
./default/transforms.conf:[product_static_ACS]
./default/transforms.conf:[product_static_ASA]
./default/transforms.conf:[product_static_FWSM]
./default/transforms.conf:[product_static_PIX]
./default/transforms.conf:[product_static_IOS]
./default/props.conf:REPORT-product_for_sourcetype_cisco_xml = product_static_IDS
./default/props.conf.bak:REPORT-product_for_sourcetype_cisco_xml = product_static_IDS
./default/props.conf.bak:REPORT-product_for_sourcetype_cisco_acs = product_static_ACS
./default/props.conf.bak:REPORT-product_for_sourcetype_cisco_asa = product_static_ASA
./default/props.conf.bak:REPORT-product_for_sourcetype_cisco_FWSM = product_static_FWSM
./default/props.conf.bak:REPORT-product_for_sourcetype_cisco_pix = product_static_PIX
./default/props.conf.bak:REPORT-product_for_sourcetype_cisco_ios = product_static_IOS
Not sure if this is the right place, but I've added a quick and dirty field extraction to process the ACL log interfaces and IPs.
106023: Deny \w+ src (?P<src_if>\S+):(?P<src_ip>\S+) dst (?P<dest_if>\S+):(?P<dest_ip>\S+)
I have not extracted the protocol (first \w+) because the actual Cisco for ASA gets it right on its own.
Thanks.
Recommend adding transform to extract fields in a shun event for cisco syslog error_code=401002 and error_code=401003
Example events:
11:08:15.000 PM Oct 25 23:08:15 mypix %PIX-4-401002: Shun added: 123.123.123.123 0.0.0.0.0 0 0 host=mypix
11:15:15.000 PM Oct 25 23:15:15 mypix %PIX-4-401003: Shun deleted: 123.123.123.123 host=mypix
Transform:
[ciscosyslog-shun_added]
REGEX = \s+Shun\s(added)\:\s([\d+\.]+\d+)\s([\d+\.]+\d+)\s
FORMAT = shun_action::$1 shun_host::$2 shun_mask::$3
[ciscosyslog-shun_deleted]
REGEX = \s+Shun\s(deleted)\:\s([\d+\.]+\d+)
FORMAT = shun_action::$1 shun_host::$2
Change for the appropriate Cisco syslog device types to add the reports to
Props:
[cisco_pix]
REPORT-pix = ciscosyslog-eventinfo, ciscosyslog-transport, ciscosyslog-user, ciscosyslog-src_dom_addr_port, ciscosyslog-dst_dom_addr_port, ciscosyslog-to_addr_port, ciscosyslog-from_addr_port, ciscosyslog-action-allowed, ciscosyslog-action-blocked, ciscosyslog-accessgroup, ciscosyslog-foreign_addr_port, ciscosyslog-local_addr_port, ciscosyslog-public_addr_port, ciscosyslog-duration, ciscosyslog-bytes, ciscosyslog-shun_added, ciscosyslog-shun_deleted
Please fix the next version with the following:
[ciscosyslog-to_addr_port]
REGEX = \s+to (?:([\w-]+):)?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:/([^\s,]+))?\s*
FORMAT = dest_dom::$1 dest_ip::$2 dest_port::$3
instead of what's included in the default:
.....(\S+))?\s*
With the default code, messages we were seeing in our FW logs, such as:
Feb 18 03:46:28 192.168.254.100 %ASA-6-303002: FTP connection from outside:xxx.xxx.xxx.xxx/33816 to inside:192.168.254.66/21, user anonymous Retrieved file
ended up with dest_ports of "21," instead of just "21".
Thanks.
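As an added check that is not part of this page or the add-on, the Python harness below emulates a transforms.conf REGEX/FORMAT pair and runs the regexes posted in the comments above (the one-dash sourcetype fix, the shun transforms, and the to_addr_port fix) against the sample events quoted there, so a change can be verified offline before it is deployed. It assumes Python's re is close enough to Splunk's PCRE for these patterns; the "default" to_addr_port pattern is an assumed stand-in built by substituting (\S+) for the port group, and the masked source IP in the FTP event is a constructed placeholder.

```python
import re

# Constructed sample events, copied from the comments on this page (the FTP
# event's masked source address is replaced with a documentation IP).
SHUN_ADDED_EVENT = "Oct 25 23:08:15 mypix %PIX-4-401002: Shun added: 123.123.123.123 0.0.0.0.0 0 0"
SHUN_DELETED_EVENT = "Oct 25 23:15:15 mypix %PIX-4-401003: Shun deleted: 123.123.123.123"
FTP_EVENT = ("Feb 18 03:46:28 192.168.254.100 %ASA-6-303002: FTP connection from "
             "outside:203.0.113.7/33816 to inside:192.168.254.66/21, user anonymous Retrieved file")

# Sourcetype regex as shipped in 2.0 (two dashes) and the one-dash correction.
ASA_SOURCETYPE_SHIPPED_RE = r"%ASA--\d+-\d+"
ASA_SOURCETYPE_FIXED_RE = r"%ASA-\d+-\d+"
ASA_SOURCETYPE_FMT = "sourcetype::cisco_asa"

# Shun REGEX/FORMAT pairs exactly as proposed for transforms.conf.
SHUN_ADDED_RE = r"\s+Shun\s(added)\:\s([\d+\.]+\d+)\s([\d+\.]+\d+)\s"
SHUN_ADDED_FMT = "shun_action::$1 shun_host::$2 shun_mask::$3"
SHUN_DELETED_RE = r"\s+Shun\s(deleted)\:\s([\d+\.]+\d+)"
SHUN_DELETED_FMT = "shun_action::$1 shun_host::$2"

# Proposed to_addr_port fix; [\w-] stands in for [\w-_] because Python's re rejects
# a range ending in '_' (and \w already contains the underscore).
TO_ADDR_PORT_FIXED_RE = r"\s+to (?:([\w-]+):)?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:/([^\s,]+))?\s*"
# Assumed stand-in for the shipped default: identical except the port group is
# (\S+), which the comment identifies as the source of the trailing comma.
TO_ADDR_PORT_DEFAULT_RE = TO_ADDR_PORT_FIXED_RE.replace(r"([^\s,]+)", r"(\S+)")
TO_ADDR_PORT_FMT = "dest_dom::$1 dest_ip::$2 dest_port::$3"


def apply_transform(regex: str, fmt: str, event: str) -> dict:
    """Emulate a transforms.conf REGEX/FORMAT pair: run the regex once against the
    event and map each 'field::value' token in FORMAT to a field. Optional
    groups that did not take part in the match produce no field."""
    match = re.search(regex, event)
    if match is None:
        return {}
    fields = {}
    for token in fmt.split():
        name, ref = token.split("::")
        # A "$N" reference pulls capture group N; anything else is a literal value.
        value = match.group(int(ref[1:])) if ref.startswith("$") else ref
        if value is not None:
            fields[name] = value
    return fields


def dest_port(regex: str, event: str) -> str:
    """Extract only dest_port so the default and fixed regexes compare directly."""
    return apply_transform(regex, TO_ADDR_PORT_FMT, event).get("dest_port", "")
```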