
Cisco Firewall Add-on - empty results

ahammond
Explorer

In Security Suite under Firewall > Overview, the search shows no results. Viewing the Inspect shows the search: eventtype="cisco_firewall" | bin _time span=5m | stats count by eventtype, src_ip, dest_ip, host, log_level_desc, event_desc, _time

If I remove each transform filter one at a time, I find that neither log_level_desc nor event_desc will return results, as if they do not exist in the indexed data. If I remove them both, then results are displayed.

Where do I start looking?
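An added example, not code from the thread or from the Cisco add-on, that reproduces the symptom described above: a `stats count by ...` clause silently drops every event in which any of the by-fields is null, so if log_level_desc or event_desc is never populated, the whole panel comes back empty. The regexes, the severity and message-ID tables and the sample syslog lines are constructed assumptions standing in for the add-on's own extractions and lookups; the SPL-side equivalent of the `fillnull` parameter is running `fillnull value=NULL` before the `stats`.

```python
import re
from collections import Counter

# Constructed Cisco ASA syslog lines (sample input, not from the thread).
SAMPLE_EVENTS = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/4433 dst inside:192.0.2.10/22 by access-group "acl_out"',
    "%ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.7/51000 (203.0.113.7/51000) to inside:192.0.2.20/443 (192.0.2.20/443)",
    '%ASA-4-106023: Deny udp src outside:203.0.113.9/5353 dst inside:192.0.2.30/53 by access-group "acl_out"',
]

ASA_HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msg_id>\d{6}):\s*(?P<body>.*)")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# ASA syslog severity levels 0-7 (standard Cisco names).
LOG_LEVEL_DESC = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Hypothetical stand-in for a message-ID lookup; 302013 is deliberately absent
# to reproduce an event that has no event_desc after extraction.
EVENT_DESC = {"106023": "Deny protocol src interface:addr/port dst interface:addr/port by access-group acl"}

def extract(line):
    """Pull the fields the overview search groups by out of one raw line."""
    m = ASA_HEADER.search(line)
    if not m:
        return None
    ips = list(dict.fromkeys(IPV4.findall(m["body"])))  # unique, in order of appearance
    return {
        "msg_id": m["msg_id"],
        "src_ip": ips[0] if ips else None,
        "dest_ip": ips[1] if len(ips) > 1 else None,
        "log_level_desc": LOG_LEVEL_DESC.get(int(m["sev"])),
        "event_desc": EVENT_DESC.get(m["msg_id"]),  # None when the lookup misses
    }

def parse_all(lines):
    return [ev for ev in map(extract, lines) if ev]

def stats_count_by(events, by_fields, fillnull=None):
    """Emulate `stats count by ...`: an event missing any by-field is dropped,
    which is exactly what running `fillnull` before the stats prevents."""
    counts = Counter()
    for ev in events:
        key = tuple(ev.get(f) if ev.get(f) is not None else fillnull for f in by_fields)
        if None in key:
            continue
        counts[key] += 1
    return counts

BY_FIELDS = ("src_ip", "dest_ip", "log_level_desc", "event_desc")
```

Running `stats_count_by(parse_all(SAMPLE_EVENTS), BY_FIELDS)` counts only the two events whose message ID the lookup knows; adding `fillnull="NULL"` brings the third back, which is the same effect as checking `| stats count(event_desc) count` in Splunk to see how many events carry the field at all.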

bpad
New Member

My sourcetype is 'cisco_asa' after fixing the regex, but in "Cisco Firewall overview", for example, the field event_desc shows something like this:

"Deny protocol src [interface_name:sourceaddress/source_port] dst interfacename:dest_address/dest_port [type {string}, code {code}] by accessgroup aclID"

The other fields get extracted correctly. Perhaps someone has a hint?
Where is the field event_desc defined? Can I manually edit it?
Thanks in advance

Bpad


bpad
New Member

Mine is also v8.2. What versions are other people using? This ASA plugin is great and I hope someone can help to fix this?!


cvajs
Contributor

I notice this too, but my data is from v8.2; must be an extraction issue in the base app?


cvajs
Contributor

If it's a newer ASA, then maybe you need to fix the regex for this sourcetype.
See http://splunk-base.splunk.com/answers/42936/cisco-asa-logging-format-change
