
Missing Cisco ASA event types

marksnelling
Communicator

I've installed the Splunk for Cisco ASA app and the Cisco ASA Technology Add-On and am not getting anything showing up in the dashboard.
My Splunk instance is definitely collecting the firewall syslog data and the sourcetype cisco:asa is being applied, but it doesn't look like the event types are being mapped.
Here's an example of some of the firewall logs:

Sep 10 13:38:59 a.b.c.d %ASA-4-106023: Deny tcp src Outside:x.x.x.x/y dst DMZ:x.x.x.x/y by access-group "Outside_access_in_1" [0x0, 0x0]
Sep 10 13:38:59 a.b.c.d %ASA-4-106023: Deny tcp src Outside:x.x.x.x/y dst Inside:x.x.x.x/y by access-group "Outside_access_in_1" [0x0, 0x0]
Sep 10 13:38:59 a.b.c.d %ASA-4-106023: Deny tcp src Outside:x.x.x.x/y dst Inside:x.x.x.x/y by access-group "Outside_access_in_1" [0x0, 0x0]
Sep 10 13:38:59 a.b.c.d %ASA-3-710003: TCP access denied by ACL from x.x.x.x/y to Outside:x.x.x.x/y

kenth
Splunk Employee

Your setup of the app seems correct although your setup of the ASA does not. You need to enable "per access-list logging" which you do per rule. Set it to the level you output to syslog. Information if you want the build/teardowns, notifications if not.

Your log messages should now look like this:

"access-list ACL-outside permitted tcp outside/10.1.1.1(40599) -> inside/172.16.1.2(80) "

I'll consider adding the old log format to the TA later today.
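The following is an added example for this thread, not code from the original posts and not part of the Splunk for Cisco ASA app or its Technology Add-On. It parses the two log shapes that appear here: the %ASA-4-106023 and %ASA-3-710003 "Deny ..." messages in the question, which the ASA emits for ACL denies when no per-entry logging is configured, and the %ASA-x-106100 "access-list ... permitted|denied ..." messages that the answer says appear once logging is enabled on each access-list entry. It also reports whether any 106100 messages are present at all, which is the quickest way to tell from the syslog feed whether the per-entry `log` keyword is actually set. All sample lines are constructed (RFC 5737 addresses); the 302013 connection-built line is there only to show an unhandled message ID being skipped. On the ASA, the per-entry setting is the `log [level]` keyword on each access-list entry, and `logging trap` must be at or above that level for the message to reach the syslog collector.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Every ASA syslog body starts with "%ASA-<severity>-<6-digit id>: ".
_HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msg_id>\d{6}):\s*(?P<body>.*)$")

# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>" [0x.., 0x..]
# ICMP variants carry "type N, code N" before "by access-group", hence the lazy ".*?".
_DENY_106023 = re.compile(
    r"Deny (?P<proto>\S+) src (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)(?:/(?P<dst_port>\d+))?.*?"
    r'by access-group "(?P<acl>[^"]+)"'
)

# 710003: <TCP|UDP> access denied by ACL from <ip>/<port> to <if>:<ip>/<service>
# (no ACL name in this message, so acl stays None)
_DENY_710003 = re.compile(
    r"(?P<proto>TCP|UDP) access denied by ACL from (?P<src_ip>[^/\s]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\S+)"
)

# 106100: access-list <acl> permitted|denied|est-allowed <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>) [hit-cnt N ...]
_ACL_106100 = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[^(\s]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[^(\s]+)\((?P<dst_port>\d+)\)(?: hit-cnt (?P<hits>\d+))?"
)


@dataclass(frozen=True)
class AsaEvent:
    msg_id: str
    severity: int
    action: str               # normalised to "deny" or "permit"
    acl: Optional[str]
    proto: str
    src_if: Optional[str]
    src_ip: str
    src_port: Optional[str]
    dst_if: str
    dst_ip: str
    dst_port: Optional[str]   # a number, or a service name such as "ssh" in 710003
    hit_count: Optional[int] = None


def _parse_106023(sev: int, body: str) -> Optional[AsaEvent]:
    m = _DENY_106023.match(body)
    if not m:
        return None
    return AsaEvent("106023", sev, "deny", m["acl"], m["proto"].lower(), m["src_if"],
                    m["src_ip"], m["src_port"], m["dst_if"], m["dst_ip"], m["dst_port"])


def _parse_710003(sev: int, body: str) -> Optional[AsaEvent]:
    m = _DENY_710003.match(body)
    if not m:
        return None
    return AsaEvent("710003", sev, "deny", None, m["proto"].lower(), None,
                    m["src_ip"], m["src_port"], m["dst_if"], m["dst_ip"], m["dst_port"])


def _parse_106100(sev: int, body: str) -> Optional[AsaEvent]:
    m = _ACL_106100.match(body)
    if not m:
        return None
    action = "deny" if m["action"] == "denied" else "permit"   # est-allowed is a permit
    hits = int(m["hits"]) if m["hits"] else None
    return AsaEvent("106100", sev, action, m["acl"], m["proto"].lower(), m["src_if"],
                    m["src_ip"], m["src_port"], m["dst_if"], m["dst_ip"], m["dst_port"], hits)


_PARSERS: Dict[str, Callable[[int, str], Optional[AsaEvent]]] = {
    "106023": _parse_106023,
    "710003": _parse_710003,
    "106100": _parse_106100,
}


def parse_asa(line: str) -> Optional[AsaEvent]:
    """Return a structured event for the ACL message IDs handled here, else None."""
    m = _HEADER.search(line)
    if not m:
        return None
    parser = _PARSERS.get(m["msg_id"])
    return parser(int(m["sev"]), m["body"]) if parser else None


def acl_logging_report(lines: List[str]) -> Dict[str, object]:
    """Count ACL-related message IDs; 106023/710003 without any 106100 means
    the ASA is denying traffic but no access-list entry has the log keyword set."""
    ids: Counter = Counter()
    for line in lines:
        m = _HEADER.search(line)
        if m:
            ids[m["msg_id"]] += 1
    return {
        "deny_without_ace_logging": ids["106023"] + ids["710003"],
        "per_ace_logging": ids["106100"],
        "per_ace_logging_seen": ids["106100"] > 0,
    }


# Constructed sample lines in the two formats from this thread (RFC 5737 addresses).
SAMPLE_LINES = [
    'Sep 10 13:38:59 198.51.100.1 %ASA-4-106023: Deny tcp src Outside:203.0.113.7/51234 dst DMZ:192.0.2.10/443 by access-group "Outside_access_in_1" [0x0, 0x0]',
    'Sep 10 13:38:59 198.51.100.1 %ASA-4-106023: Deny udp src Outside:203.0.113.8/40001 dst Inside:192.0.2.20/53 by access-group "Outside_access_in_1" [0x0, 0x0]',
    'Sep 10 13:38:59 198.51.100.1 %ASA-3-710003: TCP access denied by ACL from 203.0.113.9/4444 to Outside:198.51.100.1/ssh',
    'Oct 18 10:53:40 198.51.100.1 %ASA-6-106100: access-list ACL-outside permitted tcp outside/10.1.1.1(40599) -> inside/172.16.1.2(80) hit-cnt 1 first hit',
    'Oct 18 10:53:41 198.51.100.1 %ASA-6-106100: access-list ACL-outside denied tcp outside/203.0.113.9(55000) -> inside/172.16.1.2(22) hit-cnt 3 300-second interval',
    'Oct 18 10:53:42 198.51.100.1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:10.1.1.1/40599 (10.1.1.1/40599) to inside:172.16.1.2/80 (172.16.1.2/80)',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_asa(line))
    print(acl_logging_report(SAMPLE_LINES))
```

Run it against a few minutes of your own firewall index export: if `per_ace_logging_seen` is False while `deny_without_ace_logging` is non-zero, the ASA is still emitting only the 106023/710003 form and the `log` keyword has not taken effect on the entries you expected.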


skytrain
Engager

Same problem here, Kent. Our ASA logs successfully to an index called 'firewall' and the log looks like this:

Oct 18 10:53:40 xxx.xxx.xxx.xxx %ASA-5-106100: access-list outside_access_out permitted udp inside/outside-if(46624) -> outside/xxx.xxx.xxx.xxx(53) hit-cnt 1 first hit

and yet the app's reporting 0 events.

Having the application understand the old format would also be very nice, but more importantly, slightly more detailed documentation is necessary. Nowhere did it say one should have a separate index called 'firewall', and we had to find that out by searching issues on this site.

kenth
Splunk Employee

What are you logging? Probably not what you should.

Does it show up in Splunk at all? If it comes into Splunk but doesn't have the right sourcetypes etc., then you've done something wrong during setup.


rmcdonald17
New Member

I have the same issue, but I have logging enabled and am still getting the same issue. Anyone fix this?
