Splunk® Supported Add-ons

Splunk Add-on for Cisco ASA


Release history for the Splunk Add-on for Cisco ASA

The latest version of the Splunk Add-on for Cisco ASA is version 4.1.0. See Release notes for the Splunk Add-on for Cisco ASA for release notes of this latest version.

Version 4.0.2

Version 4.0.2 of the Splunk Add-on for Cisco ASA was released on June 24, 2020.

Compatibility

Version 4.0.2 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.2, 7.3, 8.0
CIM: 4.15
Supported OS for data collection: OS independent
Vendor products: Cisco ASA v9.4, v9.12, v9.13
Supported Cisco ASA event message_ids: 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113003, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 302021, 303002, 304001, 305011, 305012, 305013, 313001, 313004, 313005, 313009, 314001, 338301, 338302, 400013, 400032, 402119, 405001, 419002, 419003, 500001, 500002, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 504001, 504002, 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 507003, 602101, 602303, 602304, 605005, 607001, 608001, 609001, 609002, 611101, 702307, 710002, 710003, 710005, 710006, 711004, 713041, 713049, 713075, 713119, 713120, 713130, 713154, 713160, 713162, 713163, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713903, 713905, 713906, 715001, 715009, 715038, 715046, 715065, 715076, 715080, 716001, 716002, 716014, 716015, 716016, 716038, 716039, 716058, 716059, 716603, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722036, 722037, 722041, 722051, 722053, 722055, 725001, 725002, 725003, 725006, 725007, 725008, 725010, 725011, 725012, 725014, 725016, 725017, 733100, 734001, 734003, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 751026, 805001, 805002, 805003, 338002

Note: As of version 4.0.0 of the Splunk Add-on for Cisco ASA, Splunk does not support PIX and FWSM source types. To support this transition, version 3.4.0 will remain available for 90 days after the release of 4.0.0.

New or changed features

As of version 4.0.2 of the Splunk Add-on for Cisco ASA, the following features were added or changed:

Event type changes

The following event types have been added in version 4.0.2:

  • cisco_asa_vpn
  • cisco_asa_vpn_start
  • cisco_asa_vpn_end


The event type cisco_asa_change is now named cisco_asa_configuration_change.

message_id changes

The CIM data model mappings for the following message_ids have changed:

message_id | Old Data Model | New Data Model
113004 | Network Sessions | Authentication
313004 | Network Sessions | Network Traffic
602303 | Network Traffic | Network Sessions
602304 | Network Traffic | Network Sessions
713228 | Change | Network Sessions
716038 | Network Sessions, Authentication | Authentication
716039 | Network Sessions, Authentication | Authentication

Mappings to CIM data models have been removed for the following message_ids:

713121, 713236, 714002, 714004, 714006, 714011, 715006, 715007, 715047, 715048, 715049, 715077, 771002

Fixed issues

Version 4.0.2 of the Splunk Add-on for Cisco ASA fixes the following issues:


Date resolved | Issue number | Description
2020-06-22 | ADDON-26648 | Cisco ASA: Issue with CIM mapping of Message ID - 113004
2020-06-22 | ADDON-26852 | Splunk Add-on for Cisco ASA missing eventtypes after upgrade to 4.0.1

Known issues

Version 4.0.2 of the Splunk Add-on for Cisco ASA has the following known issues:

Date filed | Issue number | Description
2020-07-24 | ADDON-27927 | Cisco ASA TA - cisco_asa_action_lookup.csv actions not consistent with CIM compliancy - "network_traffic" DM (action=allowed OR action=blocked)

Workaround:
We have changed the lookup to the right actions in order to fix that.

sed -i \
  -e 's/built,,built/built,,allowed/g' \
  -e 's/permitted,,permitted/permitted,,allowed/g' \
  -e 's/denied,,denied/denied,,blocked/g' \
  -e 's/deny,,deny/deny,,blocked/g' \
  /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/lookups/cisco_asa_action_lookup.csv
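The following is an added example, not part of this documentation or of the add-on: it performs the same vendor-action to CIM-action normalization as the sed workaround above, but first reports which lookup rows would fail the CIM Network Traffic check (action must be allowed or blocked, as the issue states). The lookup excerpt is constructed in the three-column shape the sed patterns operate on (vendor action, an empty middle column, action); the column names are an assumption, not the add-on's real header.

```python
import csv
import io

# Constructed excerpt of an action lookup, in the shape the page's sed patterns
# ("built,,built" and so on) operate on. Column names are an assumption.
SAMPLE_LOOKUP = """vendor_action,vendor_action_description,action
built,,built
permitted,,permitted
denied,,denied
deny,,deny
allowed,,allowed
blocked,,blocked
"""

# CIM Network Traffic action values named by ADDON-27927 on this page.
CIM_NETWORK_TRAFFIC_ACTIONS = {"allowed", "blocked"}

# The same vendor-to-CIM mapping the page's sed workaround applies.
VENDOR_TO_CIM = {
    "built": "allowed",
    "permitted": "allowed",
    "denied": "blocked",
    "deny": "blocked",
}


def non_cim_rows(lookup_text):
    """Return (vendor_action, action) pairs whose action is not a CIM Network Traffic value."""
    reader = csv.DictReader(io.StringIO(lookup_text))
    return [
        (row["vendor_action"], row["action"])
        for row in reader
        if row["action"] not in CIM_NETWORK_TRAFFIC_ACTIONS
    ]


def normalize_lookup(lookup_text):
    """Rewrite the action column using VENDOR_TO_CIM.

    Returns (new_csv_text, changed_rows) where changed_rows lists
    (vendor_action, old_action, new_action) for every row that was rewritten.
    Rows whose vendor action is not in the mapping are passed through unchanged."""
    reader = csv.DictReader(io.StringIO(lookup_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    changed = []
    for row in reader:
        wanted = VENDOR_TO_CIM.get(row["vendor_action"])
        if wanted and row["action"] != wanted:
            changed.append((row["vendor_action"], row["action"], wanted))
            row["action"] = wanted
        writer.writerow(row)
    return out.getvalue(), changed


if __name__ == "__main__":
    print("Non-CIM actions before:", non_cim_rows(SAMPLE_LOOKUP))
    fixed, changes = normalize_lookup(SAMPLE_LOOKUP)
    print("Changed rows:", changes)
    print("Still non-CIM after:", non_cim_rows(fixed))
    print(fixed)
```

Running `non_cim_rows` against the real lookup file before and after the edit is a quick way to confirm that no vendor action outside the four the sed workaround covers is still leaking a non-CIM value into the Network Traffic data model.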

2020-07-24 | ADDON-27928 | Cisco ASA TA - new Regex doesn't pick up spaces

Workaround:
The workaround for me is to delete the \s in the capturing group for the Group field.

We have identified a lot of regexes where it can happen and do these steps to work around it:

mkdir -p /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/

  1. Take all the "bad" regexes with a capturing group for the Group field:

grep -C 1 "<Group>[^*\s]" /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/default/transforms.conf > /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms0.conf

  2. Cleaning:

sed 's/--//g' /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms0.conf > /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms1.conf

  3. Remove the "\s":

sed 's/<Group>\[^\\>\\s/<Group>\[^\\>/g' /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms1.conf > /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms.conf

  4. Cleaning:

rm -f /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms0.conf /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms1.conf

Maybe our network admins have not done things properly when they created those firewall groups with spaces, but it's a reality in our context and we can't do anything about it.

Third-party software attributions

Version 4.0.2 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 4.0.1

Version 4.0.1 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.2, 7.3, 8.0
CIM: 4.15
Supported OS for data collection: OS independent
Vendor products: Cisco ASA v9.4, v9.12, v9.13
Supported Cisco ASA event message_ids: 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113003, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 302021, 303002, 304001, 305011, 305012, 305013, 313001, 313004, 313005, 313009, 314001, 338301, 338302, 400013, 400032, 402119, 405001, 419002, 419003, 500001, 500002, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 504001, 504002, 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 507003, 602101, 602303, 602304, 605005, 607001, 608001, 609001, 609002, 611101, 702307, 710002, 710003, 710005, 710006, 711004, 713041, 713049, 713075, 713119, 713120, 713121, 713130, 713154, 713160, 713162, 713163, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713236, 713903, 713905, 713906, 714002, 714004, 714006, 714011, 715001, 715006, 715007, 715009, 715038, 715046, 715047, 715048, 715049, 715065, 715076, 715077, 715080, 716001, 716002, 716014, 716015, 716016, 716038, 716039, 716058, 716059, 716603, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722036, 722037, 722041, 722051, 722053, 722055, 725001, 725002, 725003, 725006, 725007, 725008, 725010, 725011, 725012, 725014, 725016, 725017, 733100, 734001, 734003, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 751026, 771002, 805001, 805002, 805003, 338002

Note: As of version 4.0.0 of the Splunk Add-on for Cisco ASA, Splunk does not support PIX and FWSM source types. To support this transition, version 3.4.0 will remain available for 90 days after the release of 4.0.0.


Version 4.0.0

Version 4.0.0 of the Splunk Add-on for Cisco ASA was released on April 21, 2020.

Compatibility

Version 4.0.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.2, 7.3, 8.0
CIM: 4.15
Supported OS for data collection: OS independent
Vendor products: Cisco ASA v9.4, v9.12, v9.13
Supported Cisco ASA event message_ids: 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113003, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 302021, 303002, 304001, 305011, 305012, 305013, 313001, 313004, 313005, 313009, 314001, 338301, 338302, 400013, 400032, 402119, 405001, 419002, 419003, 500001, 500002, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 504001, 504002, 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 507003, 602101, 602303, 602304, 605005, 607001, 608001, 609001, 609002, 611101, 702307, 710002, 710003, 710005, 710006, 711004, 713041, 713049, 713075, 713119, 713120, 713121, 713130, 713154, 713160, 713162, 713163, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713236, 713903, 713905, 713906, 714002, 714004, 714006, 714011, 715001, 715006, 715007, 715009, 715038, 715046, 715047, 715048, 715049, 715065, 715076, 715077, 715080, 716001, 716002, 716014, 716015, 716016, 716038, 716039, 716058, 716059, 716603, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722036, 722037, 722041, 722051, 722053, 722055, 725001, 725002, 725003, 725006, 725007, 725008, 725010, 725011, 725012, 725014, 725016, 725017, 733100, 734001, 734003, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 751026, 771002, 805001, 805002, 805003, 338002

Note: As of version 4.0.0 of the Splunk Add-on for Cisco ASA, Splunk does not support PIX and FWSM source types. To support this transition, version 3.4.0 will remain available for 90 days after the release of 4.0.0.

New or changed features

Version 4.0.0 of the Splunk Add-on for Cisco ASA has the following new or changed features:

  • Added segmenters.conf to let you filter timestamps from being added to the lexicon
  • Deprecated support for PIX and FWSM sourcetype and Malware datamodel
  • CIM v4.15 compatibility
  • Field extractions for supported Event IDs

Fixed issues

Version 4.0.0 of the Splunk Add-on for Cisco ASA fixes the following issues:


Date resolved | Issue number | Description
2020-04-06 | ADDON-12426 | Transposed directions not showing correctly

Known issues

Version 4.0.0 of the Splunk Add-on for Cisco ASA has the following known issues:

Date filed | Issue number | Description
2020-05-12 | ADDON-26529 | segmenters.conf making sourcetype=cisco:asa events not searchable by term when event doesn't match the FILTER = <regular expression>, because the segmentation will be turned off completely for those events

Workaround:
Create props.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local with the following stanza, rolling segmentation back to the system/default settings:

[cisco:asa]
SEGMENTATION = indexing

For affected data that has already been ingested, searching for an IP address by term won't return results as expected:

| search sourcetype=cisco:asa src=1.2.3.4

but searching for it with where or regex does:

| search sourcetype=cisco:asa | where (src LIKE "1.2.3.4")
| search sourcetype=cisco:asa | regex src="1\.2\.3\.4"

2020-05-08 | ADDON-26486 | Field extraction for IP should point to src_ip

Workaround:
In the transforms.conf stanza

[cisco_asa_message_id_113039]
REGEX = -113039:\s*Group\s*<?(?<Group>[^>\s]+)>?\s*User\s*<?(?<user>[^>\s]+)>?\s*IP\s*<?(?<dest_ip>[^\>,\s]+)>?

change dest_ip to src_ip:

[cisco_asa_message_id_113039]
REGEX = -113039:\s*Group\s*<?(?<Group>[^>\s]+)>?\s*User\s*<?(?<user>[^>\s]+)>?\s*IP\s*<?(?<src_ip>[^\>,\s]+)>?
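The following is an added example (not Splunk's or the add-on's code) that runs the three forms of the 113039 REGEX discussed on this page against constructed sample events: the shipped regex (IP captured as dest_ip), the ADDON-26486 rename to src_ip, and the ADDON-27928 variant with the \s removed from the Group capture, from the version 4.0.2 known issues. The events are constructed for the example, not real firewall logs. Splunk transforms use PCRE-style (?<name>...) groups, which Python's re module does not accept, so the example rewrites them to (?P<name>...) before matching; that rewrite is the example's own helper.

```python
import re

# The three forms of the cisco_asa_message_id_113039 REGEX from this page.
REGEX_ORIGINAL = r"-113039:\s*Group\s*<?(?<Group>[^>\s]+)>?\s*User\s*<?(?<user>[^>\s]+)>?\s*IP\s*<?(?<dest_ip>[^\>,\s]+)>?"
REGEX_SRC_IP = r"-113039:\s*Group\s*<?(?<Group>[^>\s]+)>?\s*User\s*<?(?<user>[^>\s]+)>?\s*IP\s*<?(?<src_ip>[^\>,\s]+)>?"
# ADDON-27928 workaround applied on top of the rename: \s dropped from the Group class.
REGEX_SPACE_TOLERANT = r"-113039:\s*Group\s*<?(?<Group>[^>]+)>?\s*User\s*<?(?<user>[^>\s]+)>?\s*IP\s*<?(?<src_ip>[^\>,\s]+)>?"

# Constructed sample events in the 113039 layout; not real logs.
EVENT_PLAIN = "%ASA-6-113039: Group <Employees> User <asmith> IP <203.0.113.9> AnyConnect parent session started."
EVENT_SPACED = "%ASA-6-113039: Group <Remote Workers> User <jdoe> IP <198.51.100.23> AnyConnect parent session started."


def splunk_regex_to_python(pattern):
    """Rewrite PCRE (?<name>...) named groups to Python's (?P<name>...).

    Lookbehind assertions (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def extract(pattern, event):
    """Apply a Splunk-style REGEX to one event.

    Returns the named captures as a dict, or None when the REGEX does not match
    (which is what Splunk's transform would do: no fields at all)."""
    m = re.search(splunk_regex_to_python(pattern), event)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for name, pattern in [("original", REGEX_ORIGINAL),
                          ("src_ip rename", REGEX_SRC_IP),
                          ("space tolerant", REGEX_SPACE_TOLERANT)]:
        print(name, "/ plain group:", extract(pattern, EVENT_PLAIN))
        print(name, "/ group with space:", extract(pattern, EVENT_SPACED))
```

Note that with the \s still in the Group class the regex does not just truncate the group name at the space: the literal User that must follow cannot match, so the whole extraction fails and the event yields no Group, user or src_ip at all. Dropping the \s relies on the closing > to end the group; on an event where that bracket is absent the greedy [^>]+ would run on to the end of the line.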

Third-party software attributions

Version 4.0.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.


Version 3.4.0

Version 3.4.0 of the Splunk Add-on for Cisco ASA was released on April 17, 2019.

Compatibility

Version 3.4.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM: 4.x
Supported OS for data collection: OS independent
Vendor products: Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and later

New or changed features

Version 3.4.0 of the Splunk Add-on for Cisco ASA has the following new or changed features:

  • Improved load balancing on the universal forwarder
  • IPV6 extractions are disabled by default

Fixed issues

Version 3.4.0 of the Splunk Add-on for Cisco ASA fixes the following issues:


Date resolved | Issue number | Description
2019-03-11 | ADDON-16265 | Incorrect transform for user field in ta-cisco-asa
2019-03-11 | ADDON-21370 | Values not extracted for 'command' field in certain events under sourcetype=cisco:asa

Known issues

Version 3.4.0 of the Splunk Add-on for Cisco ASA has the following known issues:

Date filed | Issue number | Description
2019-03-25 | ADDON-21891 | FIELDALIAS behavior is different for Splunk v7.2.0+ as mentioned in SPL-164505

Workaround:
Comment out the following lines in ~etc/apps/Splunk_TA_cisco-asa/default/props.conf:

FIELDALIAS-fwsm_acl_for_rule = acl as rule (in the cisco:fwsm stanza)
FIELDALIAS-cisco_asa_tunnelgroup = tunnelgroup as group (in the cisco:asa stanza)

Add the following in ~etc/apps/Splunk_TA_cisco-asa/local/props.conf:

EVAL-rule = coalesce(acl, rule) (in the cisco:fwsm stanza)
EVAL-group = coalesce(tunnelgroup, group) (in the cisco:asa stanza)

2016-11-29 | ADDON-12426 | Transposed directions not showing correctly

Workaround:
Add/modify the following stanza in ~etc/apps/Splunk_TA_cisco-asa/local/transforms.conf:

[reverse_src_dest_for_outbound]
REGEX = (?:[Oo]utbound|[tT]eardown)\s+\S+\s+connection\s+\d+\s+for\s+(\S+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?\s+to\s+([^: ]+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?
FORMAT = dest_zone::$1 dest_ip::$2 dest_port::$3 dest_user::$4 dest_translated_ip::$5 dest_translated_port::$6 src_zone::$7 src_ip::$8 src_port::$9 src_user::$10 src_translated_ip::$11 src_translated_port::$12

Third-party software attributions

Version 3.4.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.3.0

Version 3.3.0 of the Splunk Add-on for Cisco ASA was released on October 12, 2017. Version 3.3.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM: 4.11
Platforms: Platform independent
Vendor Products: Cisco ASA 5500 series, Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and above

Fixed issues

Version 3.3.0 of the Splunk Add-on for Cisco ASA fixes the following issues.


Date resolved | Issue number | Description
2017-09-26 | ADDON-15550 | Transform.conf file convert unnecessary regex capturing groups to non-capturing groups
2017-09-06 | ADDON-15551 | lookups/cisco_asa_vendor_class_lookup.csv has invalid entries for message ids 107*, 312*, 333* and 334*
2017-08-03 | ADDON-14914 | Cisco ASA TA does not specify TIME_FORMAT in props.conf for cisco:asa, cisco:fwsm and cisco:pix
2017-02-01 | ADDON-13459, ADDON-13245 | src_ip and src_port fields are not extracted for cisco_source_ipv4
2016-11-30 | ADDON-12469, ADDON-11294 | Improper tag assigned to NAT Events for eventtype cisco_connection

Known issues

Version 3.3.0 of the Splunk Add-on for Cisco ASA has the following known issues.


Date filed | Issue number | Description
2019-02-21 | ADDON-21370 | Values not extracted for 'command' field in certain events under sourcetype=cisco:asa
2018-06-12 | ADDON-18377 | Reversing src and dest in the ICMP related logs Splunk Add-On for Cisco ASA
2017-11-29 | ADDON-16265 | Incorrect transform for user field in ta-cisco-asa
2016-11-29 | ADDON-12426 | Transposed directions not showing correctly

Workaround:
Add/modify the following stanza in ~etc/apps/Splunk_TA_cisco-asa/local/transforms.conf:

[reverse_src_dest_for_outbound]
REGEX = (?:[Oo]utbound|[tT]eardown)\s+\S+\s+connection\s+\d+\s+for\s+(\S+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?\s+to\s+([^: ]+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?
FORMAT = dest_zone::$1 dest_ip::$2 dest_port::$3 dest_user::$4 dest_translated_ip::$5 dest_translated_port::$6 src_zone::$7 src_ip::$8 src_port::$9 src_user::$10 src_translated_ip::$11 src_translated_port::$12
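The following is an added example, not Splunk's or the add-on's code, for the reverse_src_dest_for_outbound workaround given for ADDON-12426 in both the version 3.4.0 and version 3.3.0 known issues. It emulates how a transforms.conf REGEX/FORMAT pair turns one raw event into fields, using the REGEX and FORMAT exactly as printed on this page, so you can see which address ends up in src_ip and which in dest_ip for an outbound connection. The sample events are constructed for the example; the assumption that Splunk creates no field for a capture group that did not participate is the example's own.

```python
import re

# REGEX and FORMAT of the reverse_src_dest_for_outbound stanza, as given on this page.
REGEX = r"(?:[Oo]utbound|[tT]eardown)\s+\S+\s+connection\s+\d+\s+for\s+(\S+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?\s+to\s+([^: ]+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?"
FORMAT = "dest_zone::$1 dest_ip::$2 dest_port::$3 dest_user::$4 dest_translated_ip::$5 dest_translated_port::$6 src_zone::$7 src_ip::$8 src_port::$9 src_user::$10 src_translated_ip::$11 src_translated_port::$12"

# Constructed sample events (not real logs): an outbound build with the NAT-translated
# address in parentheses, and an inbound build that the stanza must leave alone.
OUTBOUND = "%ASA-6-302013: Built outbound TCP connection 1234567 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51234 (192.0.2.9/51234)"
INBOUND = "%ASA-6-302013: Built inbound TCP connection 1234568 for outside:198.51.100.8/40000 (198.51.100.8/40000) to dmz:10.0.1.20/80 (203.0.113.80/80)"


def parse_format(fmt):
    """Turn a FORMAT string 'field::$n field::$n ...' into [(field, n), ...]."""
    pairs = []
    for token in fmt.split():
        field, ref = token.split("::", 1)
        pairs.append((field, int(ref.lstrip("$"))))
    return pairs


def apply_transform(regex, fmt, event):
    """Emulate one transforms.conf REGEX/FORMAT stanza on a single event.

    Returns {} when the REGEX does not match. Capture groups that did not
    participate in the match are omitted (assumption: Splunk likewise creates
    no field for an empty capture)."""
    m = re.search(regex, event)
    if not m:
        return {}
    fields = {}
    for field, n in parse_format(fmt):
        value = m.group(n)
        if value:
            fields[field] = value
    return fields


if __name__ == "__main__":
    for event in (OUTBOUND, INBOUND):
        print(event)
        for field, value in sorted(apply_transform(REGEX, FORMAT, event).items()):
            print(f"  {field} = {value}")
```

For the outbound event the first zone:address pair after "for" lands in dest_zone/dest_ip (the peer the connection was built to) and the pair after "to" in src_zone/src_ip, which is the transposition the workaround exists to perform; the inbound event does not match the leading (?:[Oo]utbound|[tT]eardown) alternation and is left to the add-on's normal extractions.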

Third-party software attributions

Version 3.3.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.6

Version 3.2.6 of the Splunk Add-on for Cisco ASA was released on July 18, 2016. Version 3.2.6 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 5.0 and later
CIM: 3.0 and later
Platforms: Platform independent
Vendor Products: Cisco ASA 5500 series, Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and above

Fixed issues

Version 3.2.6 of the Splunk Add-on for Cisco ASA fixes the following issues.

Date | Defect number | Description
2016-06-22 | ADDON-9015 | The user information cannot be extracted for some events.
2016-06-21 | ADDON-9461 | The default tag is incorrectly applied to all events of the cisco_authentication event type.
2016-06-17 | ADDON-8738 | The byte and transport fields are not properly normalized or calculated for CIM compliance.
2016-06-17 | ADDON-10246 | The user and domain/group fields are not extracted properly for some events.

Known issues

Version 3.2.6 of the Splunk Add-on for Cisco ASA contains no known issues.

Third-party software attributions

Version 3.2.6 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.


Version 3.2.5

Version 3.2.5 of the Splunk Add-on for Cisco ASA was released on April 1, 2016. Version 3.2.5 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 5.0 and above
CIM: 3.0 and above
Platforms: Platform independent
Vendor Products: Cisco ASA 5500 series, Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and above

Fixed issues

Version 3.2.5 of the Splunk Add-on for Cisco ASA fixes the following issues.

Resolved Date | Defect number | Description
2016-03-11 | ADDON-7065 | Performance issues in Splunk Enterprise Security related to tag expansions.
2016-03-14 | ADDON-8256 | Source/Destination IP addresses not being extracted properly.
2016-03-10 | ADDON-7759 | Remove legacy eventgen support.

Known issues

Version 3.2.5 of the Splunk Add-on for Cisco ASA has the following known issues.

Date | Defect number | Description
2014-12-17 | ADDON-2728 | Add-on does not support IPv6.

Third-party software attributions

Version 3.2.5 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.4

Version 3.2.4 of the Splunk Add-on for Cisco ASA has the same compatibility specifications as version 3.2.5.

Fixed issues

Version 3.2.4 of the Splunk Add-on for Cisco ASA fixes the following issues.

Resolved Date | Defect number | Description
2015-09-28 | ADDON-5743 | Add-on stores the signature_id number of Cisco ASA message in message_id field instead of signature_id.
2015-09-18 | ADDON-5655 | src and dest extractions fail when interface name contains a colon.
2015-09-17 | ADDON-5613 | The add-on defines event types as cisco:* which impacts other Cisco technologies that this add-on does not cover.
2015-09-15 | ADDON-5257 | Zone information does not go to standardized field names.
2015-09-09 | ADDON-5304 | VPN events do not have network tag.
2015-07-21 | ADDON-4457 | Regex to extract dest ip fails if there is a . in the interface name.

Known issues

Version 3.2.4 of the Splunk Add-on for Cisco ASA has the following known issues.

Date | Defect number | Description
2014-12-17 | ADDON-2728 | Add-on does not support IPv6.

Third-party software attributions

Version 3.2.4 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.3

Version 3.2.3 of the Splunk Add-on for Cisco ASA has the same compatibility specifications as version 3.2.4.

Fixed issues

Version 3.2.3 of the Splunk Add-on for Cisco ASA fixes the following issues.

Date | Defect number | Description
06/17/15 | ADDON-4229 | Duplicated values in lookup cisco_asa_severity_lookup.csv result in duplicated values in severity field.
06/17/15 | ADDON-4021 | Source types are not backwards compatible with old versions of the add-on that used "cisco_asa" or "cisco-asa".
06/16/14 | ADDON-1107 | Bug in eventgen rule_number field.
06/15/15 | ADDON-4225 | Field Alias src is used for both src_ip and src_ipv6.
06/09/15 | ADDON-3916 | Extraction for field user fails for certain actions.

Known issues

Version 3.2.3 of the Splunk Add-on for Cisco ASA has the following known issues.

Date | Defect number | Description
2015-09-23 | ADDON-5743 | Add-on stores the signature_id number of Cisco ASA message in message_id field instead of signature_id.
2015-09-17 | ADDON-5655 | src and dest extractions fail when interface name contains a colon.
2015-09-17 | ADDON-5613 | The add-on defines event types as cisco:* which impacts other Cisco technologies that this add-on does not cover.
2015-09-01 | ADDON-5304 | VPN events do not have network tag.
2015-08-31 | ADDON-5257 | Zone information does not go to standardized field names.
2015-07-03 | ADDON-4457 | Regex to extract dest ip fails if there is a . in the interface name.
2014-12-17 | ADDON-2728 | Add-on does not support IPv6.

Third-party software attributions

Version 3.2.3 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.2

Version 3.2.2 of the Splunk Add-on for Cisco ASA has the same compatibility specifications as version 3.2.3.

Fixed issues

Version 3.2.2 of the Splunk Add-on for Cisco ASA fixes the following issues.

Date | Defect number | Description
04/13/15 | ADDON-3649 | XML file names do not match pre-built panel titles.
04/10/15 | ADDON-3357 | Duration field extraction too narrow.
03/16/15 | ADDON-3327 | Typo in eventtypes.conf causes searches to fail.
03/11/15 | ADDON-3357 | Transposed src and dest directions.

Known issues

Version 3.2.2 of the Splunk Add-on for Cisco ASA has the following known issues.

Date | Defect number | Description
05/18/15 | ADDON-4021 | Source types are not backwards compatible with old versions of the add-on that used "cisco_asa" or "cisco-asa".
05/04/15 | ADDON-3916 | Extraction of "user" field fails.
12/17/14 | ADDON-2728 | Add-on does not support IPv6.
01/31/14 | ADDON-1107 | Bug in eventgen rule_number field.

Third-party software attributions

Version 3.2.2 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.1

Version 3.2.0 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.2.

Fixed issues

Version 3.2.1 of the Splunk Add-on for Cisco ASA fixed the following issues.

Date | Defect number | Description
02/04/15 | ADDON-3067 | Field "action" looked up by cisco_asa_change_analysis_lookup overrides action from cisco_action_lookup.
02/04/15 | ADDON-3142 | Field "action" contains some duplicated values.

Known issues

Version 3.2.1 of the Splunk Add-on for Cisco ASA had no reported known issues.

Third-party software attributions

Version 3.2.1 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.0

Version 3.2.0 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.2.

New features

Version 3.2.0 of the Splunk Add-on for Cisco ASA included the following new features.

Date | Ticket number | Description
01/06/15 | ADDON-1083 | Support for additional fields of the Change Analysis CIM data model.
12/10/14 | ADDON-2230 | Support for VPN events.
11/18/14 | ADDON-2284 | Support for Web events.

Fixed issues

Version 3.2.0 of the Splunk Add-on for Cisco ASA fixed the following issues.

Date | Defect number | Description
12/09/14 | ADDON-1888 | Reversed src and dest when direction is outbound.
11/19/14 | ADDON-2343 | Remove right bracket from acl results.
11/16/14 | ADDON-1507 | Regex change needed for rule_number field.
11/14/14 | ADDON-2155 | Field extraction should avoid variable keys wherever possible.
10/16/14 | ADDON-2165 | Incorrect setting of app field.

Known issues

Version 3.2.0 of the Splunk Add-on for Cisco ASA had the following known issue.

Date | Defect number | Description
01/23/15 | ADDON-3067 | Field "action" looked up by cisco_asa_change_analysis_lookup overrides action from cisco_action_lookup.

Third-party software attributions

Version 3.2.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.1.0

Version 3.1.0 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.1.

New features

Version 3.1.0 of the Splunk Add-on for Cisco ASA includes the following new features:

  • Pre-built panels. (ADDON-1638)
  • Support for version 9.2 of ASA (ADDON-1146)

Fixed issues

Version 3.1.0 of the Splunk Add-on for Cisco ASA fixes the following issues:

  • ASA teardown events prevent accurate analysis of network traffic. (ADDON-1258)
  • Typo of aaa_cisco_tunnelgroup for cisco_asa_tunnelgroup in props.conf and mismatch with transforms.conf (ADDON-1498)
  • Field extraction fails for field 'signature_id'. (ADDON-1501)
  • Regex fails to extract the field "acl" for sourcetype="cisco:fwsm" (ADDON-1508) or for sourcetype="cisco:pix". (ADDON-1500).
  • Incorrect regex for field 'icmp_type'. (ADDON-1510)
  • Regex incorrect for the field "group_policy". (ADDON-1512)
  • Non-functional lookup file cisco_vendor_info_lookups.csv. Resolved by implementing same functionality with static fields via EVALs in props.conf. (ADDON-1514)
  • Some REPORT definitions not read into Splunk Enterprise. (ADDON-1515)
  • Transposed mappings to CIM for src and dest related fields. (ADDON-1888)
  • Search fails with fields src_id, fw_user. (ADDON-1976)
  • Incorrect field extraction for icml_type. (ADDON-1978)
  • The fields dest_translated_ip and dest_translated_port not extracted via regex. (ADDON-1979)
  • The assigned_ip field not extracted via regex. (ADDON-1980)
  • The group field not extracted via regex. (ADDON-1981)
  • The dest_domain field not extracted for Cisco ASA version 9.2. (ADDON-2031)

Known issues

Version 3.1.0 of the Splunk Add-on for Cisco ASA has the following known issues:

  • In multi-router installations, two different timestamps appear in Cisco ASA data, and the second one (after the IP address) is the correct one. (ADDON-1543)

Third-party software attributions

Version 3.1.0 of the Splunk Add-on for Cisco ASA did not incorporate any third-party software or libraries.

Version 3.0.1

Version 3.0.1 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.0.

New features

Version 3.0.1 of the Splunk Add-on for Cisco ASA included the following new features:

  • Vendor Class support (ADDON-1087)
  • VPN data populates in the Network Sessions CIM data model (ADDON-1082)

Fixed issues

Version 3.0.1 of the Splunk Add-on for Cisco ASA fixed the following issues:

  • eventgen host incorrectly set to localhost (ADDON-1105)
  • eventgen sample includes quotes around event (ADDON-1106)
  • add-on does not recognize "session-" in certain log outputs (ADDON-1223)

Known issues

Version 3.0.1 of the Splunk Add-on for Cisco ASA had the following known issues:

  • ASA teardown events prevent accurate analysis of network traffic. (ADDON-1258)
  • Typo of aaa_cisco_tunnelgroup for cisco_asa_tunnelgroup in props.conf and mismatch with transforms.conf (ADDON-1498)
  • Field extraction fails for field 'signature_id'. (ADDON-1501)
  • Regex fails to extract the field "acl" for sourcetype="cisco:fwsm" (ADDON-1508) or for sourcetype="cisco:pix". (ADDON-1500)
  • Incorrect regex for the field "icmp_type". (ADDON-1510)
  • regex incorrect for the field "group_policy" (ADDON-1512)
  • Some REPORT definitions not read into Splunk Enterprise. (ADDON-1515)
  • In multi-router installations, two different timestamps appear in Cisco ASA data, and the second one (after the IP address) is the correct one. (ADDON-1593)
  • Transposed mappings to CIM for src and dest related fields. (ADDON-1888)

Third-party software attributions

Version 3.0.1 of the Splunk Add-on for Cisco ASA did not incorporate any third-party software or libraries.

Last modified on 13 October, 2020