Splunk® Supported Add-ons

Splunk Add-on for Cisco ASA


Release history for the Splunk Add-on for Cisco ASA

The latest version of the Splunk Add-on for Cisco ASA is version 5.0.0. See Release notes for the Splunk Add-on for Cisco ASA for release notes of this latest version.

Version 4.2.0

Version 4.2.0 of the Splunk Add-on for Cisco ASA was released on December 27, 2021.

Compatibility

Version 4.2.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.1, 8.2
CIM 4.20.2
Supported OS for data collection OS independent
Vendor products Cisco ASA v9.12, v9.13,v9.16
Supported Cisco ASA event message_ids 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 110003, 111001, 111004, 111008, 111009, 111010, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 303002, 304001, 305009, 305010, 305011, 313001, 313004, 313005, 313009, 338301, 338302, 400013, 400032, 405001, 419002, 419003, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 505004, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 602303, 602304, 605005, 609001, 609002, 611101, 710002, 710003, 710005, 711004, 713041, 713049, 713075, 713119, 713120, 713130, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713903, 713905, 713906, 715001, 715009, 715038, 715046, 715065, 715076, 715080, 716001, 716002, 716038, 716039, 716058, 716059, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722037, 722041, 722051, 722055, 725003, 725007, 725008, 725010, 725011, 725014, 725017, 733100, 734001, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 338002

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.


New or changed features

As of version 4.2.0 of the Splunk Add-on for Cisco ASA, the following features were added or changed:

Event type changes

The following event type changes were made in version 4.2.0:

  • Change Data model mapping has been added to the event type cisco_asa_alert.
  • Change Data model mapping has been removed from the event type cisco_asa_endpoint_processes.
  • Network Session Start and End Data model mapping has been removed from the event types cisco_vpn_start and cisco_vpn_end.
  • Audit mapping has been removed from the event type cisco_asa_audit_change.


message_id changes

For the message_ids, CIM data models/dataset mappings have changed as follows:

message_id Old Data Model/Data Set New Data Model/Data Set
111010,502101,502102,502103,502111,502112,505004,505009,505015 Change:Auditing_Changes Change:All_Changes
113019,716002,602304,722023 Network_Sessions:Session_End Network_Sessions:VPN
722033,113039,602303,716001,722034,722022 Network_Sessions:Session_Start Network_Sessions:VPN

CIM mappings have been modified to map as follows:

Event type Cisco ASA Message ID
cisco_connection 302014,302016
cisco_authentication_privileged 502103
cisco_asa_network_sessions 725003,725007
cisco_asa_audit_change 111010

Field changes

The Splunk Add-on for Cisco ASA 4.2.0 introduces the following field changes.

Message id Source-type Fields added Fields removed
106023 cisco:asa signature_id
106023 cisco:asa rule_name
110003 cisco:asa Communication_protocol
cisco:asa Src
cisco:asa Dest_ip
cisco:asa Signature_id
cisco:asa src_interface
cisco:asa src_ip
cisco:asa est_interface
cisco:asa est
cisco:asa dest_port
cisco:asa protocol
cisco:asa app
cisco:asa src_zone
cisco:asa dest_zone
111010 cisco:asa object_category
302014 cisco:asa src
cisco:asa tag
cisco:asa Cisco_ASA_action
cisco:asa dest_ip
cisco:asa duration
cisco:asa dest
cisco:asa Username
cisco:asa dest_port
cisco:asa protocol
cisco:asa user
cisco:asa Cisco_ASA_vendor_action
cisco:asa tag::eventtype
cisco:asa communication_protocol
cisco:asa duration_hour
cisco:asa vendor_action
cisco:asa transport
cisco:asa src_user
cisco:asa duration_second
cisco:asa src_nt_domain
cisco:asa action
cisco:asa src_port
cisco:asa dest_zone
cisco:asa session_id
cisco:asa reason
cisco:asa protocol_version
cisco:asa src_interface
cisco:asa duration_minute
cisco:asa bytes
cisco:asa Cisco_ASA_user
cisco:asa dest_interface
cisco:asa eventtype
cisco:asa src_zone
cisco:asa src_ip
302015 cisco:asa dest_user
cisco:asa user
cisco:asa Username
cisco:asa Cisco_ASA_user
302016 cisco:asa src
cisco:asa tag
cisco:asa Cisco_ASA_action
cisco:asa dest_ip
cisco:asa duration
cisco:asa dest
cisco:asa Username
cisco:asa dest_port
cisco:asa protocol
cisco:asa app
cisco:asa user
cisco:asa Cisco_ASA_vendor_action
cisco:asa tag::eventtype
cisco:asa communication_protocol
cisco:asa duration_hour
cisco:asa vendor_action
cisco:asa transport
cisco:asa src_user
cisco:asa duration_second
cisco:asa src_nt_domain
cisco:asa action
cisco:asa src_port
302016 cisco:asa dest_zone
cisco:asa session_id
cisco:asa protocol_version
cisco:asa src_interface
cisco:asa duration_minute
cisco:asa bytes
cisco:asa Cisco_ASA_user
cisco:asa dest_interface
cisco:asa eventtype
cisco:asa src_zone
cisco:asa src_ip
303002 cisco:asa app
305012, 305011 cisco:asa src_user
cisco:asa user
cisco:asa Username
cisco:asa Cisco_ASA_user
338301 cisco:asa transport
cisco:asa rule_name
cisco:asa rule
cisco:asa acl
405001 cisco:asa tag
cisco:asa signature_id
cisco:asa app
cisco:asa eventtype
cisco:asa type
cisco:asa tag::eventtype
502101 cisco:asa result
502102 cisco:asa result
502103 cisco:asa result
502111 cisco:asa result
502112 cisco:asa result
505001 cisco:asa result
505002 cisco:asa result
505003 cisco:asa result
505004 cisco:asa result
505005 cisco:asa result
505006 cisco:asa result
505009 cisco:asa object_attrs
cisco:asa result
505015 cisco:asa result
713166, 713167 cisco:asa app
717029 cisco:asa dest
722022 cisco:asa dest_host
cisco:asa dest
cisco:asa src
725003 cisco:asa eventtype
cisco:asa signature
cisco:asa tag
cisco:asa tag::eventtype
725007 cisco:asa eventtype
cisco:asa tag
cisco:asa tag::eventtype

Fixed issues

Version 4.2.0 of the Splunk Add-on for Cisco ASA fixes the following issues:

Known issues

Version 4.2.0 of the Splunk Add-on for Cisco ASA has the following known issues:


Third-party software attributions

Version 4.2.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 4.1.0

Version 4.1.0 of the Splunk Add-on for Cisco ASA was released on October 6, 2020.

Compatibility

Version 4.1.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.2, 7.3, 8.0, 8.1
CIM 4.17
Supported OS for data collection OS independent
Vendor products Cisco ASA v9.4, v9.12, v9.13
Supported Cisco ASA event message_ids 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302015, 302020, 303002, 304001, 305011, 313001, 313004, 313005, 313009, 338301, 338302, 400013, 400032, 419002, 419003, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 505004, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 602303, 602304, 605005, 609001, 609002, 611101, 710002, 710003, 710005, 711004, 713041, 713049, 713075, 713119, 713120, 713130, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713903, 713905, 713906, 715001, 715009, 715038, 715046, 715065, 715076, 715080, 716001, 716002, 716038, 716039, 716058, 716059, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722037, 722041, 722051, 722055, 725008, 725010, 725011, 725014, 725017, 733100, 734001, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 338002

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.


New or changed features

As of version 4.1.0 of the Splunk Add-on for Cisco ASA, the following features were added or changed:

Event type changes

The following event type changes were made in version 4.1.0:

  • Change Data model mapping has been removed from the event type cisco_asa_configuration_change.
  • Endpoint Data model mapping has been removed from the event types cisco_asa_endpoint_processes and cisco_asa_endpoint_filesystem.
  • Network Resolution (DNS) mapping has been removed from the event type cisco_asa_network_resolution.
  • The event type cisco_asa_audit_change has been added and maps to the Change data model.

message_id changes

For the message_ids, CIM data models mappings have changed as follows:

message_id Old Data Model New Data Model
313005 Network Intrusion, Network Traffic Network Traffic
302015 Network_Traffic, Network_Sessions Network Traffic
109025 Authentication, Network_Traffic Network_Traffic

Mappings with CIM data models have been removed for the following message_ids:

113003, 302014, 302016, 302021, 304001, 305012, 305013, 314001, 402119, 405001, 500001, 500002, 504001, 504002, 505001, 505002, 505003, 505005, 505006, 505007, 505008, 507003, 602101, 607001, 608001, 702307, 710006, 713154, 713160, 713162, 713163, 716014, 716015, 716016, 716603, 722053, 725001, 725002, 722036, 725003, 725006, 725007, 725012, 725016, 734003, 751026, 805001, 805002, 805003


CIM mappings have been modified to map as follows:

Event type Cisco ASA Message ID
cisco_vpn_start 113039,716001,722022,602303,722033,722034
cisco_vpn_end 113019, 716002, 722023, 602304
cisco_vpn 722051, 713228
cisco_intrusion 400032, 313005, 106016, 10601
cisco_connection 109025, 302013, 305011, 302015, 106023, 106015, 106012, 106100, 106103, 110002, 302020, 338301, 400013, 710003, 710005, 419002, 106021, 313005, 106001, 313001, 106007, 303002, 710002, 313009, 500003, 106006, 106014, 419003, 106020, 338002, 313004
cisco_authentication_privileged 502103
cisco_authentication 113008, 113012, 113004, 113005, 611101, 605005, 713166, 713167, 713185, 716038, 716039, 713198
cisco_asa_network_sessions 716058, 716059, 722028, 722029, 722030, 722031, 722037, 751025
cisco_asa_network_resolution 713154
cisco_asa_endpoint_processes 111010
cisco_asa_endpoint_filesystem 716015, 716014, 716016
cisco_asa_configuration_change 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505015, 113003, and all events that have a value for change_class
cisco_asa_certificates 717009, 717022, 717027, 717028, 717029, 717037
cisco_asa_audit_change 502102, 502101, 502103, 502111, 111010, 502112, 505015, 505004, 505009

Fixed issues

Version 4.1.0 of the Splunk Add-on for Cisco ASA fixes the following issues:


Date resolved Issue number Description
2020-09-21 ADDON-27927 Cisco ASA TA - cisco_asa_action_lookup.csv actions not consistent with CIM compliancy - network_traffic DM (action=allowed OR action=blocked)
2020-08-10 ADDON-27928 Cisco ASA TA - new Regex doesn't pick up spaces

Known issues

Version 4.1.0 of the Splunk Add-on for Cisco ASA has the following known issues:


Third-party software attributions

Version 4.1.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.


Version 4.0.2

Version 4.0.2 of the Splunk Add-on for Cisco ASA was released on June 24, 2020.

Compatibility

Version 4.0.2 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.2, 7.3, 8.0
CIM 4.15
Supported OS for data collection OS independent
Vendor products Cisco ASA v9.4, v9.12, v9.13
Supported Cisco ASA event message_ids 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113003, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 302021, 303002, 304001, 305011, 305012, 305013, 313001, 313004, 313005, 313009, 314001, 338301, 338302, 400013, 400032, 402119, 405001, 419002, 419003, 500001, 500002, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 504001, 504002, 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 507003, 602101, 602303, 602304, 605005, 607001, 608001, 609001, 609002, 611101, 702307, 710002, 710003, 710005, 710006, 711004, 713041, 713049, 713075, 713119, 713120, 713130, 713154, 713160, 713162, 713163, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713903, 713905, 713906, 715001, 715009, 715038, 715046, 715065, 715076, 715080, 716001, 716002, 716014, 716015, 716016, 716038, 716039, 716058, 716059, 716603, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722036, 722037, 722041, 722051, 722053, 722055, 725001, 725002, 725003, 725006, 725007, 725008, 725010, 725011, 725012, 725014, 725016, 725017, 733100, 734001, 734003, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 751026, 805001, 805002, 805003, 338002

Note: As of version 4.0.0 of the Splunk Add-on for Cisco ASA, Splunk does not support PIX and FWSM source types. To support this transition, version 3.4.0 will remain available for 90 days after the release of 4.0.0.

New or changed features

As of version 4.0.2 of the Splunk Add-on for Cisco ASA, the following features were added or changed:

Event type changes

The following event types have been added in version 4.0.2:

  • cisco_asa_vpn
  • cisco_asa_vpn_start
  • cisco_asa_vpn_end


The event type cisco_asa_change is now named cisco_asa_configuration_change.

message_id changes

For the message_ids, CIM data models mappings have changed as follows:

message_id Old Data Model New Data Model
113004 Network Sessions Authentication
313004 Network Sessions Network Traffic
602303 Network Traffic Network Sessions
602304 Network Traffic Network Sessions
713228 Change Network Sessions
716038 Network Sessions, Authentication Authentication
716039 Network Sessions, Authentication Authentication

Mapping with CIM data models has been removed for the following message_ids.

713121, 713236, 714002, 714004, 714006, 714011, 715006, 715007, 715047, 715048, 715049, 715077, 771002

Fixed issues

Version 4.0.2 of the Splunk Add-on for Cisco ASA fixes the following issues:


Date resolved Issue number Description
2020-06-22 ADDON-26648 Cisco ASA: Issue with CIM mapping of Message ID - 113004
2020-06-22 ADDON-26852 Splunk Add-on for Cisco ASA missing eventtypes after upgrade to 4.0.1

Known issues

Version 4.0.2 of the Splunk Add-on for Cisco ASA has the following known issues:

Date filed Issue number Description
2020-07-24 ADDON-27927 Cisco ASA TA - cisco_asa_action_lookup.csv actions not consistent with CIM compliancy - network_traffic DM (action=allowed OR action=blocked)

Workaround:
We have changed the lookup to the right actions in order to fix that.

sed -i -e 's/built,,built/built,,allowed/g' \
       -e 's/permitted,,permitted/permitted,,allowed/g' \
       -e 's/denied,,denied/denied,,blocked/g' \
       -e 's/deny,,deny/deny,,blocked/g' \
       /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/lookups/cisco_asa_action_lookup.csv

2020-07-24 ADDON-27928 Cisco ASA TA - new Regex doesn't pick up spaces

Workaround:
The workaround for me is to delete the \s in the group capturing of the Group field.

We have identified a lot of regexes where it can happen and do these steps to work around it:

mkdir -p /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/

  1. Take all the "bad" regexes with a group capturing the Group field

grep -C 1 "<Group>[^*\s]" /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/default/transforms.conf > /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms0.conf

  2. Cleaning

sed 's/--//g' /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms0.conf > /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms1.conf

  3. Remove the "\s"

sed 's/<Group>\[^\\>\\s/<Group>\[^\\>/g' /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms1.conf > /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms.conf

  4. Cleaning

rm -f /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms0.conf /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms1.conf

Maybe our network admins did not do things properly when they created those firewall groups with spaces, but it's a reality in our context and we can't do anything about it.

Third-party software attributions

Version 4.0.2 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 4.0.1

Version 4.0.1 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.2, 7.3, 8.0
CIM 4.15
Supported OS for data collection OS independent
Vendor products Cisco ASA v9.4, v9.12, v9.13
Supported Cisco ASA event message_ids 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113003, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 302021, 303002, 304001, 305011, 305012, 305013, 313001, 313004, 313005, 313009, 314001, 338301, 338302, 400013, 400032, 402119, 405001, 419002, 419003, 500001, 500002, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 504001, 504002, 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 507003, 602101, 602303, 602304, 605005, 607001, 608001, 609001, 609002, 611101, 702307, 710002, 710003, 710005, 710006, 711004, 713041, 713049, 713075, 713119, 713120, 713121, 713130, 713154, 713160, 713162, 713163, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713236, 713903, 713905, 713906, 714002, 714004, 714006, 714011, 715001, 715006, 715007, 715009, 715038, 715046, 715047, 715048, 715049, 715065, 715076, 715077, 715080, 716001, 716002, 716014, 716015, 716016, 716038, 716039, 716058, 716059, 716603, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722036, 722037, 722041, 722051, 722053, 722055, 725001, 725002, 725003, 725006, 725007, 725008, 725010, 725011, 725012, 725014, 725016, 725017, 733100, 734001, 734003, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 751026, 771002, 805001, 805002, 805003, 338002

Note: As of version 4.0.0 of the Splunk Add-on for Cisco ASA, Splunk does not support PIX and FWSM source types. To support this transition, version 3.4.0 will remain available for 90 days after the release of 4.0.0.


Version 4.0.0

Version 4.0.0 of the Splunk Add-on for Cisco ASA was released on April 21, 2020.

Compatibility

Version 4.0.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.2, 7.3, 8.0
CIM 4.15
Supported OS for data collection OS independent
Vendor products Cisco ASA v9.4, v9.12, v9.13
Supported Cisco ASA event message_ids 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113003, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 302021, 303002, 304001, 305011, 305012, 305013, 313001, 313004, 313005, 313009, 314001, 338301, 338302, 400013, 400032, 402119, 405001, 419002, 419003, 500001, 500002, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 504001, 504002, 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 507003, 602101, 602303, 602304, 605005, 607001, 608001, 609001, 609002, 611101, 702307, 710002, 710003, 710005, 710006, 711004, 713041, 713049, 713075, 713119, 713120, 713121, 713130, 713154, 713160, 713162, 713163, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713236, 713903, 713905, 713906, 714002, 714004, 714006, 714011, 715001, 715006, 715007, 715009, 715038, 715046, 715047, 715048, 715049, 715065, 715076, 715077, 715080, 716001, 716002, 716014, 716015, 716016, 716038, 716039, 716058, 716059, 716603, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722036, 722037, 722041, 722051, 722053, 722055, 725001, 725002, 725003, 725006, 725007, 725008, 725010, 725011, 725012, 725014, 725016, 725017, 733100, 734001, 734003, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 751026, 771002, 805001, 805002, 805003, 338002

Note: As of version 4.0.0 of the Splunk Add-on for Cisco ASA, Splunk does not support PIX and FWSM source types. To support this transition, version 3.4.0 will remain available for 90 days after the release of 4.0.0.

New or changed features

Version 4.0.0 of the Splunk Add-on for Cisco ASA has the following new or changed features:

  • Added segmenters.conf to let you filter timestamps from being added to the lexicon
  • Deprecated support for PIX and FWSM sourcetype and Malware datamodel
  • CIM v4.15 compatibility
  • Field extractions for supported Event IDs

Fixed issues

Version 4.0.0 of the Splunk Add-on for Cisco ASA fixes the following issues:


Date resolved Issue number Description
2020-04-06 ADDON-12426 Transposed directions not showing correctly

Known issues

Version 4.0.0 of the Splunk Add-on for Cisco ASA has the following known issues:

Date filed Issue number Description
2020-05-12 ADDON-26529 segmenters.conf making sourcetype=cisco:asa events not searchable by term when event doesn't match the FILTER = <regular expression>, because the segmentation will be turned off completely for those events

Workaround:
Create props.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local with the following stanza, which rolls the setting back to the system/default value:

[cisco:asa]
SEGMENTATION = indexing

For affected data that was already ingested, a term search for an IP address does not return results as expected:

| search sourcetype=cisco:asa src=1.2.3.4

but searching for it with where or regex does:

| search sourcetype=cisco:asa | where (src LIKE "1.2.3.4")
| search sourcetype=cisco:asa | regex src="1\.2\.3\.4"

2020-05-08 ADDON-26486 Field Extraction for IP should point to src_ip

Workaround:
[cisco_asa_message_id_113039]
REGEX = -113039:\s*Group\s*<?(?<Group>[^>\s]+)>?\s*User\s*<?(?<user>[^>\s]+)>?\s*IP\s*<?(?<dest_ip>[^\>,\s]+)>?

Change dest_ip to src_ip:

[cisco_asa_message_id_113039]
REGEX = -113039:\s*Group\s*<?(?<Group>[^>\s]+)>?\s*User\s*<?(?<user>[^>\s]+)>?\s*IP\s*<?(?<src_ip>[^\>,\s]+)>?

Third-party software attributions

Version 4.0.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.


Version 3.4.0

Version 3.4.0 of the Splunk Add-on for Cisco ASA was released on April 17, 2019.

Compatibility

Version 3.4.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.x
Supported OS for data collection OS independent
Vendor products Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and later

New or changed features

Version 3.4.0 of the Splunk Add-on for Cisco ASA has the following new or changed features:

  • Improved load balancing on the universal forwarder
  • IPV6 extractions are disabled by default

Fixed issues

Version 3.4.0 of the Splunk Add-on for Cisco ASA fixes the following issues:


Date resolved Issue number Description
2019-03-11 ADDON-16265 Incorrect transform for user field in ta-cisco-asa
2019-03-11 ADDON-21370 Values not extracted for 'command' field in certain events under sourcetype=cisco:asa

Known issues

Version 3.4.0 of the Splunk Add-on for Cisco ASA has the following known issues:

Date filed Issue number Description
2019-03-25 ADDON-21891 FIELDALIAS behavior is different for Splunk v7.2.0+ as mentioned in SPL-164505

Workaround:
Comment out the following lines in ~etc/apps/Splunk_TA_cisco-asa/default/props.conf:

FIELDALIAS-fwsm_acl_for_rule = acl as rule (in the cisco:fwsm stanza)
FIELDALIAS-cisco_asa_tunnelgroup = tunnelgroup as group (in the cisco:asa stanza)

Add the following in ~etc/apps/Splunk_TA_cisco-asa/local/props.conf:

EVAL-rule = coalesce(acl, rule) (in the cisco:fwsm stanza)
EVAL-group = coalesce(tunnelgroup, group) (in the cisco:asa stanza)

2016-11-29 ADDON-12426 Transposed directions not showing correctly

Workaround:
Add/modify below stanza in ~etc/apps/Splunk_TA_cisco-asa/local/transforms.conf:

[reverse_src_dest_for_outbound]
REGEX = (?:[Oo]utbound|[tT]eardown)\s+\S+\s+connection\s+\d+\s+for\s+(\S+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?\s+to\s+([^: ]+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?
FORMAT = dest_zone::$1 dest_ip::$2 dest_port::$3 dest_user::$4 dest_translated_ip::$5 dest_translated_port::$6 src_zone::$7 src_ip::$8 src_port::$9 src_user::$10 src_translated_ip::$11 src_translated_port::$12
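To check what a transforms.conf stanza actually extracts before deploying it, the following added Python example (not code from the Splunk Add-on for Cisco ASA or from this page) replays Splunk's REGEX/FORMAT semantics over constructed ASA events for the reverse_src_dest_for_outbound transform above and for the corrected 113039 regex from the ADDON-26486 workaround. The PCRE-to-Python named-group conversion and the sample events are this example's own assumptions; the teardown event shows that, with no mapped-address tuple present, the optional translated-address group of the page's regex captures the next word of the message.

```python
"""Replay Splunk transforms.conf REGEX/FORMAT extractions over sample Cisco ASA events.

Added example, not code from the Splunk Add-on for Cisco ASA. The events below
are constructed samples; the PCRE-to-Python named-group conversion is ours.
"""
import re
from typing import Dict, Optional

# Stanza from the ADDON-12426 workaround (transforms.conf on this page).
REVERSE_REGEX = (
    r"(?:[Oo]utbound|[tT]eardown)\s+\S+\s+connection\s+\d+\s+for\s+(\S+)\s*:\s*"
    r"([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?"
    r"\s+to\s+([^: ]+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?"
    r"\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?"
)
REVERSE_FORMAT = (
    "dest_zone::$1 dest_ip::$2 dest_port::$3 dest_user::$4 "
    "dest_translated_ip::$5 dest_translated_port::$6 src_zone::$7 src_ip::$8 "
    "src_port::$9 src_user::$10 src_translated_ip::$11 src_translated_port::$12"
)

# Corrected stanza from the ADDON-26486 workaround (dest_ip renamed to src_ip).
VPN_113039_REGEX = (
    r"-113039:\s*Group\s*<?(?<Group>[^>\s]+)>?\s*User\s*<?(?<user>[^>\s]+)>?"
    r"\s*IP\s*<?(?<src_ip>[^\>,\s]+)>?"
)

# Constructed sample events (documentation addresses, not real traffic).
OUTBOUND_EVENT = (
    "%ASA-6-302013: Built outbound TCP connection 1174 for "
    "outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)"
)
INBOUND_EVENT = (
    "%ASA-6-302013: Built inbound TCP connection 1175 for "
    "outside:198.51.100.9/40000 (198.51.100.9/40000) to inside:10.0.0.8/22 (10.0.0.8/22)"
)
TEARDOWN_EVENT = (
    "%ASA-6-302014: Teardown TCP connection 1174 for outside:203.0.113.5/443 "
    "to inside:10.0.0.5/51234 duration 0:00:05 bytes 2048 TCP FINs"
)
VPN_EVENT = (
    "%ASA-6-113039: Group <AnyConnectUsers> User <jdoe> IP <198.51.100.7> "
    "AnyConnect parent session started."
)


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).

    The lookahead for a letter leaves lookbehinds (?<= and (?<! untouched.
    """
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def apply_transform(regex: str, event: str, fmt: Optional[str] = None) -> Dict[str, str]:
    """Return the fields one transforms.conf stanza would extract from an event.

    Without FORMAT, Splunk names fields after the named capture groups.
    With FORMAT = field::$N ..., each token binds a field to capture group N.
    Optional groups that did not participate in the match yield no field.
    """
    match = re.search(pcre_to_python(regex), event)
    if match is None:
        return {}
    if fmt is None:
        return {k: v for k, v in match.groupdict().items() if v is not None}
    fields: Dict[str, str] = {}
    for token in fmt.split():
        name, sep, ref = token.partition("::")
        if not sep or not ref.startswith("$") or not ref[1:].isdigit():
            raise ValueError(f"unsupported FORMAT token: {token!r}")
        value = match.group(int(ref[1:]))
        if value is not None:
            fields[name] = value
    return fields


if __name__ == "__main__":
    for label, event in [("outbound", OUTBOUND_EVENT), ("inbound", INBOUND_EVENT),
                         ("teardown", TEARDOWN_EVENT)]:
        print(label, apply_transform(REVERSE_REGEX, event, REVERSE_FORMAT))
    print("113039", apply_transform(VPN_113039_REGEX, VPN_EVENT))
```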

Third-party software attributions

Version 3.4.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.


Version 3.3.0

Version 3.3.0 of the Splunk Add-on for Cisco ASA was released on October 12, 2017. Version 3.3.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Platforms Platform independent
Vendor Products Cisco ASA 5500 series, Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and above

Fixed issues

Version 3.3.0 of the Splunk Add-on for Cisco ASA fixes the following issues.


Date resolved Issue number Description
2017-09-26 ADDON-15550 Transform.conf file convert unnecessary regex capturing groups to non capturing groups
2017-09-06 ADDON-15551 lookups/cisco_asa_vendor_class_lookup.csv has invalid entries for message ids 107*, 312*, 333* and 334*
2017-08-03 ADDON-14914 Cisco ASA TA does not specify TIME_FORMAT in props.conf for cisco:asa, cisco:fwsm and cisco:pix
2017-02-01 ADDON-13459, ADDON-13245 src_ip and src_port fields not extracted for cisco_source_ipv4
2016-11-30 ADDON-12469, ADDON-11294 Improper tag assigned to NAT Events for eventtype cisco_connection

Known issues

Version 3.3.0 of the Splunk Add-on for Cisco ASA has the following known issues.


Date filed Issue number Description
2019-02-21 ADDON-21370 Values not extracted for 'command' field in certain events under sourcetype=cisco:asa
2018-06-12 ADDON-18377 Reversing src and dest in the ICMP related logs Splunk Add-On for Cisco ASA
2017-11-29 ADDON-16265 Incorrect transform for user field in ta-cisco-asa
2016-11-29 ADDON-12426 Transposed directions not showing correctly

Workaround:
Add/modify below stanza in ~etc/apps/Splunk_TA_cisco-asa/local/transforms.conf:

[reverse_src_dest_for_outbound]
REGEX = (?:[Oo]utbound|[tT]eardown)\s+\S+\s+connection\s+\d+\s+for\s+(\S+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?\s+to\s+([^: ]+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?
FORMAT = dest_zone::$1 dest_ip::$2 dest_port::$3 dest_user::$4 dest_translated_ip::$5 dest_translated_port::$6 src_zone::$7 src_ip::$8 src_port::$9 src_user::$10 src_translated_ip::$11 src_translated_port::$12

Third-party software attributions

Version 3.3.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.6

Version 3.2.6 of the Splunk Add-on for Cisco ASA was released on July 18, 2016. Version 3.2.6 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 5.0 and later
CIM 3.0 and later
Platforms Platform independent
Vendor Products Cisco ASA 5500 series, Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and above

Fixed issues

Version 3.2.6 of the Splunk Add-on for Cisco ASA fixes the following issues.

Date Defect number Description
2016-06-22 ADDON-9015 The user information cannot be extracted for some events.
2016-06-21 ADDON-9461 The default tag is incorrectly applied to all events of the cisco_authentication event type.
2016-06-17 ADDON-8738 The byte and transport fields are not properly normalized or calculated for CIM compliance.
2016-06-17 ADDON-10246 The user and domain/group fields are not extracted properly for some events.

Known issues

Version 3.2.6 of the Splunk Add-on for Cisco ASA contains no known issues.

Third-party software attributions

Version 3.2.6 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.


Version 3.2.5

Version 3.2.5 of the Splunk Add-on for Cisco ASA was released on April 1, 2016. Version 3.2.5 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 5.0 and above
CIM 3.0 and above
Platforms Platform independent
Vendor Products Cisco ASA 5500 series, Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and above

Fixed issues

Version 3.2.5 of the Splunk Add-on for Cisco ASA fixes the following issues.

Resolved Date Defect number Description
2016-03-11 ADDON-7065 Performance issues in Splunk Enterprise Security related to tag expansions.
2016-03-14 ADDON-8256 Source/Destination IP addresses not being extracted properly.
2016-03-10 ADDON-7759 Remove legacy eventgen support.

Known issues

Version 3.2.5 of the Splunk Add-on for Cisco ASA has the following known issues.

Date Defect number Description
2014-12-17 ADDON-2728 Add-on does not support IPv6.

Third-party software attributions

Version 3.2.5 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.4

Version 3.2.4 of the Splunk Add-on for Cisco ASA has the same compatibility specifications as version 3.2.5.

Fixed issues

Version 3.2.4 of the Splunk Add-on for Cisco ASA fixes the following issues.

Resolved Date Defect number Description
2015-09-28 ADDON-5743 Add-on stores the signature_id number of Cisco ASA message in message_id field instead of signature_id.
2015-09-18 ADDON-5655 src and dest extractions fail when interface name contains a colon.
2015-09-17 ADDON-5613 The add-on defines event types as cisco:* which impacts other Cisco technologies that this add-on does not cover.
2015-09-15 ADDON-5257 Zone information does not go to standardized field names.
2015-09-09 ADDON-5304 VPN events do not have network tag.
2015-07-21 ADDON-4457 Regex to extract dest ip fails if there is a . in the interface name.

Known issues

Version 3.2.4 of the Splunk Add-on for Cisco ASA has the following known issues.

Date Defect number Description
2014-12-17 ADDON-2728 Add-on does not support IPv6.

Third-party software attributions

Version 3.2.4 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.3

Version 3.2.3 of the Splunk Add-on for Cisco ASA has the same compatibility specifications as version 3.2.4.

Fixed issues

Version 3.2.3 of the Splunk Add-on for Cisco ASA fixes the following issues.

Date Defect number Description
06/17/15 ADDON-4229 Duplicated values in lookup cisco_asa_severity_lookup.csv result in duplicated values in severity field.
06/17/15 ADDON-4021 Source types are not backwards compatible with old versions of the add-on that used "cisco_asa" or "cisco-asa".
06/16/14 ADDON-1107 Bug in eventgen rule_number field.
06/15/15 ADDON-4225 Field Alias src is used for both src_ip and src_ipv6.
06/09/15 ADDON-3916 Extraction for field user fails for certain actions.

Known issues

Version 3.2.3 of the Splunk Add-on for Cisco ASA has the following known issues.

Date Defect number Description
2015-09-23 ADDON-5743 Add-on stores the signature_id number of Cisco ASA message in message_id field instead of signature_id.
2015-09-17 ADDON-5655 src and dest extractions fail when interface name contains a colon.
2015-09-17 ADDON-5613 The add-on defines event types as cisco:* which impacts other Cisco technologies that this add-on does not cover.
2015-09-01 ADDON-5304 VPN events do not have network tag.
2015-08-31 ADDON-5257 Zone information does not go to standardized field names.
2015-07-03 ADDON-4457 Regex to extract dest ip fails if there is a . in the interface name.
2014-12-17 ADDON-2728 Add-on does not support IPv6.

Third-party software attributions

Version 3.2.3 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.2

Version 3.2.2 of the Splunk Add-on for Cisco ASA has the same compatibility specifications as version 3.2.3.

Fixed issues

Version 3.2.2 of the Splunk Add-on for Cisco ASA fixes the following issues.

Date Defect number Description
04/13/15 ADDON-3649 XML file names do not match pre-built panel titles.
04/10/15 ADDON-3357 Duration field extraction too narrow.
03/16/15 ADDON-3327 Typo in eventtypes.conf causes searches to fail.
03/11/15 ADDON-3357 Transposed src and dest directions.

Known issues

Version 3.2.2 of the Splunk Add-on for Cisco ASA has the following known issues.

Date Defect number Description
05/18/15 ADDON-4021 Source types are not backwards compatible with old versions of the add-on that used "cisco_asa" or "cisco-asa".
05/04/15 ADDON-3916 Extraction of "user" field fails.
12/17/14 ADDON-2728 Add-on does not support IPv6.
01/31/14 ADDON-1107 Bug in eventgen rule_number field.

Third-party software attributions

Version 3.2.2 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.1

Version 3.2.1 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.2.

Fixed issues

Version 3.2.1 of the Splunk Add-on for Cisco ASA fixed the following issues.

Date Defect number Description
02/04/15 ADDON-3067 Field "action" looked up by cisco_asa_change_analysis_lookup overrides action from cisco_action_lookup.
02/04/15 ADDON-3142 Field "action" contains some duplicated values.

Known issues

Version 3.2.1 of the Splunk Add-on for Cisco ASA had no reported known issues.

Third-party software attributions

Version 3.2.1 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.0

Version 3.2.0 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.2.

New features

Version 3.2.0 of the Splunk Add-on for Cisco ASA included the following new features.

Date Ticket number Description
01/06/15 ADDON-1083 Support for additional fields of the Change Analysis CIM data model.
12/10/14 ADDON-2230 Support for VPN events.
11/18/14 ADDON-2284 Support for Web events.

Fixed issues

Version 3.2.0 of the Splunk Add-on for Cisco ASA fixed the following issues.

Date Defect number Description
12/09/14 ADDON-1888 Reversed src and dest when direction is outbound.
11/19/14 ADDON-2343 Remove right bracket from acl results.
11/16/14 ADDON-1507 Regex change needed for rule_number field.
11/14/14 ADDON-2155 Field extraction should avoid variable keys wherever possible.
10/16/14 ADDON-2165 Incorrect setting of app field.

Known issues

Version 3.2.0 of the Splunk Add-on for Cisco ASA had the following known issue.

Date Defect number Description
01/23/15 ADDON-3067 Field "action" looked up by cisco_asa_change_analysis_lookup overrides action from cisco_action_lookup.

Third-party software attributions

Version 3.2.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.1.0

Version 3.1.0 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.1.

New features

Version 3.1.0 of the Splunk Add-on for Cisco ASA includes the following new features:

  • Pre-built panels. (ADDON-1638)
  • Support for version 9.2 of ASA. (ADDON-1146)

Fixed issues

Version 3.1.0 of the Splunk Add-on for Cisco ASA fixes the following issues:

  • ASA teardown events prevent accurate analysis of network traffic. (ADDON-1258)
  • Typo of aaa_cisco_tunnelgroup for cisco_asa_tunnelgroup in props.conf and mismatch with transforms.conf. (ADDON-1498)
  • Field extraction fails for field 'signature_id'. (ADDON-1501)
  • Regex fails to extract the field "acl" for sourcetype="cisco:fwsm" (ADDON-1508) or for sourcetype="cisco:pix" (ADDON-1500).
  • Incorrect regex for field 'icmp_type'. (ADDON-1510)
  • Regex incorrect for the field "group_policy". (ADDON-1512)
  • Non-functional lookup file cisco_vendor_info_lookups.csv. Resolved by implementing the same functionality with static fields via EVALs in props.conf. (ADDON-1514)
  • Some REPORT definitions not read into Splunk Enterprise. (ADDON-1515)
  • Transposed mappings to CIM for src and dest related fields. (ADDON-1888)
  • Search fails with fields src_id, fw_user. (ADDON-1976)
  • Incorrect field extraction for icml_type. (ADDON-1978)
  • The fields dest_translated_ip and dest_translated_port not extracted via regex. (ADDON-1979)
  • The assigned_ip field not extracted via regex. (ADDON-1980)
  • The group field not extracted via regex. (ADDON-1981)
  • The dest_domain field not extracted for Cisco ASA version 9.2. (ADDON-2031)

Known issues

Version 3.1.0 of the Splunk Add-on for Cisco ASA has the following known issues:

  • In multi-router installations, two different timestamps appear in Cisco ASA data, and the second one (after the IP address) is the correct one. (ADDON-1543)

Third-party software attributions

Version 3.1.0 of the Splunk Add-on for Cisco ASA did not incorporate any third-party software or libraries.

Version 3.0.1

Version 3.0.1 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.0.

New features

Version 3.0.1 of the Splunk Add-on for Cisco ASA included the following new features:

  • Vendor Class support. (ADDON-1087)
  • VPN data populates in the Network Sessions CIM data model. (ADDON-1082)

Fixed issues

Version 3.0.1 of the Splunk Add-on for Cisco ASA fixed the following issues:

  • Eventgen host incorrectly set to localhost. (ADDON-1105)
  • Eventgen sample includes quotes around event. (ADDON-1106)
  • Add-on does not recognize "session-" in certain log outputs. (ADDON-1223)

Known issues

Version 3.0.1 of the Splunk Add-on for Cisco ASA had the following known issues:

  • ASA teardown events prevent accurate analysis of network traffic. (ADDON-1258)
  • Typo of aaa_cisco_tunnelgroup for cisco_asa_tunnelgroup in props.conf and mismatch with transforms.conf. (ADDON-1498)
  • Field extraction fails for field 'signature_id'. (ADDON-1501)
  • Regex fails to extract the field "acl" for sourcetype="cisco:fwsm" (ADDON-1508) or for sourcetype="cisco:pix" (ADDON-1500).
  • Incorrect regex for the field "icmp_type". (ADDON-1510)
  • Regex incorrect for the field "group_policy". (ADDON-1512)
  • Some REPORT definitions not read into Splunk Enterprise. (ADDON-1515)
  • In multi-router installations, two different timestamps appear in Cisco ASA data, and the second one (after the IP address) is the correct one. (ADDON-1593)
  • Transposed mappings to CIM for src and dest related fields. (ADDON-1888)

Third-party software attributions

Version 3.0.1 of the Splunk Add-on for Cisco ASA did not incorporate any third-party software or libraries.

Last modified on 05 May, 2022