Release history for the Splunk Add-on for Cisco ASA
The latest version of the Splunk Add-on for Cisco ASA is version 5.2.0. See Release notes for the Splunk Add-on for Cisco ASA for release notes of this latest version.
Version 5.1.0
Version 5.1.0 of the Splunk Add-on for Cisco ASA was released on July 14, 2022.
Compatibility
Version 5.1.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.1, 8.2 |
CIM | 4.20.2 |
Supported OS for data collection | OS independent |
Vendor products | Cisco ASA v9.12, v9.13, v9.16 |
Supported Cisco ASA event message_ids | 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 110003, 111001, 111004, 111008, 111009, 111010, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 302021, 303002, 304001, 305009, 305010, 305011, 305012, 305013, 313001, 313004, 313005, 313009, 338002, 338301, 338302, 400013, 400032, 405001, 419002, 419003, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 505004, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 602303, 602304, 605005, 609001, 609002, 611101, 710002, 710003, 710005, 711004, 713041, 713049, 713075, 713119, 713120, 713130, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713903, 713905, 713906, 715001, 715009, 715038, 715046, 715065, 715076, 715080, 716001, 716002, 716038, 716039, 716058, 716059, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722037, 722041, 722051, 722055, 725003, 725007, 725008, 725010, 725011, 725014, 725017, 733100, 734001, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 771002 |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New or changed features
The Splunk Add-on for Cisco ASA 5.1.0 introduces the following field changes.
Message id | Source-type | Fields added | Fields removed |
---|---|---|---|
602303, 717022, 109031, 106007, 611101, 717027, 113004, 722022, 313001, 505009, 710003, 722028, 113012, 400032, 302014, 722031, 716047, 713185, 302020, 313005, 106014, 302015, 502102, 110003, 716059, 716039, 106017, 717029, 111010, 109025, 303002, 313009, 305011, 772003, 502111, 722051, 106023, 722030, 500003, 106006, 716002, 502112, 106015, 716001, 772002, 505004, 722029, 716058, 106021, 110002, 505015, 400013, 106100, 717028, 722033, 106016, 717009, 722023, 751025, 419003, 605005, 713198, 713228, 302013, 405001, 502103, 338002, 710002, 725003, 113008, 419002, 710005, 725007, 722037, 713167, 106020, 106012, 502101, 113019, 716038, 722034, 717037, 106103, 713166, 313004, 602304, 113005, 605004, 106001, 338301, 113039 | cisco:asa | | |
111001 | cisco:asa | status, change_type, action, tag::eventtype, change_description, command, eventtype, result, object, dest, object_type, tag, object_id, object_category, Cisco_ASA_action | device, src_host |
111004 | cisco:asa | status, action, tag::eventtype, command, eventtype, result, object, dest, tag, object_category, Cisco_ASA_action | src_host |
111009 | cisco:asa | status, change_type, tag::eventtype, change_description, eventtype, result, object, dest, object_type, tag, object_category | Cisco_ASA_vendor_action, vendor_action |
113021 | cisco:asa | | |
302021, 305012, 305013 | cisco:asa | tag, eventtype, tag::eventtype | |
609002, 609001 | cisco:asa | zone, src_ip, tag::eventtype, eventtype, dest, tag, communication_protocol, dest_ip | IP, zone_name, ip_address |
771002 | cisco:asa | status, change_type, action, tag::eventtype, change_description, command, object_attrs, result, eventtype, object, dest, object_type, tag, object_id, object_category, Cisco_ASA_action | after_time, src_ip, before_time |
772004 | cisco:asa | | |
Fixed issues
Version 5.1.0 of the Splunk Add-on for Cisco ASA fixes the following issues:
Known issues
Version 5.1.0 of the Splunk Add-on for Cisco ASA has the following known issues:
Third-party software attributions
Version 5.1.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.
Version 5.0.0
Version 5.0.0 of the Splunk Add-on for Cisco ASA was released on April 29, 2022.
Compatibility
Version 5.0.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.1, 8.2 |
CIM | 4.20.2 |
Supported OS for data collection | OS independent |
Vendor products | Cisco ASA v9.12, v9.13, v9.16 |
Supported Cisco ASA event message_ids | 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 110003, 111001, 111004, 111008, 111009, 111010, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 303002, 304001, 305009, 305010, 305011, 313001, 313004, 313005, 313009, 338301, 338302, 400013, 400032, 405001, 419002, 419003, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 505004, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 602303, 602304, 605005, 609001, 609002, 611101, 710002, 710003, 710005, 711004, 713041, 713049, 713075, 713119, 713120, 713130, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713903, 713905, 713906, 715001, 715009, 715038, 715046, 715065, 715076, 715080, 716001, 716002, 716038, 716039, 716058, 716059, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722037, 722041, 722051, 722055, 725003, 725007, 725008, 725010, 725011, 725014, 725017, 733100, 734001, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 338002, 111008, 111010, 302013, 302020, 302021, 609001, 609002 |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New or changed features
Version 5.0.0 supports IPv6 events. If Cisco ASA and Splunk are connected to each other over IPv6, you must configure Splunk to receive events from an IPv6 peer. To configure Splunk Enterprise to listen on an IPv6 network, see https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/ConfigureSplunkforIPv6
Event type changes
Authentication data model mapping has been added for the event type cisco_authentication_privileged.
message_id changes
For the following message_ids, CIM data model/dataset mappings have changed as follows:
message_id | Old Data Model/Data Set | New Data Model/Data Set |
---|---|---|
111010, 502101, 502102, 502103, 502111, 502112, 505004, 505009, 505015 | Change:Auditing_Changes | Change:All_Changes |
Field changes
The Splunk Add-on for Cisco ASA 5.0.0 introduces the following field changes.
Message id | Source-type | Fields added | Fields removed |
---|---|---|---|
106012 | cisco:asa | app | |
109031 | cisco:asa | eventtype, tag::eventtype, Cisco_ASA_action, dest, tag, Username, reason, user, action, Cisco_ASA_user | |
110003 | cisco:asa | vendor_severity, severity | |
113021 | cisco:asa | eventtype, tag::eventtype, Cisco_ASA_action, dest, tag, Username, app, reason, user, action, Cisco_ASA_user | |
302020 | cisco:asa | user | |
405001 | cisco:asa | vendor_severity, severity | |
502103 | cisco:asa | | |
602304 | cisco:asa | | |
605004 | cisco:asa | dest_interface, eventtype, tag::eventtype, Cisco_ASA_action, src, dest_ip, communication_protocol, dest, dest_zone, tag, app, src_port, src_ip, Username, user, action, Cisco_ASA_user | |
605005 | cisco:asa | dest_port, service, Cisco_ASA_vendor_action, vendor_action | |
716047 | cisco:asa | eventtype, tag::eventtype, Cisco_ASA_action, src, communication_protocol, dest, tag, Username, app, reason, user, action, Cisco_ASA_user | |
725003 | cisco:asa | signature_id | |
725007 | cisco:asa | signature | |
772002 | cisco:asa | eventtype, tag::eventtype, Cisco_ASA_action, dest, tag, Username, app, reason, user, action, Cisco_ASA_user | |
772003 | cisco:asa | eventtype, tag::eventtype, Cisco_ASA_action, src, communication_protocol, dest, tag, Username, app, src_ip, reason, user, action, Cisco_ASA_user | |
772004 | cisco:asa | eventtype, tag::eventtype, Cisco_ASA_action, src, communication_protocol, dest, tag, Username, app, src_ip, reason, user, action, Cisco_ASA_user | |
Fixed issues
Version 5.0.0 of the Splunk Add-on for Cisco ASA fixes the following issues:
Known issues
Version 5.0.0 of the Splunk Add-on for Cisco ASA has the following known issues:
Third-party software attributions
Version 5.0.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.
Version 4.2.0
Version 4.2.0 of the Splunk Add-on for Cisco ASA was released on December 27, 2021.
Compatibility
Version 4.2.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.1, 8.2 |
CIM | 4.20.2 |
Supported OS for data collection | OS independent |
Vendor products | Cisco ASA v9.12, v9.13, v9.16 |
Supported Cisco ASA event message_ids | 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 110003, 111001, 111004, 111008, 111009, 111010, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 303002, 304001, 305009, 305010, 305011, 313001, 313004, 313005, 313009, 338301, 338302, 400013, 400032, 405001, 419002, 419003, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 505004, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 602303, 602304, 605005, 609001, 609002, 611101, 710002, 710003, 710005, 711004, 713041, 713049, 713075, 713119, 713120, 713130, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713903, 713905, 713906, 715001, 715009, 715038, 715046, 715065, 715076, 715080, 716001, 716002, 716038, 716039, 716058, 716059, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722037, 722041, 722051, 722055, 725003, 725007, 725008, 725010, 725011, 725014, 725017, 733100, 734001, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 338002 |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New or changed features
As of version 4.2.0 of the Splunk Add-on for Cisco ASA, the following features were added or changed:
Event type changes
The following event type changes were made in version 4.2.0:
- Change data model mapping has been added for the event type cisco_asa_alert.
- Change data model mapping has been removed from the event type cisco_asa_endpoint_processes.
- Network Session Start and End data model mapping has been removed from the event types cisco_vpn_start and cisco_vpn_end.
- Audit mapping has been removed from the event type cisco_asa_audit_change.
message_id changes
For the following message_ids, CIM data model/dataset mappings have changed as follows:
message_id | Old Data Model/Data Set | New Data Model/Data Set |
---|---|---|
111010, 502101, 502102, 502103, 502111, 502112, 505004, 505009, 505015 | Change:Auditing_Changes | Change:All_Changes |
113019, 716002, 602304, 722023 | Network_Sessions:Session_End | Network_Sessions:VPN |
722033, 113039, 602303, 716001, 722034, 722022 | Network_Sessions:Session_Start | Network_Sessions:VPN |
CIM mappings have been modified to map as follows:
Event type | Cisco ASA Message ID |
---|---|
cisco_connection | 302014, 302016 |
cisco_authentication_privileged | 502103 |
cisco_asa_network_sessions | 725003, 725007 |
cisco_asa_audit_change | 111010 |
Field changes
The Splunk Add-on for Cisco ASA 4.2.0 introduces the following field changes.
Message id | Source-type | Fields added | Fields removed |
---|---|---|---|
106023 | cisco:asa | signature_id, rule_name | |
110003 | cisco:asa | Communication_protocol, Src, Dest_ip, Signature_id, src_interface, src_ip, dest_interface, dest, dest_port, protocol, app, src_zone, dest_zone | |
111010 | cisco:asa | object_category | |
302014 | cisco:asa | src, tag, Cisco_ASA_action, dest_ip, duration, dest, Username, dest_port, protocol, user, Cisco_ASA_vendor_action, tag::eventtype, communication_protocol, duration_hour, vendor_action, transport, src_user, duration_second, src_nt_domain, action, src_port, dest_zone, session_id, reason, protocol_version, src_interface, duration_minute, bytes, Cisco_ASA_user, dest_interface, eventtype, src_zone, src_ip | |
302015 | cisco:asa | dest_user, user, Username, Cisco_ASA_user | |
302016 | cisco:asa | src, tag, Cisco_ASA_action, dest_ip, duration, dest, Username, dest_port, protocol, app, user, Cisco_ASA_vendor_action, tag::eventtype, communication_protocol, duration_hour, vendor_action, transport, src_user, duration_second, src_nt_domain, action, src_port, dest_zone, session_id, protocol_version, src_interface, duration_minute, bytes, Cisco_ASA_user, dest_interface, eventtype, src_zone, src_ip | |
303002 | cisco:asa | app | |
305012, 305011 | cisco:asa | src_user, user, Username, Cisco_ASA_user | |
338301 | cisco:asa | transport, rule_name, rule, acl | |
405001 | cisco:asa | tag, signature_id, app, eventtype, type, tag::eventtype | |
502101 | cisco:asa | result | |
502102 | cisco:asa | result | |
502103 | cisco:asa | result | |
502111 | cisco:asa | result | |
502112 | cisco:asa | result | |
505001 | cisco:asa | result | |
505002 | cisco:asa | result | |
505003 | cisco:asa | result | |
505004 | cisco:asa | result | |
505005 | cisco:asa | result | |
505006 | cisco:asa | result | |
505009 | cisco:asa | object_attrs, result | |
505015 | cisco:asa | result | |
713166, 713167 | cisco:asa | app | |
717029 | cisco:asa | dest | |
722022 | cisco:asa | dest_host, dest, src | |
725003 | cisco:asa | eventtype, signature, tag, tag::eventtype | |
725007 | cisco:asa | eventtype, tag, tag::eventtype | |
Fixed issues
Version 4.2.0 of the Splunk Add-on for Cisco ASA fixes the following issues:
Known issues
Version 4.2.0 of the Splunk Add-on for Cisco ASA has the following known issues:
Third-party software attributions
Version 4.2.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.
Version 4.1.0
Version 4.1.0 of the Splunk Add-on for Cisco ASA was released on October 6, 2020.
Compatibility
Version 4.1.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.2, 7.3, 8.0, 8.1 |
CIM | 4.17 |
Supported OS for data collection | OS independent |
Vendor products | Cisco ASA v9.4, v9.12, v9.13 |
Supported Cisco ASA event message_ids | 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302015, 302020, 303002, 304001, 305011, 313001, 313004, 313005, 313009, 338301, 338302, 400013, 400032, 419002, 419003, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 505004, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 602303, 602304, 605005, 609001, 609002, 611101, 710002, 710003, 710005, 711004, 713041, 713049, 713075, 713119, 713120, 713130, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713903, 713905, 713906, 715001, 715009, 715038, 715046, 715065, 715076, 715080, 716001, 716002, 716038, 716039, 716058, 716059, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722037, 722041, 722051, 722055, 725008, 725010, 725011, 725014, 725017, 733100, 734001, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 338002 |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New or changed features
As of version 4.1.0 of the Splunk Add-on for Cisco ASA, the following features were added or changed:
Event type changes
The following event type changes were made in version 4.1.0:
- Change data model mapping has been removed from the event type cisco_asa_configuration_change.
- Endpoint data model mapping has been removed from the event types cisco_asa_endpoint_processes and cisco_asa_endpoint_filesystem.
- Network Resolution (DNS) mapping has been removed from the event type cisco_asa_network_resolution.
- The event type cisco_asa_audit_change has been added and maps to the Change data model.
message_id changes
For the following message_ids, CIM data model mappings have changed as follows:
message_id | Old Data Model | New Data Model |
---|---|---|
313005 | Network Intrusion, Network Traffic | Network Traffic |
302015 | Network_Traffic, Network_Sessions | Network Traffic |
109025 | Authentication, Network_Traffic | Network_Traffic |
Mappings with CIM data models have been removed for the following message_ids:
113003, 302014, 302016, 302021, 304001, 305012, 305013, 314001, 402119, 405001, 500001, 500002, 504001, 504002, 505001, 505002, 505003, 505005, 505006, 505007, 505008, 507003, 602101, 607001, 608001, 702307, 710006, 713154, 713160, 713162, 713163, 716014, 716015, 716016, 716603, 722053, 725001, 725002, 722036, 725003, 725006, 725007, 725012, 725016, 734003, 751026, 805001, 805002, 805003
CIM mappings have been modified to map as follows:
Event type | Cisco ASA Message ID |
---|---|
cisco_vpn_start | 113039, 716001, 722022, 602303, 722033, 722034 |
cisco_vpn_end | 113019, 716002, 722023, 602304 |
cisco_vpn | 722051, 713228 |
cisco_intrusion | 400032, 313005, 106016, 10601 |
cisco_connection | 109025, 302013, 305011, 302015, 106023, 106015, 106012, 106100, 106103, 110002, 302020, 338301, 400013, 710003, 710005, 419002, 106021, 313005, 106001, 313001, 106007, 303002, 710002, 313009, 500003, 106006, 106014, 419003, 106020, 338002, 313004 |
cisco_authentication_privileged | 502103 |
cisco_authentication | 113008, 113012, 113004, 113005, 611101, 605005, 713166, 713167, 713185, 716038, 716039, 713198 |
cisco_asa_network_sessions | 716058, 716059, 722028, 722029, 722030, 722031, 722037, 751025 |
cisco_asa_network_resolution | 713154 |
cisco_asa_endpoint_processes | 111010 |
cisco_asa_endpoint_filesystem | 716015, 716014, 716016 |
cisco_asa_configuration_change | 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505015, 113003, and all events having a value for change_class |
cisco_asa_certificates | 717009, 717022, 717027, 717028, 717029, 717037 |
cisco_asa_audit_change | 502102, 502101, 502103, 502111, 111010, 502112, 505015, 505004, 505009 |
Fixed issues
Version 4.1.0 of the Splunk Add-on for Cisco ASA fixes the following issues:
Date resolved | Issue number | Description |
---|---|---|
2020-09-21 | ADDON-27927 | Cisco ASA TA - cisco_asa_action_lookup.csv actions not consistent with CIM compliancy - network_traffic" DM (action=allowed OR action=blocked) |
2020-08-10 | ADDON-27928 | Cisco ASA TA - new Regex doesn't pick up spaces |
Known issues
Version 4.1.0 of the Splunk Add-on for Cisco ASA has the following known issues:
Third-party software attributions
Version 4.1.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.
Version 4.0.2
Version 4.0.2 of the Splunk Add-on for Cisco ASA was released on June 24, 2020.
Compatibility
Version 4.0.2 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.2, 7.3, 8.0 |
CIM | 4.15 |
Supported OS for data collection | OS independent |
Vendor products | Cisco ASA v9.4, v9.12, v9.13 |
Supported Cisco ASA event message_ids | 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113003, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 302021, 303002, 304001, 305011, 305012, 305013, 313001, 313004, 313005, 313009, 314001, 338301, 338302, 400013, 400032, 402119, 405001, 419002, 419003, 500001, 500002, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 504001, 504002, 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 507003, 602101, 602303, 602304, 605005, 607001, 608001, 609001, 609002, 611101, 702307, 710002, 710003, 710005, 710006, 711004, 713041, 713049, 713075, 713119, 713120, 713130, 713154, 713160, 713162, 713163, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713903, 713905, 713906, 715001, 715009, 715038, 715046, 715065, 715076, 715080, 716001, 716002, 716014, 716015, 716016, 716038, 716039, 716058, 716059, 716603, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722036, 722037, 722041, 722051, 722053, 722055, 725001, 725002, 725003, 725006, 725007, 725008, 725010, 725011, 725012, 725014, 725016, 725017, 733100, 734001, 734003, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 751026, 805001, 805002, 805003, 338002 |
Note: As of version 4.0.0 of the Splunk Add-on for Cisco ASA, Splunk does not support PIX and FWSM source types. To support this transition, version 3.4.0 will remain available for 90 days after the release of 4.0.0.
New or changed features
As of version 4.0.2 of the Splunk Add-on for Cisco ASA, the following features were added or changed:
Event type changes
The following event types have been added in version 4.0.2:
- cisco_asa_vpn
- cisco_asa_vpn_start
- cisco_asa_vpn_end
The event type cisco_asa_change is now named cisco_asa_configuration_change.
message_id changes
For the following message_ids, CIM data model mappings have changed as follows:
message_id | Old Data Model | New Data Model |
---|---|---|
113004 | Network Sessions | Authentication |
313004 | Network Sessions | Network Traffic |
602303 | Network Traffic | Network Sessions |
602304 | Network Traffic | Network Sessions |
713228 | Change | Network Sessions |
716038 | Network Sessions, Authentication | Authentication |
716039 | Network Sessions, Authentication | Authentication |
Mapping with CIM data models has been removed for the following message_ids:
713121, 713236, 714002, 714004, 714006, 714011, 715006, 715007, 715047, 715048, 715049, 715077, 771002
Fixed issues
Version 4.0.2 of the Splunk Add-on for Cisco ASA fixes the following issues:
Date resolved | Issue number | Description |
---|---|---|
2020-06-22 | ADDON-26648 | Cisco ASA: Issue with CIM mapping of Message ID - 113004 |
2020-06-22 | ADDON-26852 | Splunk Add-on for Cisco ASA missing eventtypes after upgrade to 4.0.1 |
Known issues
Version 4.0.2 of the Splunk Add-on for Cisco ASA has the following known issues:
Date filed | Issue number | Description |
---|---|---|
2020-07-24 | ADDON-27927 | Cisco ASA TA - cisco_asa_action_lookup.csv actions not consistent with CIM compliancy - network_traffic" DM (action=allowed OR action=blocked) |
2020-07-24 | ADDON-27928 | Cisco ASA TA - new Regex doesn't pick up spaces |
Workaround for ADDON-27927: We have changed the lookup to the right actions in order to fix that.
sed -i -e 's/built,,built/built,,allowed/g' /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/lookups/cisco_asa_action_lookup.csv
sed -i -e 's/permitted,,permitted/permitted,,allowed/g' /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/lookups/cisco_asa_action_lookup.csv
sed -i -e 's/denied,,denied/denied,,blocked/g' /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/lookups/cisco_asa_action_lookup.csv
sed -i -e 's/deny,,deny/deny,,blocked/g' /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/lookups/cisco_asa_action_lookup.csv
Workaround for ADDON-27928: The workaround for me is to delete the \s in the group capturing of the Group field. We have identified a lot of regexes where it can happen and do these steps to work around it:
mkdir -p /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/
grep -C 1 "<Group>[^*\s]" /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/default/transforms.conf > /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms0.conf
sed 's/--//g' /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms0.conf > /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms1.conf
sed 's/<Group>\[^\\>\\s/<Group>\[^\\>/g' /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms1.conf > /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms.conf
rm -f /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms0.conf /opt/splunk/etc/deployment-apps/Splunk_TA_cisco-asa/local/transforms1.conf
Maybe our network admins have not done things properly when they created those firewall groups with spaces, but it's a reality in our context and we can't do anything about it.
Third-party software attributions
Version 4.0.2 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.
Version 4.0.1
Version 4.0.1 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.2, 7.3, 8.0 |
CIM | 4.15 |
Supported OS for data collection | OS independent |
Vendor products | Cisco ASA v9.4, v9.12, v9.13 |
Supported Cisco ASA event message_ids | 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113003, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 302021, 303002, 304001, 305011, 305012, 305013, 313001, 313004, 313005, 313009, 314001, 338301, 338302, 400013, 400032, 402119, 405001, 419002, 419003, 500001, 500002, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 504001, 504002, 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 507003, 602101, 602303, 602304, 605005, 607001, 608001, 609001, 609002, 611101, 702307, 710002, 710003, 710005, 710006, 711004, 713041, 713049, 713075, 713119, 713120, 713121, 713130, 713154, 713160, 713162, 713163, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713236, 713903, 713905, 713906, 714002, 714004, 714006, 714011, 715001, 715006, 715007, 715009, 715038, 715046, 715047, 715048, 715049, 715065, 715076, 715077, 715080, 716001, 716002, 716014, 716015, 716016, 716038, 716039, 716058, 716059, 716603, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722036, 722037, 722041, 722051, 722053, 722055, 725001, 725002, 725003, 725006, 725007, 725008, 725010, 725011, 725012, 725014, 725016, 725017, 733100, 734001, 734003, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 751026, 771002, 805001, 805002, 805003, 338002 |
Note: As of version 4.0.0 of the Splunk Add-on for Cisco ASA, Splunk does not support PIX and FWSM source types. To support this transition, version 3.4.0 will remain available for 90 days after the release of 4.0.0.
Version 4.0.0
Version 4.0.0 of the Splunk Add-on for Cisco ASA was released on April 21, 2020.
Compatibility
Version 4.0.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.2, 7.3, 8.0 |
CIM | 4.15 |
Supported OS for data collection | OS independent |
Vendor products | Cisco ASA v9.4, v9.12, v9.13 |
Supported Cisco ASA event message_ids | 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113003, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 302021, 303002, 304001, 305011, 305012, 305013, 313001, 313004, 313005, 313009, 314001, 338301, 338302, 400013, 400032, 402119, 405001, 419002, 419003, 500001, 500002, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 504001, 504002, 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 507003, 602101, 602303, 602304, 605005, 607001, 608001, 609001, 609002, 611101, 702307, 710002, 710003, 710005, 710006, 711004, 713041, 713049, 713075, 713119, 713120, 713121, 713130, 713154, 713160, 713162, 713163, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713236, 713903, 713905, 713906, 714002, 714004, 714006, 714011, 715001, 715006, 715007, 715009, 715038, 715046, 715047, 715048, 715049, 715065, 715076, 715077, 715080, 716001, 716002, 716014, 716015, 716016, 716038, 716039, 716058, 716059, 716603, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722036, 722037, 722041, 722051, 722053, 722055, 725001, 725002, 725003, 725006, 725007, 725008, 725010, 725011, 725012, 725014, 725016, 725017, 733100, 734001, 734003, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 751026, 771002, 805001, 805002, 805003, 338002 |
Note: As of version 4.0.0 of the Splunk Add-on for Cisco ASA, Splunk does not support PIX and FWSM source types. To support this transition, version 3.4.0 will remain available for 90 days after the release of 4.0.0.
New or changed features
Version 4.0.0 of the Splunk Add-on for Cisco ASA has the following new or changed features:
- Added segmenters.conf to let you filter timestamps from being added to the lexicon
- Deprecated support for the PIX and FWSM sourcetypes and the Malware data model
- CIM v4.15 compatibility
- Field extractions for supported Event IDs
Fixed issues
Version 4.0.0 of the Splunk Add-on for Cisco ASA fixes the following issues:
Date resolved | Issue number | Description |
---|---|---|
2020-04-06 | ADDON-12426 | Transposed directions not showing correctly |
Known issues
Version 4.0.0 of the Splunk Add-on for Cisco ASA has the following known issues:
Date filed | Issue number | Description |
---|---|---|
2020-05-12 | ADDON-26529 | segmenters.conf makes sourcetype=cisco:asa events not searchable by term when the event does not match the FILTER = <regular expression>, because segmentation is turned off completely for those events. Workaround: create props.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/local with the following stanza, which rolls the sourcetype back to the system/default settings: [cisco:asa] SEGMENTATION = indexing. For affected data that has already been ingested, searching for an IP address by term does not return results as expected:
| search sourcetype=cisco:asa src=1.2.3.4
but searching for it with where or regex does:
| search sourcetype=cisco:asa | where (src LIKE "1.2.3.4")
| search sourcetype=cisco:asa | regex src="1\.2\.3\.4"
|
2020-05-08 | ADDON-26486 | Field extraction for IP should point to src_ip. Workaround: the shipped stanza is [cisco_asa_message_id_113039] REGEX = -113039:\s*Group\s*<?(?<Group>[^>\s]+)>?\s*User\s*<?(?<user>[^>\s]+)>?\s*IP\s*<?(?<dest_ip>[^\>,\s]+)>? Change dest_ip to src_ip so that the stanza reads: [cisco_asa_message_id_113039]
REGEX = -113039:\s*Group\s*<?(?<Group>[^>\s]+)>?\s*User\s*<?(?<user>[^>\s]+)>?\s*IP\s*<?(?<src_ip>[^\>,\s]+)>? |
Third-party software attributions
Version 4.0.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.
Version 3.4.0
Version 3.4.0 of the Splunk Add-on for Cisco ASA was released on April 17, 2019.
Compatibility
Version 3.4.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
CIM | 4.x |
Supported OS for data collection | OS independent |
Vendor products | Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and later |
New or changed features
Version 3.4.0 of the Splunk Add-on for Cisco ASA has the following new or changed features:
- Improved load balancing on the universal forwarder
- IPV6 extractions are disabled by default
Fixed issues
Version 3.4.0 of the Splunk Add-on for Cisco ASA fixes the following issues:
Date resolved | Issue number | Description |
---|---|---|
2019-03-11 | ADDON-16265 | Incorrect transform for user field in ta-cisco-asa |
2019-03-11 | ADDON-21370 | Values not extracted for 'command' field in certain events under sourcetype=cisco:asa |
Known issues
Version 3.4.0 of the Splunk Add-on for Cisco ASA has the following known issues:
Date filed | Issue number | Description |
---|---|---|
2019-03-25 | ADDON-21891 | FIELDALIAS behavior is different for Splunk v7.2.0+, as described in SPL-164505. Workaround: comment out the following lines in ~etc/apps/Splunk_TA_cisco-asa/default/props.conf: FIELDALIAS-fwsm_acl_for_rule = acl as rule (in the cisco:fwsm stanza) and FIELDALIAS-cisco_asa_tunnelgroup = tunnelgroup as group (in the cisco:asa stanza).
Then add the following in ~etc/apps/Splunk_TA_cisco-asa/local/props.conf: EVAL-rule=coalesce(acl, rule) (in the cisco:fwsm stanza) and EVAL-group=coalesce(tunnelgroup, group) (in the cisco:asa stanza) |
2016-11-29 | ADDON-12426 | Transposed directions not showing correctly. Workaround: add or modify the following stanza in ~etc/apps/Splunk_TA_cisco-asa/local/transforms.conf: [reverse_src_dest_for_outbound] REGEX = (?:[Oo]utbound|[tT]eardown)\s+\S+\s+connection\s+\d+\s+for\s+(\S+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?\s+to\s+([^: ]+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?
FORMAT = dest_zone::$1 dest_ip::$2 dest_port::$3 dest_user::$4 dest_translated_ip::$5 dest_translated_port::$6 src_zone::$7 src_ip::$8 src_port::$9 src_user::$10 src_translated_ip::$11 src_translated_port::$12
|
Third-party software attributions
Version 3.4.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.
Version 3.3.0
Version 3.3.0 of the Splunk Add-on for Cisco ASA was released on October 12, 2017. Version 3.3.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x |
CIM | 4.11 |
Platforms | Platform independent |
Vendor Products | Cisco ASA 5500 series, Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and above |
Fixed issues
Version 3.3.0 of the Splunk Add-on for Cisco ASA fixes the following issues.
Date resolved | Issue number | Description |
---|---|---|
2017-09-26 | ADDON-15550 | Transforms.conf file converts unnecessary regex capturing groups to non-capturing groups. |
2017-09-06 | ADDON-15551 | lookups/cisco_asa_vendor_class_lookup.csv has invalid entries for message ids 107*, 312*, 333* and 334* |
2017-08-03 | ADDON-14914 | Cisco ASA TA does not specify TIME_FORMAT in props.conf for cisco:asa, cisco:fwsm and cisco:pix |
2017-02-01 | ADDON-13459, ADDON-13245 | src_ip and src_port fields are not extracted for cisco_source_ipv4 |
2016-11-30 | ADDON-12469, ADDON-11294 | Improper tag assigned to NAT Events for eventtype cisco_connection |
2016-10-12 | ADDON-11294, ADDON-12469 | Add-on Bug Report - Splunk Add-on for Cisco ASA - Improperly Tagging NAT Events Problem Statement |
Known issues
Version 3.3.0 of the Splunk Add-on for Cisco ASA has the following known issues.
Date filed | Issue number | Description |
---|---|---|
2019-02-21 | ADDON-21370 | Values not extracted for 'command' field in certain events under sourcetype=cisco:asa |
2018-06-12 | ADDON-18377 | Reversing src and dest in the ICMP related logs Splunk Add-On for Cisco ASA |
2017-11-29 | ADDON-16265 | Incorrect transform for user field in ta-cisco-asa |
2016-11-29 | ADDON-12426 | Transposed directions not showing correctly. Workaround: add or modify the following stanza in ~etc/apps/Splunk_TA_cisco-asa/local/transforms.conf: [reverse_src_dest_for_outbound] REGEX = (?:[Oo]utbound|[tT]eardown)\s+\S+\s+connection\s+\d+\s+for\s+(\S+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?\s+to\s+([^: ]+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?
FORMAT = dest_zone::$1 dest_ip::$2 dest_port::$3 dest_user::$4 dest_translated_ip::$5 dest_translated_port::$6 src_zone::$7 src_ip::$8 src_port::$9 src_user::$10 src_translated_ip::$11 src_translated_port::$12
|
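The REGEX/FORMAT pair in the ADDON-12426 workaround above can be exercised offline before it goes into local/transforms.conf. The following is an added example, not code from the add-on or from Splunk's documentation: it applies the workaround's regex to a constructed 302013 "Built outbound" event and a constructed 302014 "Teardown" event, and maps the capture groups through the FORMAT string the way a Splunk transform does (groups that did not participate produce no field). The helper names and the sample log lines are my own.

```python
import re

# REGEX and FORMAT copied from the ADDON-12426 workaround stanza
# [reverse_src_dest_for_outbound].
REVERSE_SRC_DEST_REGEX = re.compile(
    r"(?:[Oo]utbound|[tT]eardown)\s+\S+\s+connection\s+\d+\s+for\s+(\S+)\s*:\s*"
    r"([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?"
    r"\s+to\s+([^: ]+)\s*:\s*([^\s\/\(]+)(?:\/(\w+))?(?:\((\S+)\))?"
    r"\s*\(?([^\s\/\(]+)?\/?(\d+)?\)?"
)
REVERSE_SRC_DEST_FORMAT = (
    "dest_zone::$1 dest_ip::$2 dest_port::$3 dest_user::$4 "
    "dest_translated_ip::$5 dest_translated_port::$6 "
    "src_zone::$7 src_ip::$8 src_port::$9 src_user::$10 "
    "src_translated_ip::$11 src_translated_port::$12"
)


def parse_format(fmt):
    """Turn a transforms.conf FORMAT string into (field, group_number) pairs."""
    pairs = []
    for token in fmt.split():
        field, ref = token.split("::", 1)
        pairs.append((field, int(ref.lstrip("$"))))
    return pairs


def apply_transform(regex, fmt, event):
    """Apply a REGEX/FORMAT pair to one event the way a Splunk transform does:
    a capture group that did not participate in the match yields no field."""
    m = regex.search(event)
    if m is None:
        return {}
    fields = {}
    for field, group in parse_format(fmt):
        value = m.group(group)
        if value is not None:
            fields[field] = value
    return fields


def reverse_src_dest(event):
    """Hypothetical helper: run the workaround stanza over one event."""
    return apply_transform(REVERSE_SRC_DEST_REGEX, REVERSE_SRC_DEST_FORMAT, event)


# Constructed sample events (not captured from a real device).
BUILT_OUTBOUND = (
    "%ASA-6-302013: Built outbound TCP connection 11212 for "
    "outside:203.0.113.10/443 (203.0.113.10/443) to "
    "inside:192.0.2.25/51234 (198.51.100.7/1045)"
)
TEARDOWN = (
    "%ASA-6-302014: Teardown TCP connection 11212 for "
    "outside:203.0.113.10/443 to inside:192.0.2.25/51234 "
    "duration 0:00:05 bytes 4321 TCP FINs"
)

if __name__ == "__main__":
    # On the outbound event the "for" side lands in dest_* and the "to" side
    # in src_*, which is what the workaround is for.
    print(reverse_src_dest(BUILT_OUTBOUND))
    # On the teardown event there are no translated addresses, so the trailing
    # optional groups of the regex capture the next token ("duration") as
    # src_translated_ip. Verify fields like this before building searches on them.
    print(reverse_src_dest(TEARDOWN))
```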
Third-party software attributions
Version 3.3.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.
Version 3.2.6
Version 3.2.6 of the Splunk Add-on for Cisco ASA was released on July 18, 2016. Version 3.2.6 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 5.0 and later |
CIM | 3.0 and later |
Platforms | Platform independent |
Vendor Products | Cisco ASA 5500 series, Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and above |
Fixed issues
Version 3.2.6 of the Splunk Add-on for Cisco ASA fixes the following issues.
Date | Defect number | Description |
2016-06-22 | ADDON-9015 | The user information cannot be extracted for some events. |
2016-06-21 | ADDON-9461 | The default tag is incorrectly applied to all events of the cisco_authentication event type. |
2016-06-17 | ADDON-8738 | The byte and transport fields are not properly normalized or calculated for CIM compliance. |
2016-06-17 | ADDON-10246 | The user and domain/group fields are not extracted properly for some events. |
Known issues
Version 3.2.6 of the Splunk Add-on for Cisco ASA contains no known issues.
Third-party software attributions
Version 3.2.6 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.
Version 3.2.5
Version 3.2.5 of the Splunk Add-on for Cisco ASA was released on April 1, 2016. Version 3.2.5 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 5.0 and above |
CIM | 3.0 and above |
Platforms | Platform independent |
Vendor Products | Cisco ASA 5500 series, Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and above |
Fixed issues
Version 3.2.5 of the Splunk Add-on for Cisco ASA fixes the following issues.
Resolved Date | Defect number | Description |
2016-03-11 | ADDON-7065 | Performance issues in Splunk Enterprise Security related to tag expansions. |
2016-03-14 | ADDON-8256 | Source/Destination IP addresses not being extracted properly. |
2016-03-10 | ADDON-7759 | Remove legacy eventgen support. |
Known issues
Version 3.2.5 of the Splunk Add-on for Cisco ASA has the following known issues.
Date | Defect number | Description |
2014-12-17 | ADDON-2728 | Add-on does not support IPv6. |
Third-party software attributions
Version 3.2.5 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.
Version 3.2.4
Version 3.2.4 of the Splunk Add-on for Cisco ASA has the same compatibility specifications as version 3.2.5.
Fixed issues
Version 3.2.4 of the Splunk Add-on for Cisco ASA fixes the following issues.
Resolved Date | Defect number | Description |
2015-09-28 | ADDON-5743 | Add-on stores the signature_id number of Cisco ASA message in message_id field instead of signature_id. |
2015-09-18 | ADDON-5655 | src and dest extractions fail when interface name contains a colon. |
2015-09-17 | ADDON-5613 | The add-on defines event types as cisco:* which impacts other Cisco technologies that this add-on does not cover. |
2015-09-15 | ADDON-5257 | Zone information does not go to standardized field names. |
2015-09-09 | ADDON-5304 | VPN events do not have network tag. |
2015-07-21 | ADDON-4457 | Regex to extract dest ip fails if there is a . in the interface name. |
Known issues
Version 3.2.4 of the Splunk Add-on for Cisco ASA has the following known issues.
Date | Defect number | Description |
2014-12-17 | ADDON-2728 | Add-on does not support IPv6. |
Third-party software attributions
Version 3.2.4 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.
Version 3.2.3
Version 3.2.3 of the Splunk Add-on for Cisco ASA has the same compatibility specifications as version 3.2.4.
Fixed issues
Version 3.2.3 of the Splunk Add-on for Cisco ASA fixes the following issues.
Date | Defect number | Description |
06/17/15 | ADDON-4229 | Duplicated values in lookup cisco_asa_severity_lookup.csv result in duplicated values in severity field. |
06/17/15 | ADDON-4021 | Source types are not backwards compatible with old versions of the add-on that used "cisco_asa" or "cisco-asa". |
06/16/14 | ADDON-1107 | Bug in eventgen rule_number field. |
06/15/15 | ADDON-4225 | Field Alias src is used for both src_ip and src_ipv6. |
06/09/15 | ADDON-3916 | Extraction for field user fails for certain actions. |
Known issues
Version 3.2.3 of the Splunk Add-on for Cisco ASA has the following known issues.
Date | Defect number | Description |
2015-09-23 | ADDON-5743 | Add-on stores the signature_id number of Cisco ASA message in message_id field instead of signature_id. |
2015-09-17 | ADDON-5655 | src and dest extractions fail when interface name contains a colon. |
2015-09-17 | ADDON-5613 | The add-on defines event types as cisco:* which impacts other Cisco technologies that this add-on does not cover. |
2015-09-01 | ADDON-5304 | VPN events do not have network tag. |
2015-08-31 | ADDON-5257 | Zone information does not go to standardized field names. |
2015-07-03 | ADDON-4457 | Regex to extract dest ip fails if there is a . in the interface name. |
2014-12-17 | ADDON-2728 | Add-on does not support IPv6. |
Third-party software attributions
Version 3.2.3 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.
Version 3.2.2
Version 3.2.2 of the Splunk Add-on for Cisco ASA has the same compatibility specifications as version 3.2.3.
Fixed issues
Version 3.2.2 of the Splunk Add-on for Cisco ASA fixes the following issues.
Date | Defect number | Description |
04/13/15 | ADDON-3649 | XML file names do not match pre-built panel titles. |
04/10/15 | ADDON-3357 | Duration field extraction too narrow. |
03/16/15 | ADDON-3327 | Typo in eventtypes.conf causes searches to fail. |
03/11/15 | ADDON-3357 | Transposed src and dest directions. |
Known issues
Version 3.2.2 of the Splunk Add-on for Cisco ASA has the following known issues.
Date | Defect number | Description |
05/18/15 | ADDON-4021 | Source types are not backwards compatible with old versions of the add-on that used "cisco_asa" or "cisco-asa". |
05/04/15 | ADDON-3916 | Extraction of "user" field fails. |
12/17/14 | ADDON-2728 | Add-on does not support IPv6. |
01/31/14 | ADDON-1107 | Bug in eventgen rule_number field. |
Third-party software attributions
Version 3.2.2 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.
Version 3.2.1
Version 3.2.1 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.2.
Fixed issues
Version 3.2.1 of the Splunk Add-on for Cisco ASA fixed the following issues.
Date | Defect number | Description |
02/04/15 | ADDON-3067 | Field "action" looked up by cisco_asa_change_analysis_lookup overrides action from cisco_action_lookup. |
02/04/15 | ADDON-3142 | Field "action" contains some duplicated values. |
Known issues
Version 3.2.1 of the Splunk Add-on for Cisco ASA had no reported known issues.
Third-party software attributions
Version 3.2.1 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.
Version 3.2.0
Version 3.2.0 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.2.
New features
Version 3.2.0 of the Splunk Add-on for Cisco ASA included the following new features.
Date | Ticket number | Description |
01/06/15 | ADDON-1083 | Support for additional fields of the Change Analysis CIM data model. |
12/10/14 | ADDON-2230 | Support for VPN events. |
11/18/14 | ADDON-2284 | Support for Web events. |
Fixed issues
Version 3.2.0 of the Splunk Add-on for Cisco ASA fixed the following issues.
Date | Defect number | Description |
12/09/14 | ADDON-1888 | Reversed src and dest when direction is outbound. |
11/19/14 | ADDON-2343 | Remove right bracket from acl results. |
11/16/14 | ADDON-1507 | Regex change needed for rule_number field. |
11/14/14 | ADDON-2155 | Field extraction should avoid variable keys wherever possible. |
10/16/14 | ADDON-2165 | Incorrect setting of app field. |
Known issues
Version 3.2.0 of the Splunk Add-on for Cisco ASA had the following known issue.
Date | Defect number | Description |
01/23/15 | ADDON-3067 | Field "action" looked up by cisco_asa_change_analysis_lookup overrides action from cisco_action_lookup. |
Third-party software attributions
Version 3.2.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.
Version 3.1.0
Version 3.1.0 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.1.
New features
Version 3.1.0 of the Splunk Add-on for Cisco ASA includes the following new features:
- Pre-built panels. (ADDON-1638)
- Support for version 9.2 of ASA (ADDON-1146)
Fixed issues
Version 3.1.0 of the Splunk Add-on for Cisco ASA fixes the following issues:
- ASA teardown events prevent accurate analysis of network traffic. (ADDON-1258)
- Typo of aaa_cisco_tunnelgroup for cisco_asa_tunnelgroup in props.conf and mismatch with transforms.conf (ADDON-1498)
- Field extraction fails for field 'signature_id'. (ADDON-1501)
- Regex fails to extract the field "acl" for sourcetype="cisco:fwsm" (ADDON-1508) or for sourcetype="cisco:pix". (ADDON-1500).
- Incorrect regex for field 'icmp_type'. (ADDON-1510)
- Regex incorrect for the field "group_policy". (ADDON-1512)
- Non-functional lookup file cisco_vendor_info_lookups.csv. Resolved by implementing same functionality with static fields via EVALs in props.conf. (ADDON-1514)
- Some REPORT definitions not read into Splunk Enterprise. (ADDON-1515)
- Transposed mappings to CIM for src and dest related fields. (ADDON-1888)
- Search fails with fields src_id, fw_user. (ADDON-1976)
- Incorrect field extraction for icml_type. (ADDON-1978)
- The fields dest_translated_ip and dest_translated_port not extracted via regex. (ADDON-1979)
- The assigned_ip field not extracted via regex. (ADDON-1980)
- The group field not extracted via regex. (ADDON-1981)
- The dest_domain field not extracted for Cisco ASA version 9.2. (ADDON-2031)
Known issues
Version 3.1.0 of the Splunk Add-on for Cisco ASA has the following known issues:
- In multi-router installations, two different timestamps appear in Cisco ASA data, and the second one (after the IP address) is the correct one. (ADDON-1543)
Third-party software attributions
Version 3.1.0 of the Splunk Add-on for Cisco ASA did not incorporate any third-party software or libraries.
Version 3.0.1
Version 3.0.1 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.0.
New features
Version 3.0.1 of the Splunk Add-on for Cisco ASA included the following new features:
- Vendor Class support (ADDON-1087)
- VPN data populates in the Network Sessions CIM data model (ADDON-1082)
Fixed issues
Version 3.0.1 of the Splunk Add-on for Cisco ASA fixed the following issues:
- Eventgen host incorrectly set to localhost (ADDON-1105)
- Eventgen sample includes quotes around event (ADDON-1106)
- Add-on does not recognize "session-" in certain log outputs (ADDON-1223)
Known issues
Version 3.0.1 of the Splunk Add-on for Cisco ASA had the following known issues:
- ASA teardown events prevent accurate analysis of network traffic. (ADDON-1258)
- Typo of aaa_cisco_tunnelgroup for cisco_asa_tunnelgroup in props.conf and mismatch with transforms.conf (ADDON-1498)
- Field extraction fails for field 'signature_id'. (ADDON-1501)
- Regex fails to extract the field "acl" for sourcetype="cisco:fwsm" (ADDON-1508) or for sourcetype="cisco:pix". (ADDON-1500)
- Incorrect regex for the field "icmp_type". (ADDON-1510)
- Regex incorrect for the field "group_policy". (ADDON-1512)
- Some REPORT definitions not read into Splunk Enterprise. (ADDON-1515)
- In multi-router installations, two different timestamps appear in Cisco ASA data, and the second one (after the IP address) is the correct one. (ADDON-1593)
- Transposed mappings to CIM for src and dest related fields. (ADDON-1888)
Third-party software attributions
Version 3.0.1 of the Splunk Add-on for Cisco ASA did not incorporate any third-party software or libraries.