Firegen for Cisco ASA Splunk App
The app provides dashboards with traffic, denial and management information for Cisco ASA, PIX and FWSM firewalls. It is a foundation for the development of a variety of alarms and reports. Feedback on the app is encouraged and support will be provided as needed.
1. Splunk Add-on for Cisco ASA, which creates the required sourcetypes and log parsing configuration. The Firegen app was created using version 3.3 of the add-on.
2. Cisco ASA/PIX/FWSM logs collected through a syslog server and imported into Splunk, or received directly via the Syslog UDP/TCP inputs. After installation, a setup screen asks for the Splunk index that holds the Cisco ASA logs.
The Cisco ASA traffic data poses certain challenges from an analysis perspective: the direction of the traffic, the TCP/IP protocol and the bytes transferred are recorded across two distinct syslog message types, and these two messages must be correlated to obtain the correct data. This process is resource intensive in Splunk because it requires joins between searches, so one must choose between accuracy and reporting performance. We consider that accuracy comes first, so performance may suffer for certain reports.
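To illustrate the correlation described above outside Splunk, the following is an added example (not code from the Firegen app or from the Splunk add-on). It pairs the ASA "Built" connection message, which carries the direction and protocol, with the matching "Teardown" message, which carries the byte count and duration, joining them on protocol and connection ID. The syslog lines are constructed samples; the message IDs 302013/302014 (TCP) and 302015/302016 (UDP) are the standard ASA connection events. The example also keeps teardowns whose build message is missing (for instance because it fell outside the search window) as a separate list, which is exactly the accuracy gap a join-based report has to account for.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not taken from the page).
# 302013/302014 = Built/Teardown TCP connection, 302015/302016 = Built/Teardown UDP connection.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "%ASA-6-302013: Built outbound TCP connection 1002 for inside:10.0.0.9/40000 (10.0.0.9/40000) to outside:198.51.100.3/80 (198.51.100.3/80)",
    "%ASA-6-302015: Built inbound UDP connection 1003 for outside:203.0.113.9/53000 (203.0.113.9/53000) to inside:10.0.0.53/53 (10.0.0.53/53)",
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.7/51234 to inside:10.0.0.5/443 duration 0:00:05 bytes 8421 TCP FINs",
    "%ASA-6-302016: Teardown UDP connection 1003 for outside:203.0.113.9/53000 to inside:10.0.0.53/53 duration 0:00:02 bytes 530",
    "%ASA-6-302014: Teardown TCP connection 1002 for inside:10.0.0.9/40000 to outside:198.51.100.3/80 duration 0:01:12 bytes 120077 TCP Reset-O",
    # Teardown whose Built message is missing (e.g. it fell outside the search window)
    "%ASA-6-302014: Teardown TCP connection 777 for outside:192.0.2.1/1111 to inside:10.0.0.5/22 duration 0:00:01 bytes 0 SYN Timeout",
]

# "Built" carries direction and protocol but no byte count.
BUILT_RE = re.compile(
    r"%ASA-\d-30201[35]: Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<conn_id>\d+) for (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"\S+ to (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# "Teardown" carries bytes and duration but no direction.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-30201[46]: Teardown (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for "
    r"[^:\s]+:[\d.]+/\d+ to [^:\s]+:[\d.]+/\d+ duration (?P<duration>\d+:\d+:\d+) "
    r"bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)


def duration_seconds(hms):
    """Convert the ASA 'h:mm:ss' duration field to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def correlate(lines):
    """Join Built and Teardown events on (protocol, connection id).

    Returns (completed, orphan_teardowns, still_open). The ASA reuses connection
    IDs over time, so on real data the key should also include a time window
    or the full 5-tuple; the sample here is small enough for the id alone.
    """
    pending = {}      # (proto, conn_id) -> parsed Built fields
    completed = []    # fully correlated connections
    orphans = []      # Teardown lines with no matching Built
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            pending[(m["proto"], m["conn_id"])] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if not m:
            continue  # not a connection event; ignore
        key = (m["proto"], m["conn_id"])
        built = pending.pop(key, None)
        if built is None:
            orphans.append(line)
            continue
        completed.append({
            "conn_id": key[1],
            "proto": built["proto"],
            "direction": built["direction"],
            "src": f'{built["src"]}:{built["sport"]}',
            "dst": f'{built["dst"]}:{built["dport"]}',
            "bytes": int(m["bytes"]),
            "duration_s": duration_seconds(m["duration"]),
            "reason": m["reason"] or "",
        })
    return completed, orphans, list(pending.values())


def bytes_by_direction(completed):
    """Aggregate transferred bytes per traffic direction, as a dashboard would."""
    totals = defaultdict(int)
    for rec in completed:
        totals[rec["direction"]] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    done, missing, open_conns = correlate(SAMPLE_LOGS)
    for rec in done:
        print(rec)
    print("bytes by direction:", bytes_by_direction(done))
    print("teardowns without a Built message:", len(missing))
    print("connections still open:", len(open_conns))
```

The orphan list is the part to watch: a byte report built only from Teardown messages counts the bytes but cannot assign a direction, while a report built only from Built messages knows the direction but not the bytes, which is why the join is needed and why every teardown that cannot be paired is a small accuracy loss in the totals.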
We are using our experience from the Firegen Log Analyzers to extract as much information as possible from the logs recorded by the firewalls. The intelligence that can be obtained from a single set of logs is limited; integration with other log sources, including threat intelligence feeds, endpoint protection logs and file integrity monitoring, is recommended in order to obtain a broader view of potential indicators of compromise. Please feel free to contact us for custom development of reports and use cases specific to your environment.