
cisco_asa_cleanup pack is not working for me, not sure how to make it work, need help in utilizing it. Sample logs:

Oct 1 03:23:58 asa_server_ip %ASA-6-302014: Teardown TCP connection 39876417 for VTI-Murex-abc:xx.xx.xx.xx/443 to inside:xx.xx.xx.xx/44714 duration 0:00:00 bytes 9514 TCP FINs from inside 0 0
Oct 2 06:51:58 asa_server_ip %ASA-6-302013: Built inbound TCP connection 39876427 for VTI-Murex-abc:xx.xx.xx.xx/34664 (x.x.x.x/34664) to inside:xx.xx.xx.xx/443 (x.x.x.x/443) -1 -1

Oct 3 04:54:58 xx.xx.xx.xx %ASA-6-302013: Built outbound TCP connection 39876426 for VTI-Murex-abc:x.x.x.x/443 (xx.xx.xx.xx443) to inside:x.x.x.x./14326 (xx.xxx.xx.xx/14326) 1 5

Oct 5 01:54:58 xx.xx.xx.xx %ASA-6-302020: Built inbound ICMP connection for faddr xx.xx.xx.xx/54615 gaddr x.x.x.x/0 laddr x.xx.x.xx/0 type 8 code 0 Internal-Data0/-1:RX[-1]

Oct 15 07:54:58 xx.xx.xx.xx%ASA-6-106015: Deny TCP (no connection) from x.x.x.x/38492 to xxx.xx.xx.x/6425 flags ACK  on interface VTI-Murex-abc


What type of problem are you encountering? What is your destination?


Destination is Splunk, the problem is that it is not extracting any of the fields.


I’ve checked the Pack that Jon wrote and I think it’s the intended way to do things. I can’t see any function that does the parsing (from _raw to the full comprehensive list of fields that compose the _raw). If you need to do that, just add one parser function on the pipeline.


@Angelo Michele Pizzi how to achieve parsing (from _raw to the full comprehensive list of fields that compose the _raw).


Click on the Pack, then on Pipelines. From there you should see a pipeline called cisco_asa_cleanup. Since it’s not structured data you should use a Regex Extract function with capture groups. Using the Parser function is not a good idea in this case, for the same reason.
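As an added example (not code from the cisco_asa_cleanup pack or from anyone in this thread), here is what "Regex Extract with capture groups" amounts to for the four message IDs in the sample logs: one header regex plus one named-capture-group regex per message ID, applied to _raw. The field names are assumptions, and the sample lines are the ones pasted in the question; the third line has a malformed mapped address as posted, so it gets only header fields, which is exactly what a non-matching Regex Extract leaves behind.

```javascript
// Added example, not the cisco_asa_cleanup pack's own code. Field names are
// assumptions; the regexes use named capture groups, which is what a Cribl
// Regex Extract function applies to _raw.
const ASA_HEADER =
  /^(?<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?<host>\S+)\s*%ASA-(?<severity>\d)-(?<message_id>\d{6}): (?<message>.*)$/;

// One body pattern per message ID present in the sample logs.
const MESSAGE_PATTERNS = {
  // Built inbound/outbound TCP connection
  "302013": /^Built (?<direction>inbound|outbound) TCP connection (?<conn_id>\d+) for (?<src_interface>[^:]+):(?<src_ip>[^\/]+)\/(?<src_port>\d+) \((?<src_mapped_ip>[^\/]+)\/(?<src_mapped_port>\d+)\) to (?<dst_interface>[^:]+):(?<dst_ip>[^\/]+)\/(?<dst_port>\d+) \((?<dst_mapped_ip>[^\/]+)\/(?<dst_mapped_port>\d+)\)/,
  // Teardown TCP connection; the trailing "0 0" counters are not captured
  "302014": /^Teardown TCP connection (?<conn_id>\d+) for (?<src_interface>[^:]+):(?<src_ip>[^\/]+)\/(?<src_port>\d+) to (?<dst_interface>[^:]+):(?<dst_ip>[^\/]+)\/(?<dst_port>\d+) duration (?<duration>\S+) bytes (?<bytes>\d+) (?<teardown_reason>.+?)(?: \d+ \d+)?$/,
  // Built ICMP connection
  "302020": /^Built (?<direction>inbound|outbound) ICMP connection for faddr (?<faddr>[^\/]+)\/(?<faddr_id>\d+) gaddr (?<gaddr>[^\/]+)\/(?<gaddr_id>\d+) laddr (?<laddr>[^\/]+)\/(?<laddr_id>\d+) type (?<icmp_type>\d+) code (?<icmp_code>\d+)/,
  // Deny <proto> (no connection)
  "106015": /^Deny (?<protocol>\w+) \(no connection\) from (?<src_ip>[^\/]+)\/(?<src_port>\d+) to (?<dst_ip>[^\/]+)\/(?<dst_port>\d+) flags (?<flags>.+?)\s+on interface (?<interface>\S+)/,
};

// Returns the extracted fields for one _raw line, or null if it is not an
// ASA syslog line at all. When the body pattern does not match, only the
// header fields are returned and `parsed` is false, mirroring a Regex Extract
// that finds nothing (no error, just missing fields).
function parseAsaEvent(raw) {
  const header = ASA_HEADER.exec(raw);
  if (!header) return null;
  const fields = { ...header.groups };
  const pattern = MESSAGE_PATTERNS[fields.message_id];
  const body = pattern ? pattern.exec(fields.message) : null;
  if (body) Object.assign(fields, body.groups);
  fields.parsed = Boolean(body);
  return fields;
}

// The sample lines pasted in the question (addresses masked as posted).
const SAMPLE_LOGS = [
  "Oct 1 03:23:58 asa_server_ip %ASA-6-302014: Teardown TCP connection 39876417 for VTI-Murex-abc:xx.xx.xx.xx/443 to inside:xx.xx.xx.xx/44714 duration 0:00:00 bytes 9514 TCP FINs from inside 0 0",
  "Oct 2 06:51:58 asa_server_ip %ASA-6-302013: Built inbound TCP connection 39876427 for VTI-Murex-abc:xx.xx.xx.xx/34664 (x.x.x.x/34664) to inside:xx.xx.xx.xx/443 (x.x.x.x/443) -1 -1",
  "Oct 3 04:54:58 xx.xx.xx.xx %ASA-6-302013: Built outbound TCP connection 39876426 for VTI-Murex-abc:x.x.x.x/443 (xx.xx.xx.xx443) to inside:x.x.x.x./14326 (xx.xxx.xx.xx/14326) 1 5",
  "Oct 5 01:54:58 xx.xx.xx.xx %ASA-6-302020: Built inbound ICMP connection for faddr xx.xx.xx.xx/54615 gaddr x.x.x.x/0 laddr x.xx.x.xx/0 type 8 code 0 Internal-Data0/-1:RX[-1]",
  "Oct 15 07:54:58 xx.xx.xx.xx%ASA-6-106015: Deny TCP (no connection) from x.x.x.x/38492 to xxx.xx.xx.x/6425 flags ACK  on interface VTI-Murex-abc",
];

for (const line of SAMPLE_LOGS) console.log(parseAsaEvent(line));
```

Each body regex above would become its own Regex Extract function (or one function with several regex entries) filtered on `message_id`, and fields that do not match simply stay absent.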