Cisco syslog and double timestamp

Hello, all. I have a new question. What we have:

1. Main Splunk server
2. Installed Cisco Security Suite and Splunk Add-on for Cisco ASA
3. Configured data inputs from Cisco on UDP (created this via browser). Set index and sourcetype cisco:asa
4. Two Cisco ASAs for data sample

And after, when I collected some data, I found one trouble. For example, 2 strings:

From first Cisco:

Sep 11 17:25:45 xxx.xxx.xxx.xxx Sep 11 2017 17:25:46: %ASA-3-713902: Group = yyy.yyy.yyy.yyy, IP = yyy.yyy.yyy.yyy, Removing peer from correlator table failed, no match!

And from second:

Sep 11 17:27:00 yyy.yyy.yyy.yyy %ASA-3-710003: TCP access denied by ACL from xxx.xxx.xxx.xxx/54483 to INT-WAN2:xxx.xxx.xxx.xxx/22

And as you can see, on the first Cisco I have a double timestamp, but on the second Cisco all is good. I dumped traffic to Splunk and all Ciscos send correct, identical data to my UDP. How can I fix it? Thanks!
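The two lines in the question differ only in whether an inner "Sep 11 2017 17:25:46: " field sits between the syslog header and the %ASA message id; that is the form the ASA emits when its own timestamping is switched on, so one device has it and the other does not. The parser below is an added example, not part of the original post and not code from Splunk or the Cisco add-on. It handles both shapes, returns the syslog timestamp, host, optional device timestamp, severity, message id and body, computes the skew between the two stamps when both exist, and offers a normalizer that strips the inner stamp so events from both firewalls share one layout. The sample lines are the two quoted in the question, with the masked IPs kept as written; the year applied to the year-less syslog header is taken from the device stamp when present and otherwise from a `default_year` argument, which is an assumption of this example.

```python
import re
from datetime import datetime

# Constructed samples: the two lines quoted in the question, IPs masked as in the post.
SAMPLE_LINES = [
    "Sep 11 17:25:45 xxx.xxx.xxx.xxx Sep 11 2017 17:25:46: %ASA-3-713902: "
    "Group = yyy.yyy.yyy.yyy, IP = yyy.yyy.yyy.yyy, Removing peer from correlator table failed, no match!",
    "Sep 11 17:27:00 yyy.yyy.yyy.yyy %ASA-3-710003: "
    "TCP access denied by ACL from xxx.xxx.xxx.xxx/54483 to INT-WAN2:xxx.xxx.xxx.xxx/22",
]

# Outer header written by the syslog sender: "MMM dd HH:mm:ss host " (no year).
SYSLOG_HDR = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)
# Optional inner stamp the ASA prepends to the message: "MMM dd yyyy HH:mm:ss: ".
DEVICE_TS = re.compile(
    r"^(?P<device_ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
)
# ASA message id: %ASA-<severity>-<six-digit id>:
MSG_ID = re.compile(r"^%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): ")


def parse_asa_line(line, default_year=2017):
    """Parse one syslog line from an ASA, with or without the inner device timestamp."""
    hdr = SYSLOG_HDR.match(line)
    if not hdr:
        raise ValueError(f"not a syslog line: {line!r}")
    rest = line[hdr.end():]

    device_ts = None
    dev = DEVICE_TS.match(rest)
    if dev:
        device_ts = datetime.strptime(dev.group("device_ts"), "%b %d %Y %H:%M:%S")
        rest = rest[dev.end():]

    mid = MSG_ID.match(rest)
    if not mid:
        raise ValueError(f"no %ASA message id in: {line!r}")

    # The syslog header carries no year (assumption: use the device stamp's year when present).
    year = device_ts.year if device_ts else default_year
    syslog_ts = datetime.strptime(f"{hdr.group('syslog_ts')} {year}", "%b %d %H:%M:%S %Y")

    return {
        "syslog_ts": syslog_ts,
        "host": hdr.group("host"),
        "device_ts": device_ts,
        # Positive skew means the device clock is ahead of the collector's header time.
        "skew_seconds": int((device_ts - syslog_ts).total_seconds()) if device_ts else None,
        "severity": int(mid.group("severity")),
        "msg_id": mid.group("msg_id"),
        "body": rest[mid.end():],
    }


def strip_device_timestamp(line):
    """Return the line with the inner ASA timestamp removed, so both firewalls look alike."""
    hdr = SYSLOG_HDR.match(line)
    if not hdr:
        return line
    rest = line[hdr.end():]
    dev = DEVICE_TS.match(rest)
    return line if not dev else line[:hdr.end()] + rest[dev.end():]


def normalize_lines(lines):
    """Normalize a batch of lines to the single-timestamp layout."""
    return [strip_device_timestamp(l) for l in lines]


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_asa_line(raw)
        print(ev["host"], ev["msg_id"], "device_ts=", ev["device_ts"], "skew=", ev["skew_seconds"])
        print("normalized:", strip_device_timestamp(raw))
```

Running this on the two quoted lines reports a one-second skew between the collector's header time and the first firewall's own clock, and no inner stamp at all for the second firewall, which is exactly the asymmetry the question describes. The same substitution that `strip_device_timestamp` performs can be applied at index time in Splunk with a SEDCMD in props.conf for the cisco:asa sourcetype if the device configurations cannot be aligned; keeping the inner stamp, on the other hand, is the only way to notice clock drift between the firewall and the collector, so decide which field Splunk should treat as the event time before discarding either.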
