From 8c13eab92f9eacffcc265fc6935c157ba53ef94f Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Tue, 31 Mar 2020 12:05:47 -0400
Subject: [PATCH] Support cisco FTD as Cisco ASA

---
 docs/sources/Cisco/index.md | 4 ++--
 package/etc/conf.d/filters/cisco/asa.conf | 7 +++++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md
index ae72697..bec8942 100644
--- a/docs/sources/Cisco/index.md
+++ b/docs/sources/Cisco/index.md
@@ -97,7 +97,7 @@ index= sourcetype=cisco:apic:*
 Verify timestamp, and host values match as expected
-## Product - ASA (Pre Firepower)
+## Product - ASA AND FTD (Firepower)
 | Ref | Link |
 |----------------|---------------------------------------------------------------------------------------------------------|
@@ -109,7 +109,7 @@ Verify timestamp, and host values match as expected
 | sourcetype | notes |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| cisco:asa | None |
+| cisco:asa | cisco FTD Firepower will also use this source type |
 | cisco:pix | Not supported |
 | cisco:fwsm | Not supported |
diff --git a/package/etc/conf.d/filters/cisco/asa.conf b/package/etc/conf.d/filters/cisco/asa.conf
index a7ac9b7..cda9eed 100644
--- a/package/etc/conf.d/filters/cisco/asa.conf
+++ b/package/etc/conf.d/filters/cisco/asa.conf
@@ -1,8 +1,11 @@
 filter f_cisco_asa {
 message('^%ASA-\d+-\d{1,10}: ') or
- match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
+ match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR")) or
+ message('^%FTD-\d+-\d{1,10}: ') or
+ match('^%FTD-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
 };
 filter f_cisco_asa_nohost {
- match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
+ match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"))
+ or match('^%FTD-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
 };
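Review bot: The FTD prefix is added as a second copy of each ASA pattern in both filters of asa.conf, and the two filters now phrase the same alternation differently (trailing `or` in f_cisco_asa, leading `or` in f_cisco_asa_nohost), which is easy to let drift apart the next time a prefix is added. Since both devices are meant to be classified as cisco:asa, one anchored alternation per place, `^%(ASA|FTD)-\d+-\d{1,10}:` (with the trailing-space variant in the message() check), keeps the two filters in lockstep and halves the regexes to maintain. The `^` anchor is kept in every added pattern, so the change does not widen what is routed as ASA beyond the FTD prefix, which is the right scope for a classification filter. If the project carries sample-event tests for cisco:asa, an FTD-prefixed sample would confirm the filter matches before any field parsing downstream of this filter, which is outside this patch, sees the new messages.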