From f066cd1367866297c91506151bda1a59c397c40e Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Mon, 18 May 2020 17:15:26 -0400
Subject: [PATCH] Support cisco firepower unified logs
---
 docs/sources/Cisco/index.md | 9 ++++--
 .../conf.d/log_paths/lp-cisco_asa.conf.tmpl | 28 +++++++++++++----
 tests/test_cisco_asa.py | 30 +++++++++++++++++++
 3 files changed, 58 insertions(+), 9 deletions(-)
diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md
index 9fccf8d..fd58a34 100644
--- a/docs/sources/Cisco/index.md
+++ b/docs/sources/Cisco/index.md
@@ -95,13 +95,14 @@ Use the following search to validate events are present
 index= sourcetype=cisco:apic:*
 ```
-Verify timestamp, and host values match as expected
+Verify timestamp, and host values match as expected
 ## Product - ASA AND FTD (Firepower)
 | Ref | Link |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on | https://splunkbase.splunk.com/app/1620/ |
+| Splunk Add-on for ASA | https://splunkbase.splunk.com/app/1620/ |
+| Cisco eStreamer for Splunk | https://splunkbase.splunk.com/app/1629/ |
 | Product Manual | https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_syslog.html |
@@ -109,13 +110,15 @@ Verify timestamp, and host values match as expected
 | sourcetype | notes |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| cisco:asa | cisco FTD Firepower will also use this source type |
+| cisco:asa | cisco FTD Firepower will also use this source type except those noted below |
+| cisco:firepower:syslog | FTD Unified events see https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide.pdf |
 ### Sourcetype and Index Configuration
 | key | sourcetype | index | notes |
 |----------------|----------------|----------------|----------------|
 | cisco_asa | cisco:asa | netfw | none |
+| cisco_ftd | cisco:firepower:syslog | netfw | none |
 ### Filter type
diff --git a/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl
index 76c8a8b..b60f1d6 100644
--- a/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_asa.conf.tmpl
@@ -21,13 +21,29 @@ log {
 };
 };
- rewrite {
- set("cisco_asa", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("cisco:asa"), index("netfw"))
+ if {
+ filter {
+ message('^%FTD-\d+-43000\d: ') or
+ match('^%FTD-\d+-43000\d:', value("LEGACY_MSGHDR"));
+ };
+ rewrite {
+ set("cisco_ftd", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("cisco:firepower:syslog"), index("netfw"))
+ };
+ parser {p_add_context_splunk(key("cisco_ftd")); };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+
+ } else {
+ rewrite {
+ set("cisco_asa", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("cisco:asa"), index("netfw"))
+ };
+ parser {p_add_context_splunk(key("cisco_asa")); };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+ };
- parser {p_add_context_splunk(key("cisco_asa")); };
- parser (compliance_meta_by_source);
- rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CISCO_ASA_HEC" "no")) }}
 destination(d_hec);
diff --git a/tests/test_cisco_asa.py b/tests/test_cisco_asa.py
index 77a934f..6657876 100644
--- a/tests/test_cisco_asa.py
+++ b/tests/test_cisco_asa.py
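Review bot: The tail of each branch — `parser (compliance_meta_by_source);` and the `rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };` line, with only the `p_add_context_splunk` key differing — is duplicated verbatim across the `if` and `else` arms, so a later fix applied to one arm can silently miss the other. Since only the vendor_product/sourcetype `rewrite` and the context key actually differ, move `parser (compliance_meta_by_source);` and the final `rewrite { ... value("MSG")); };` to just after the closing `};` of the if/else so they run once for both paths. The two regexes also differ only by the trailing space (`'^%FTD-\d+-43000\d: '` in `message()` vs `'^%FTD-\d+-43000\d:'` in `match()`); using one pattern in both alternatives avoids the case where `message()` rejects an ID followed by anything other than a single space while the header form accepts it. `43000\d` admits ten message IDs, so a comment such as `# %FTD-x-43000n Firepower unified events (see Cisco FTD syslog guide) get their own sourcetype` would record which IDs are intended and why they leave cisco:asa. The enclosing `log { ... }` block starts before and ends after this hunk.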
@@ -100,3 +100,33 @@ def test_cisco_asa_rfc5424(record_property, setup_wordlist, setup_splunk, setup_
 record_property("message", message)
 assert resultCount == 1
+
+#<118>2020-02-04T11:00:54Z %FTD-6-430003: DeviceUUID: 90e14378-2081-11e8-a7fa-d34972ba379f, AccessControlRuleAction: Allow, SrcIP: 75.150.94.75, DstIP: 172.30.0.2, SrcPort: 59698, DstPort: 8027, Protocol: tcp, IngressInterface: Outside2, EgressInterface: DMZ, IngressZone: Outside, EgressZone: DMZ, ACPolicy: Rapid7 5525X, AccessControlRuleName: Allow MDM - Out to DMZ, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, ConnectionDuration: 600, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 31, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity
+def test_cisco_ftd(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+# Get UTC-based 'dt' time structure
+ dt = datetime.datetime.now(datetime.timezone.utc)
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions
+ # iso from included timeutils is from local timezone; need to keep iso as UTC
+ iso = dt.isoformat()[0:19]
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ mark }} {{ iso }}Z {{ host }} : %FTD-6-430003: DeviceUUID: 90e14378-2081-11e8-a7fa-d34972ba379f, AccessControlRuleAction: Allow, SrcIP: 75.150.94.75, DstIP: 172.30.0.2, SrcPort: 59698, DstPort: 8027, Protocol: tcp, IngressInterface: Outside2, EgressInterface: DMZ, IngressZone: Outside, EgressZone: DMZ, ACPolicy: Rapid7 5525X, AccessControlRuleName: Allow MDM - Out to DMZ, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, ConnectionDuration: 600, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 31, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity\n")
+ message = mt.render(mark="<166>", iso=iso, epoch=epoch, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"cisco:firepower:syslog\"")
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
\ No newline at end of file
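Review bot: `test_cisco_ftd` sends a single message in which the `%FTD-6-430003:` token sits in the message body after ` : `, so it appears to exercise only the `message()` alternative of the new filter; the `LEGACY_MSGHDR` alternative (presumably for events where the ID is parsed into the legacy header rather than MESSAGE) has no coverage, so a regression there would still pass. A second case sending the same event in a BSD shape such as `<166>{{ bsd }} {{ host }} %FTD-6-430003: ...` (the fixture already computes `bsd` from `time_operations`) and asserting `sourcetype="cisco:firepower:syslog"` would close that gap. The fixture also carries what looks like production data — a non-RFC1918 source address `75.150.94.75`, a `DeviceUUID` and a named policy — in both the comment and the template; replacing them with RFC 5737 documentation addresses (for example `192.0.2.10`) and a synthetic UUID keeps real topology out of the repository. Separately, `epoch = epoch[:-7]` is unexplained and the `# Get UTC-based 'dt' time structure` comment sits at column 0 inside the function; a one-line why-comment on the slice (it seems to drop fractional seconds so `_time={{ epoch }}` matches), indenting that comment, and restoring the trailing newline would tidy the hunk.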