Release history for the Splunk Add-on for Cisco ASA

The latest version of the Splunk Add-on for Cisco ASA is version 5.2.0. See Release notes for the Splunk Add-on for Cisco ASA for release notes of this latest version.

Version 5.1.0

Version 5.1.0 of the Splunk Add-on for Cisco ASA was released on July 14, 2022.

Compatibility

Version 5.1.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.1, 8.2
CIM 4.20.2
Supported OS for data collection OS independent
Vendor products Cisco ASA v9.12, v9.13, v9.16
Supported Cisco ASA event message_ids 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 110003, 111001, 111004, 111008, 111009, 111010, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 302021, 303002, 304001, 305009, 305010, 305011, 305012, 305013, 313001, 313004, 313005, 313009, 338002, 338301, 338302, 400013, 400032, 405001, 419002, 419003, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 505004, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 602303, 602304, 605005, 609001, 609002, 611101, 710002, 710003, 710005, 711004, 713041, 713049, 713075, 713119, 713120, 713130, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713903, 713905, 713906, 715001, 715009, 715038, 715046, 715065, 715076, 715080, 716001, 716002, 716038, 716039, 716058, 716059, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722037, 722041, 722051, 722055, 725003, 725007, 725008, 725010, 725011, 725014, 725017, 733100, 734001, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 771002

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New or changed features

The Splunk Add-on for Cisco ASA 5.1.0 introduces the following field changes.

Source-type message_id Fields added Fields removed
['cisco:asa'] 602303, 717022, 109031, 106007, 611101, 717027, 113004, 722022, 313001, 505009, 710003, 722028, 113012, 400032, 302014, 722031, 716047, 713185, 302020, 313005, 106014, 302015, 502102, 110003, 716059, 716039, 106017, 717029, 111010, 109025, 303002, 313009, 305011, 772003, 502111, 722051, 106023, 722030, 500003, 106006, 716002, 502112, 106015, 716001, 772002, 505004, 722029, 716058, 106021, 110002, 505015, 400013, 106100, 717028, 722033, 106016, 717009, 722023, 751025, 419003, 605005, 713198, 713228, 302013, 405001, 502103, 338002, 710002, 725003, 113008, 419002, 710005, 725007, 722037, 713167, 106020, 106012, 502101, 113019, 716038, 722034, 717037, 106103, 713166, 313004, 602304, 113005, 605004, 106001, 338301, 113039
['cisco:asa'] 111001 status, change_type, action, tag::eventtype, change_description, command, eventtype, result, object, dest, object_type, tag, object_id, object_category, Cisco_ASA_action device, src_host
['cisco:asa'] 111004 status, action, tag::eventtype, command, eventtype, result, object, dest, tag, object_category, Cisco_ASA_action src_host
['cisco:asa'] 111009 status, change_type, tag::eventtype, change_description, eventtype, result, object, dest, object_type, tag, object_category Cisco_ASA_vendor_action, vendor_action
['cisco:asa'] 113021
['cisco:asa'] 302021, 305012, 305013 tag, eventtype, tag::eventtype
['cisco:asa'] 609002, 609001 zone, src_ip, tag::eventtype, eventtype, dest, tag, communication_protocol, dest_ip IP, zone_name, ip_address
['cisco:asa'] 771002 status, change_type, action, tag::eventtype, change_description, command, object_attrs, result, eventtype, object, dest, object_type, tag, object_id, object_category, Cisco_ASA_action after_time, src_ip, before_time
['cisco:asa'] 772004

Fixed issues

Version 5.1.0 of the Splunk Add-on for Cisco ASA fixes the following issues:

Known issues

Version 5.1.0 of the Splunk Add-on for Cisco ASA has the following known issues:

Third-party software attributions

Version 5.1.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 5.0.0

Version 5.0.0 of the Splunk Add-on for Cisco ASA was released on April 29, 2022.

Compatibility

Version 5.0.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.1, 8.2
CIM 4.20.2
Supported OS for data collection OS independent
Vendor products Cisco ASA v9.12, v9.13, v9.16
Supported Cisco ASA event message_ids 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 110003, 111001, 111004, 111008, 111009, 111010, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 303002, 304001, 305009, 305010, 305011, 313001, 313004, 313005, 313009, 338301, 338302, 400013, 400032, 405001, 419002, 419003, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 505004, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 602303, 602304, 605005, 609001, 609002, 611101, 710002, 710003, 710005, 711004, 713041, 713049, 713075, 713119, 713120, 713130, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713903, 713905, 713906, 715001, 715009, 715038, 715046, 715065, 715076, 715080, 716001, 716002, 716038, 716039, 716058, 716059, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722037, 722041, 722051, 722055, 725003, 725007, 725008, 725010, 725011, 725014, 725017, 733100, 734001, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 338002, 111008, 111010, 302013, 302020, 302021, 609001, 609002

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New or changed features

Version 5.0.0 supports IPv6 events. If Cisco ASA and Splunk are connected to each other using an IPv6 address, you must enable Splunk to receive events sourced from an IPv6 peer. To configure Splunk Enterprise to listen on an IPv6 network, see https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/ConfigureSplunkforIPv6

Event type changes

Authentication Data model mapping has been added from the event type cisco_authentication_privileged.

message_id changes

For the message_ids, CIM data models/dataset mappings have changed as follows:

message_id Old Data Model/Data Set New Data Model/Data Set
111010,502101,502102,502103,502111,502112,505004,505009,505015 Change:Auditing_Changes Change:All_Changes

Field changes

The Splunk Add-on for Cisco ASA 5.0.0 introduces the following field changes.

Source-type message_id Fields added Fields removed
['cisco:asa'] 106012 app
['cisco:asa'] 109031 eventtype, tag::eventtype, Cisco_ASA_action, dest, tag, Username, reason, user, action, Cisco_ASA_user
['cisco:asa'] 110003 vendor_severity, severity
['cisco:asa'] 113021 eventtype, tag::eventtype, Cisco_ASA_action, dest, tag, Username, app, reason, user, action, Cisco_ASA_user
['cisco:asa'] 302020 user
['cisco:asa'] 405001 vendor_severity, severity
['cisco:asa'] 502103
['cisco:asa'] 602304
['cisco:asa'] 605004 dest_interface, eventtype, tag::eventtype, Cisco_ASA_action, src, dest_ip, communication_protocol, dest, dest_zone, tag, app, src_port, src_ip, Username, user, action, Cisco_ASA_user
['cisco:asa'] 605005 dest_port, service, Cisco_ASA_vendor_action, vendor_action
['cisco:asa'] 716047 eventtype, tag::eventtype, Cisco_ASA_action, src, communication_protocol, dest, tag, Username, app, reason, user, action, Cisco_ASA_user
['cisco:asa'] 725003 signature_id
['cisco:asa'] 725007 signature
['cisco:asa'] 772002 eventtype, tag::eventtype, Cisco_ASA_action, dest, tag, Username, app, reason, user, action, Cisco_ASA_user
['cisco:asa'] 772003 eventtype, tag::eventtype, Cisco_ASA_action, src, communication_protocol, dest, tag, Username, app, src_ip, reason, user, action, Cisco_ASA_user
['cisco:asa'] 772004 eventtype, tag::eventtype, Cisco_ASA_action, src, communication_protocol, dest, tag, Username, app, src_ip, reason, user, action, Cisco_ASA_user

Fixed issues

Version 5.0.0 of the Splunk Add-on for Cisco ASA fixes the following issues:

Known issues

Version 5.0.0 of the Splunk Add-on for Cisco ASA has the following known issues:

Third-party software attributions

Version 5.0.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 4.2.0

Version 4.2.0 of the Splunk Add-on for Cisco ASA was released on December 27, 2021.

Compatibility

Version 4.2.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.1, 8.2
CIM 4.20.2
Supported OS for data collection OS independent
Vendor products Cisco ASA v9.12, v9.13, v9.16
Supported Cisco ASA event message_ids 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 110003, 111001, 111004, 111008, 111009, 111010, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 303002, 304001, 305009, 305010, 305011, 313001, 313004, 313005, 313009, 338301, 338302, 400013, 400032, 405001, 419002, 419003, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 505004, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 602303, 602304, 605005, 609001, 609002, 611101, 710002, 710003, 710005, 711004, 713041, 713049, 713075, 713119, 713120, 713130, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713903, 713905, 713906, 715001, 715009, 715038, 715046, 715065, 715076, 715080, 716001, 716002, 716038, 716039, 716058, 716059, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722037, 722041, 722051, 722055, 725003, 725007, 725008, 725010, 725011, 725014, 725017, 733100, 734001, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 338002

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New or changed features

As of version 4.2.0 of the Splunk Add-on for Cisco ASA, the following features were added or changed:

Event type changes

The following event types have been added in version 4.2.0:

  • Change Data model mapping has been added from the event type cisco_asa_alert.
  • Change Data model mapping has been removed from event type cisco_asa_endpoint_processes.
  • Network Session Start and End Data model mapping has been removed from event type cisco_vpn_start and cisco_vpn_end.
  • Audit mapping has been removed from event type cisco_asa_audit_change.

message_id changes

For the message_ids, CIM data models/dataset mappings have changed as follows:

message_id Old Data Model/Data Set New Data Model/Data Set
111010,502101,502102,502103,502111,502112,505004,505009,505015 Change:Auditing_Changes Change:All_Changes
113019,716002,602304,722023 Network_Sessions:Session_End Network_Sessions:VPN
722033,113039,602303,716001,722034,722022 Network_Sessions:Session_Start Network_Sessions:VPN

CIM mappings have been modified to map as follows:

Event type Cisco ASA Message ID
cisco_connection 302014,302016
cisco_authentication_privileged 502103
cisco_asa_network_sessions 725003,725007
cisco_asa_audit_change 111010

Field changes

The Splunk Add-on for Cisco ASA 4.2.0 introduces the following field changes.

Message id Source-type Fields added Fields removed
106023 cisco:asa signature_id
106023 cisco:asa rule_name
110003 cisco:asa Communication_protocol
cisco:asa Src
cisco:asa Dest_ip
cisco:asa Signature_id
cisco:asa src_interface
cisco:asa src_ip
cisco:asa est_interface
cisco:asa est
cisco:asa dest_port
cisco:asa protocol
cisco:asa app
cisco:asa src_zone
cisco:asa dest_zone
111010 cisco:asa object_category
302014 cisco:asa src
cisco:asa tag
cisco:asa Cisco_ASA_action
cisco:asa dest_ip
cisco:asa duration
cisco:asa dest
cisco:asa Username
cisco:asa dest_port
cisco:asa protocol
cisco:asa user
cisco:asa Cisco_ASA_vendor_action
cisco:asa tag::eventtype
cisco:asa communication_protocol
cisco:asa duration_hour
cisco:asa vendor_action
cisco:asa transport
cisco:asa src_user
cisco:asa duration_second
cisco:asa src_nt_domain
cisco:asa action
cisco:asa src_port
cisco:asa dest_zone
cisco:asa session_id
cisco:asa reason
cisco:asa protocol_version
cisco:asa src_interface
cisco:asa duration_minute
cisco:asa bytes
cisco:asa Cisco_ASA_user
cisco:asa dest_interface
cisco:asa eventtype
cisco:asa src_zone
cisco:asa src_ip
302015 cisco:asa dest_user
cisco:asa user
cisco:asa Username
cisco:asa Cisco_ASA_user
302016 cisco:asa src
cisco:asa tag
cisco:asa Cisco_ASA_action
cisco:asa dest_ip
cisco:asa duration
cisco:asa dest
cisco:asa Username
cisco:asa dest_port
cisco:asa protocol
cisco:asa app
cisco:asa user
cisco:asa Cisco_ASA_vendor_action
cisco:asa tag::eventtype
cisco:asa communication_protocol
cisco:asa duration_hour
cisco:asa vendor_action
cisco:asa transport
cisco:asa src_user
cisco:asa duration_second
cisco:asa src_nt_domain
cisco:asa action
cisco:asa src_port
302016 cisco:asa dest_zone
cisco:asa session_id
cisco:asa protocol_version
cisco:asa src_interface
cisco:asa duration_minute
cisco:asa bytes
cisco:asa Cisco_ASA_user
cisco:asa dest_interface
cisco:asa eventtype
cisco:asa src_zone
cisco:asa src_ip
303002 cisco:asa app
305012, 305011 cisco:asa src_user
cisco:asa user
cisco:asa Username
cisco:asa Cisco_ASA_user
338301 cisco:asa transport
cisco:asa rule_name
cisco:asa rule
cisco:asa acl
405001 cisco:asa tag
cisco:asa signature_id
cisco:asa app
cisco:asa eventtype
cisco:asa type
cisco:asa tag::eventtype
502101 cisco:asa result
502102 cisco:asa result
502103 cisco:asa result
502111 cisco:asa result
502112 cisco:asa result
505001 cisco:asa result
505002 cisco:asa result
505003 cisco:asa result
505004 cisco:asa result
505005 cisco:asa result
505006 cisco:asa result
505009 cisco:asa object_attrs
cisco:asa result
505015 cisco:asa result
713166, 713167 cisco:asa app
717029 cisco:asa dest
722022 cisco:asa dest_host
cisco:asa dest
cisco:asa src
725003 cisco:asa eventtype
cisco:asa signature
cisco:asa tag
cisco:asa tag::eventtype
725007 cisco:asa eventtype
cisco:asa tag
cisco:asa tag::eventtype

Fixed issues

Version 4.2.0 of the Splunk Add-on for Cisco ASA fixes the following issues:

Known issues

Version 4.2.0 of the Splunk Add-on for Cisco ASA has the following known issues:

Third-party software attributions

Version 4.2.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 4.1.0

Version 4.1.0 of the Splunk Add-on for Cisco ASA was released on October 6, 2020.

Compatibility

Version 4.1.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.2, 7.3, 8.0, 8.1
CIM 4.17
Supported OS for data collection OS independent
Vendor products Cisco ASA v9.4, v9.12, v9.13
Supported Cisco ASA event message_ids 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302015, 302020, 303002, 304001, 305011, 313001, 313004, 313005, 313009, 338301, 338302, 400013, 400032, 419002, 419003, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 505004, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 602303, 602304, 605005, 609001, 609002, 611101, 710002, 710003, 710005, 711004, 713041, 713049, 713075, 713119, 713120, 713130, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713903, 713905, 713906, 715001, 715009, 715038, 715046, 715065, 715076, 715080, 716001, 716002, 716038, 716039, 716058, 716059, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722037, 722041, 722051, 722055, 725008, 725010, 725011, 725014, 725017, 733100, 734001, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 338002

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New or changed features

As of version 4.1.0 of the Splunk Add-on for Cisco ASA, the following features were added or changed:

Event type changes

The following event types have been added in version 4.1.0:

  • Change Data model mapping has been removed from event type cisco_asa_configuration_change.
  • Endpoint Data model mapping has been removed from event type cisco_asa_endpoint_processes and cisco_asa_endpoint_filesystem.
  • Network Resolution (DNS) mapping has been removed from event type cisco_asa_network_resolution.
  • The event type cisco_asa_audit_change has been added and maps to the Change data model.

message_id changes

For the message_ids, CIM data models mappings have changed as follows:

message_id Old Data Model New Data Model
313005 Network Intrusion, Network Traffic Network Traffic
302015 Network_Traffic, Network_Sessions Network Traffic
109025 Authentication, Network_Traffic Network_Traffic

Mappings with CIM data models have been removed for the following message_ids:

113003, 302014, 302016, 302021, 304001, 305012, 305013, 314001, 402119, 405001, 500001, 500002, 504001, 504002, 505001, 505002, 505003, 505005, 505006, 505007, 505008, 507003, 602101, 607001, 608001, 702307, 710006, 713154, 713160, 713162, 713163, 716014, 716015, 716016, 716603, 722053, 725001, 725002, 722036, 725003, 725006, 725007, 725012, 725016, 734003, 751026, 805001, 805002, 805003

CIM mappings have been modified to map as follows:

Event type Cisco ASA Message ID
cisco_vpn_start 113039,716001,722022,602303,722033,722034
cisco_vpn_end 113019, 716002, 722023, 602304
cisco_vpn 722051, 713228
cisco_intrusion 400032, 313005, 106016, 10601
cisco_connection 109025, 302013, 305011, 302015, 106023, 106015, 106012, 106100, 106103, 110002, 302020, 338301, 400013, 710003, 710005, 419002, 106021, 313005, 106001, 313001, 106007, 303002, 710002, 313009, 500003, 106006, 106014, 419003, 106020, 338002, 313004
cisco_authentication_privileged 502103
cisco_authentication 113008, 113012, 113004, 113005, 611101, 605005, 713166, 713167, 713185, 716038, 716039, 713198
cisco_asa_network_sessions 716058, 716059, 722028, 722029, 722030, 722031, 722037, 751025
cisco_asa_network_resolution 713154
cisco_asa_endpoint_processes 111010
cisco_asa_endpoint_filesystem 716015, 716014, 716016
cisco_asa_configuration_change 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505015, 113003 and all events having value for change_class
cisco_asa_certificates 717009, 717022, 717027, 717028, 717029, 717037
cisco_asa_audit_change 502102, 502101, 502103, 502111, 111010, 502112, 505015, 505004, 505009

Fixed issues

Version 4.1.0 of the Splunk Add-on for Cisco ASA fixes the following issues:

Known issues

Version 4.1.0 of the Splunk Add-on for Cisco ASA has the following known issues:

Third-party software attributions

Version 4.1.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 4.0.2

Version 4.0.2 of the Splunk Add-on for Cisco ASA was released on June 24, 2020.

Compatibility

Version 4.0.2 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.2, 7.3, 8.0
CIM 4.15
Supported OS for data collection OS independent
Vendor products Cisco ASA v9.4, v9.12, v9.13
Supported Cisco ASA event message_ids 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113003, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 302021, 303002, 304001, 305011, 305012, 305013, 313001, 313004, 313005, 313009, 314001, 338301, 338302, 400013, 400032, 402119, 405001, 419002, 419003, 500001, 500002, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 504001, 504002, 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 507003, 602101, 602303, 602304, 605005, 607001, 608001, 609001, 609002, 611101, 702307, 710002, 710003, 710005, 710006, 711004, 713041, 713049, 713075, 713119, 713120, 713130, 713154, 713160, 713162, 713163, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713903, 713905, 713906, 715001, 715009, 715038, 715046, 715065, 715076, 715080, 716001, 716002, 716014, 716015, 716016, 716038, 716039, 716058, 716059, 716603, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722036, 722037, 722041, 722051, 722053, 722055, 725001, 725002, 725003, 725006, 725007, 725008, 725010, 725011, 725012, 725014, 725016, 725017, 733100, 734001, 734003, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 751026, 805001, 805002, 805003, 338002

Note

As of version 4.0.0 of the Splunk Add-on for Cisco ASA, Splunk does not support PIX and FWSM source types. To support this transition, version 3.4.0 will remain available for 90 days after the release of 4.0.0.

New or changed features

As of version 4.0.2 of the Splunk Add-on for Cisco ASA, the following features were added or changed:

Event type changes

The following event types have been added in version 4.0.2:

  • cisco_asa_vpn
  • cisco_asa_vpn_start
  • cisco_asa_vpn_end

The event type cisco_asa_change is now named cisco_asa_configuration_change.

message_id changes

For the message_ids, CIM data models mappings have changed as follows:

message_id Old Data Model New Data Model
113004 Network Sessions Authentication
313004 Network Sessions Network Traffic
602303 Network Traffic Network Sessions
602304 Network Traffic Network Sessions
713228 Change Network Sessions
716038 Network Sessions, Authentication Authentication
716039 Network Sessions, Authentication Authentication

Mapping with CIM data models has been removed for the following message_ids.

713121, 713236, 714002, 714004, 714006, 714011, 715006, 715007, 715047, 715048, 715049, 715077, 771002

Fixed issues

Version 4.0.2 of the Splunk Add-on for Cisco ASA fixes the following issues:

Known issues

Version 4.0.2 of the Splunk Add-on for Cisco ASA has the following known issues:

Third-party software attributions

Version 4.0.2 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 4.0.1

Version 4.0.1 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.2, 7.3, 8.0
CIM 4.15
Supported OS for data collection OS independent
Vendor products Cisco ASA v9.4, v9.12, v9.13
Supported Cisco ASA event message_ids 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113003, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 302021, 303002, 304001, 305011, 305012, 305013, 313001, 313004, 313005, 313009, 314001, 338301, 338302, 400013, 400032, 402119, 405001, 419002, 419003, 500001, 500002, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 504001, 504002, 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 507003, 602101, 602303, 602304, 605005, 607001, 608001, 609001, 609002, 611101, 702307, 710002, 710003, 710005, 710006, 711004, 713041, 713049, 713075, 713119, 713120, 713121, 713130, 713154, 713160, 713162, 713163, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713236, 713903, 713905, 713906, 714002, 714004, 714006, 714011, 715001, 715006, 715007, 715009, 715038, 715046, 715047, 715048, 715049, 715065, 715076, 715077, 715080, 716001, 716002, 716014, 716015, 716016, 716038, 716039, 716058, 716059, 716603, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722036, 722037, 722041, 722051, 722053, 722055, 725001, 725002, 725003, 725006, 725007, 725008, 725010, 725011, 725012, 725014, 725016, 725017, 733100, 734001, 734003, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 751026, 771002, 805001, 805002, 805003, 338002

Note

As of version 4.0.0 of the Splunk Add-on for Cisco ASA, Splunk does not support PIX and FWSM source types. To support this transition, version 3.4.0 will remain available for 90 days after the release of 4.0.0.

Version 4.0.0

Version 4.0.0 of the Splunk Add-on for Cisco ASA was released on April 21, 2020.

Compatibility

Version 4.0.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.2, 7.3, 8.0
CIM 4.15
Supported OS for data collection OS independent
Vendor products Cisco ASA v9.4, v9.12, v9.13
Supported Cisco ASA event message_ids 106001, 106006, 106007, 106012, 106014, 106015, 106016, 106017, 106020, 106021, 106023, 106100, 106103, 109025, 110002, 111001, 111004, 111008, 111009, 111010, 113003, 113004, 113005, 113008, 113009, 113011, 113012, 113019, 113039, 302010, 302013, 302014, 302015, 302016, 302020, 302021, 303002, 304001, 305011, 305012, 305013, 313001, 313004, 313005, 313009, 314001, 338301, 338302, 400013, 400032, 402119, 405001, 419002, 419003, 500001, 500002, 500003, 500004, 502101, 502102, 502103, 502111, 502112, 504001, 504002, 505001, 505002, 505003, 505004, 505005, 505006, 505007, 505008, 505009, 505010, 505011, 505012, 505013, 505014, 505015, 505016, 507003, 602101, 602303, 602304, 605005, 607001, 608001, 609001, 609002, 611101, 702307, 710002, 710003, 710005, 710006, 711004, 713041, 713049, 713075, 713119, 713120, 713121, 713130, 713154, 713160, 713162, 713163, 713166, 713167, 713172, 713184, 713185, 713198, 713199, 713228, 713236, 713903, 713905, 713906, 714002, 714004, 714006, 714011, 715001, 715006, 715007, 715009, 715038, 715046, 715047, 715048, 715049, 715065, 715076, 715077, 715080, 716001, 716002, 716014, 716015, 716016, 716038, 716039, 716058, 716059, 716603, 717009, 717016, 717022, 717024, 717025, 717027, 717028, 717029, 717030, 717036, 717037, 717056, 720041, 722001, 722003, 722010, 722011, 722012, 722022, 722023, 722028, 722029, 722030, 722031, 722032, 722033, 722034, 722036, 722037, 722041, 722051, 722053, 722055, 725001, 725002, 725003, 725006, 725007, 725008, 725010, 725011, 725012, 725014, 725016, 725017, 733100, 734001, 734003, 737001, 737003, 737006, 737016, 737026, 737034, 737035, 746012, 746013, 746014, 746015, 746016, 751025, 751026, 771002, 805001, 805002, 805003, 338002

Note

As of version 4.0.0 of the Splunk Add-on for Cisco ASA, Splunk does not support PIX and FWSM source types. To support this transition, version 3.4.0 will remain available for 90 days after the release of 4.0.0.

New or changed features

Version 4.0.0 of the Splunk Add-on for Cisco ASA has the following new or changed features:

  • Added segmenters.conf to let you filter timestamps from being added to the lexicon
  • Deprecated support for PIX and FWSM source types and the Malware data model
  • CIM v4.15 compatibility
  • Field extractions for supported Event IDs

Fixed issues

Version 4.0.0 of the Splunk Add-on for Cisco ASA fixes the following issues:

Known issues

Version 4.0.0 of the Splunk Add-on for Cisco ASA has the following known issues:

Third-party software attributions

Version 4.0.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.4.0

Version 3.4.0 of the Splunk Add-on for Cisco ASA was released on April 17, 2019.

Compatibility

Version 3.4.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.x
Supported OS for data collection OS independent
Vendor products Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and later

New or changed features

Version 3.4.0 of the Splunk Add-on for Cisco ASA has the following new or changed features:

  • Improved load balancing on the universal forwarder
  • IPv6 extractions are disabled by default

Fixed issues

Version 3.4.0 of the Splunk Add-on for Cisco ASA fixes the following issues:

Known issues

Version 3.4.0 of the Splunk Add-on for Cisco ASA has the following known issues:

Third-party software attributions

Version 3.4.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.3.0

Version 3.3.0 of the Splunk Add-on for Cisco ASA was released on October 12, 2017. Version 3.3.0 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Platforms Platform independent
Vendor Products Cisco ASA 5500 series, Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and above

Fixed issues

Version 3.3.0 of the Splunk Add-on for Cisco ASA fixes the following issues.

Known issues

Version 3.3.0 of the Splunk Add-on for Cisco ASA has the following known issues.

Third-party software attributions

Version 3.3.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.6

Version 3.2.6 of the Splunk Add-on for Cisco ASA was released on July 18, 2016. Version 3.2.6 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 5.0 and later
CIM 3.0 and later
Platforms Platform independent
Vendor Products Cisco ASA 5500 series, Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and above

Fixed issues

Version 3.2.6 of the Splunk Add-on for Cisco ASA fixes the following issues.

Known issues

Version 3.2.6 of the Splunk Add-on for Cisco ASA has the following known issues.

Third-party software attributions

Version 3.2.6 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.5

Version 3.2.5 of the Splunk Add-on for Cisco ASA was released on April 1, 2016. Version 3.2.5 of the Splunk Add-on for Cisco ASA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 5.0 and above
CIM 3.0 and above
Platforms Platform independent
Vendor Products Cisco ASA 5500 series, Cisco FWSM 3.x and 4.x, Cisco PIX 5.x and above

Fixed issues

Version 3.2.5 of the Splunk Add-on for Cisco ASA fixes the following issues.

Known issues

Version 3.2.5 of the Splunk Add-on for Cisco ASA has the following known issues.

Third-party software attributions

Version 3.2.5 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.4

Version 3.2.4 of the Splunk Add-on for Cisco ASA has the same compatibility specifications as version 3.2.5.

Fixed issues

Version 3.2.4 of the Splunk Add-on for Cisco ASA fixes the following issues.

Known issues

Version 3.2.4 of the Splunk Add-on for Cisco ASA has the following known issues.

Third-party software attributions

Version 3.2.4 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.3

Version 3.2.3 of the Splunk Add-on for Cisco ASA has the same compatibility specifications as version 3.2.4.

Fixed issues

Version 3.2.3 of the Splunk Add-on for Cisco ASA fixes the following issues.

Known issues

Version 3.2.3 of the Splunk Add-on for Cisco ASA has the following known issues.

Third-party software attributions

Version 3.2.3 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.2

Version 3.2.2 of the Splunk Add-on for Cisco ASA has the same compatibility specifications as version 3.2.3.

Fixed issues

Version 3.2.2 of the Splunk Add-on for Cisco ASA fixes the following issues.

Known issues

Version 3.2.2 of the Splunk Add-on for Cisco ASA has the following known issues.

Third-party software attributions

Version 3.2.2 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.1

Version 3.2.0 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.2.

Fixed issues

Version 3.2.1 of the Splunk Add-on for Cisco ASA fixed the following issues.

Date | Defect number | Description
02/04/15 | ADDON-3067 | Field “action” looked up by cisco_asa_change_analysis_lookup overrides action from cisco_action_lookup.
02/04/15 | ADDON-3142 | Field “action” contains some duplicated values.

Known issues

Version 3.2.1 of the Splunk Add-on for Cisco ASA had the following known issues.

Third-party software attributions

Version 3.2.1 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.2.0

Version 3.2.0 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.2.

New features

Version 3.2.0 of the Splunk Add-on for Cisco ASA included the following new features.

Date | Ticket number | Description
01/06/15 | ADDON-1083 | Support for additional fields of the Change Analysis CIM data model.
12/10/14 | ADDON-2230 | Support for VPN events.
11/18/14 | ADDON-2284 | Support for Web events.

Fixed issues

Version 3.2.0 of the Splunk Add-on for Cisco ASA fixed the following issues.

Known issues

Version 3.2.0 of the Splunk Add-on for Cisco ASA had the following known issue.

Third-party software attributions

Version 3.2.0 of the Splunk Add-on for Cisco ASA does not incorporate any third-party software or libraries.

Version 3.1.0

Version 3.1.0 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.1.

New features

Version 3.1.0 of the Splunk Add-on for Cisco ASA includes the following new features:

  • Pre-built panels. (ADDON-1638)
  • Support for version 9.2 of ASA (ADDON-1146)

Fixed issues

Version 3.1.0 of the Splunk Add-on for Cisco ASA fixes the following issues:

  • ASA teardown events prevent accurate analysis of network traffic. (ADDON-1258)
  • Typo of aaa_cisco_tunnelgroup for cisco_asa_tunnelgroup in props.conf and mismatch with transforms.conf (ADDON-1498)
  • Field extraction fails for field ‘signature_id’. (ADDON-1501)
  • Regex fails to extract the field “acl” for sourcetype="cisco:fwsm" (ADDON-1508) or for sourcetype="cisco:pix". (ADDON-1500)
  • Incorrect regex for field ‘icmp_type’. (ADDON-1510)
  • Regex incorrect for the field “group_policy”. (ADDON-1512)
  • Non-functional lookup file cisco_vendor_info_lookups.csv. Resolved by implementing same functionality with static fields via EVALs in props.conf. (ADDON-1514)
  • Some REPORT definitions not read into Splunk Enterprise. (ADDON-1515)
  • Transposed mappings to CIM for src and dest related fields. (ADDON-1888)
  • Search fails with fields src_id, fw_user. (ADDON-1976)
  • Incorrect field extraction for icml_type. (ADDON-1978)
  • The fields dest_translated_ip and dest_translated_port not extracted via regex. (ADDON-1979)
  • The assigned_ip field not extracted via regex. (ADDON-1980)
  • The group field not extracted via regex. (ADDON-1981)
  • The dest_domain field not extracted for Cisco ASA version 9.2. (ADDON-2031)

Known issues

Version 3.1.0 of the Splunk Add-on for Cisco ASA has the following known issues:

  • In multi-router installations, two different timestamps appear in Cisco ASA data, and the second one (after the IP address) is the correct one. (ADDON-1543)

Third-party software attributions

Version 3.1.0 of the Splunk Add-on for Cisco ASA did not incorporate any third-party software or libraries.

Version 3.0.1

Version 3.0.1 of the Splunk Add-on for Cisco ASA had the same compatibility specifications as Version 3.2.0.

New features

Version 3.0.1 of the Splunk Add-on for Cisco ASA included the following new features:

  • Vendor Class support (ADDON-1087)
  • VPN data populates in the Network Sessions CIM data model (ADDON-1082)

Fixed issues

Version 3.0.1 of the Splunk Add-on for Cisco ASA fixed the following issues:

  • eventgen host incorrectly set to localhost (ADDON-1105)
  • eventgen sample includes quotes around event (ADDON-1106)
  • add-on does not recognize “session-” in certain log outputs (ADDON-1223)

Known issues

Version 3.0.1 of the Splunk Add-on for Cisco ASA had the following known issues:

  • ASA teardown events prevent accurate analysis of network traffic. (ADDON-1258)
  • Typo of aaa_cisco_tunnelgroup for cisco_asa_tunnelgroup in props.conf and mismatch with transforms.conf (ADDON-1498)
  • Field extraction fails for field ‘signature_id’. (ADDON-1501)
  • Regex fails to extract the field “acl” for sourcetype="cisco:fwsm" (ADDON-1508) or for sourcetype="cisco:pix". (ADDON-1500)
  • Incorrect regex for the field “icmp_type”. (ADDON-1510)
  • Regex incorrect for the field “group_policy”. (ADDON-1512)
  • Some REPORT definitions not read into Splunk Enterprise. (ADDON-1515)
  • In multi-router installations, two different timestamps appear in Cisco ASA data, and the second one (after the IP address) is the correct one. (ADDON-1593)
  • Transposed mappings to CIM for src and dest related fields. (ADDON-1888)

Third-party software attributions

Version 3.0.1 of the Splunk Add-on for Cisco ASA did not incorporate any third-party software or libraries.