
I have a Cisco VPN (not sure exactly which hardware) whose logs are forwarded to our Splunk server. It appears the username is redacted. All I see are asterisks. Is this something that can be changed on the VPN and how? Hopefully there is enough consistency between devices that the question can be answered. Thanks!

Snip below:

IP  xx.xx.xx.xx
_raw    Jun 26 10:23:31 xx.xx.xx.xx %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = xx.xx.xx.xx : user = ***** : user IP = xx.xx.xx.xx   
_time   2014-06-26T10:23:31.000-0400    
app     
date_hour   10  
date_mday   26  
date_minute 23  
date_month  june    
date_second 31  
date_wday   thursday    
date_year   2014    
date_zone   local   
eventtype       
host    xx.xx.xx.xx 
ids_type        
index   main    
linecount   1   
pid     
process %ASA-6-113005   
product     
punct   __::_..._%--:_____:__=___:__=_..._:__=_*****_:___=  
reason  Invalid 
server  xx.xx.xx.xx 
source  syslog  
sourcetype  syslog  
splunk_server   xx.xx.xx    
tag::eventtype      
timeendpos  15  
timestartpos    0   
user    *****   
vendor      
Ryan Foley
  • It would help to know at least the version of code running on the device. Also, example lines could be helpful as well (sanitized naturally). Finally, are you sure this is a VPN configuration issue and not something Splunk is doing? I just checked two different logging servers (I do not have access to a Splunk server currently), and in both the usernames are present in the logs for VPN connections. – YLearn Jun 26 '14 at 17:39
  • Ok, was able to paste a snippet. Not sure if "ASA-6-113005" is helpful in determining software/hardware. Thx. – iAwardYouNoPoints Jun 26 '14 at 18:16
  • Did you check your props.conf and transforms.conf in Splunk to see if it was making these changes? Not sure if it would be anywhere else in the configuration. – YLearn Jun 26 '14 at 19:56
  • ASA-6-113005 isn't a version. It's a type ID of the particular syslog entry generated by the ASA. I had the same issue and, assuming you're using LDAP or RADIUS, look at the fields you're using. UPN, CN, etc. – glallen Jun 27 '14 at 10:43

3 Answers

This is a Splunk issue and not a network issue. As you can see from my Splunk log of an invalid login attempt (non-LDAP though):

Jul  5 17:55:52 firewall.local %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = legioxi

It shows the username in plaintext. The syslog ID is different because I do not have LDAP configured on my lab ASA.

The answers you seek will most likely be found in the Splunk manual, as it will be, as YLearn mentioned, in your Splunk config files.

This is an explanation (cisco.com) of the syslog ID you're seeing.

some_guy_long_gone

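One way to settle the question of where the asterisks come from is to look at the username field as it appears in the raw syslog text. The parser below is an added example written for this page; it is not code from any of the posters, from Cisco or from Splunk. It takes ASA `%ASA-6-113005` / `%ASA-6-113015` AAA messages in the shape quoted in this thread, pulls out the `key = value` pairs after the message ID, and reports whether the `user` value is a run of asterisks. The two sample lines are constructed from the messages quoted above with made-up addresses. If the same check on the syslog text as received by the forwarder (before any index-time rewrite such as a `SEDCMD` rule in `props.conf`) already shows asterisks, the device masked the name; if the forwarder saw a real username and only the indexed event shows asterisks, the Splunk configuration did it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on the two ASA messages quoted in this
# thread (addresses made up). The first has a masked user, the second does not.
SAMPLE_LINES = [
    "Jun 26 10:23:31 10.0.0.1 %ASA-6-113005: AAA user authentication Rejected : "
    "reason = Invalid password : server = 10.0.0.2 : user = ***** : user IP = 10.0.0.3",
    "Jul  5 17:55:52 firewall.local %ASA-6-113015: AAA user authentication Rejected : "
    "reason = Invalid password : local database : user = legioxi",
]

# %ASA-<severity>-<6-digit message id>: <body>
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# "key = value" pairs separated by " : " inside the body; the leading free-text
# part ("AAA user authentication Rejected") has no " = " and is skipped.
FIELD_RE = re.compile(r"(?P<key>[A-Za-z ]+?) = (?P<value>[^:]+?)(?= : |$)")
# A username that was replaced by asterisks (what the ASA emits when hiding names).
MASK_RE = re.compile(r"^\*+$")


@dataclass
class AaaEvent:
    severity: int
    msgid: str
    reason: Optional[str]
    user: Optional[str]
    user_masked: bool


def parse_asa_line(line: str) -> Optional[AaaEvent]:
    """Parse one ASA AAA syslog line; return None for lines that are not ASA messages."""
    m = ASA_RE.search(line)
    if not m:
        return None
    fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(m.group("body"))}
    user = fields.get("user")
    return AaaEvent(
        severity=int(m.group("sev")),
        msgid=m.group("msgid"),
        reason=fields.get("reason"),
        user=user,
        user_masked=bool(user and MASK_RE.match(user)),
    )


def masked_events(lines: List[str]) -> List[str]:
    """Return the message IDs of the lines whose username is masked."""
    out = []
    for line in lines:
        ev = parse_asa_line(line)
        if ev is not None and ev.user_masked:
            out.append(ev.msgid)
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_asa_line(line)
        print(f"{ev.msgid}: user={ev.user!r} masked={ev.user_masked} reason={ev.reason!r}")
```

Run it against a capture taken on the syslog forwarder and against the `_raw` field exported from Splunk for the same events; whichever is the first place the asterisks appear is the side that is hiding the username.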

This is a bug in Cisco ASA 9.2(2) and may not be Splunk.

https://tools.cisco.com/quickview/bug/CSCur17006

powerkor
  • It's worth mentioning the reason behind this (which is in the link you provided). _"This is **intentional** incase a user accidentally enters their password in the username field."_ [Emphasis mine] – Ryan Foley Jul 09 '15 at 16:13
  • 'Intentional' is more like oversight in this context – powerkor Jul 10 '15 at 18:37

As powerkor stated, this was an intentional bug. It is also now fixed in 9.5.1, listed under Monitoring Features. Once you update to 9.5.1 you can disable hiding the username with this command:

no logging hide username

They have also added this in other firmware trains:

  • 9.2(4)
  • 9.3(3)

Chris Balmer