Spelunking the caves :: Cisco ASA REST API

For one of my projects we need to extract realtime data from Cisco ASA firewalls. Cisco already provides a REST agent for ASA Firewalls since 2014-ish. The REST agent provided a mean to make CRUD operations (Change, Read, Update and Delete), but will not be your explicit way of access. Other programs like SSH or ASDM will still be available and provide a way of changing the configuration. Also bare in mind that the REST API will gain access to the running configuration. You’ll need to provide an additional way of writing to the startup configuration.

This post is going to dive into the initial setup and test extractions in Splunk with the Add-on Builder. With this app we can create a Technology-addon and create new data inputs with Event extractions.  In the resources section below I’ve sum up the collected resources.

:: Setup

To fully focus on what we want to achieve I’ve made a simple but effective setup. See the diagram below:

Cisco ASAv 9.5.2-204
CentOS Linux8.0
Splunk Enterprise Evaluation8.0.4.1
Splunk Common Information Model (CIM)4.16.0
Splunk Add-on Builder3.0.1
Cisco ASA REST API agent7141-lfbff-k8

:: Prepare Cisco ASA

To enable the REST agent you will need to have some configuration in place. In our setup we have a test ASAv with limited configuration and local authentication. In most cases production setups normally use tacacs/radius authentication and authorization. The REST authentication needs to be adjusted in order to use the correct authc/authz method. Also ASAv has the agent built into the Boot: partition, but let’s pretend we have a regular hardware ASA.

First you will need to upload the REST agent package. You can find this in the download section of the Cisco ASA firewall section. The filename somewhat reflect the following format: asa-restapi-{version}-lfbff-k8.SPA.

Some details to consider:

  • Installation Multiple context: Install on admin context
  • Installation on Single context (our case): Install on ASA directly

Transfer the package to your ASA via TFTP, SCP, SFTP or FTP. You can also use ASDM and the file manager to make it more easier to transfer files to the local file system.

http server enable
http management
! >> For only GET operations Priv 5 is sufficient. For GET, PUT and DELETE operations Priv 15 is needed
username restapi password test1234 privilege 5
aaa authentication http console LOCAL
! >> Ensure correct routing towards the Splunk server. In our case we have the management interface and Splunk server in the same subnet for simplicity. No need for a route.
! route {interface} x.x.x.x y.y.y.y.y {next-hop}
! >> Install Rest API agent
rest-api image disk0:asa-restapi-7141-lfbff-k8.SPA
! Enable REST api agent
rest-api agent

:: Verify

Check if the agent is installed correctly.

Go to URL:

The following should appear after login:


API documentation is included in the agent:

This overview shows you to which objects you have access to and what attributed are available

:: Splunk and the addon builder

There are a few thing you need to keep in mind as it come to data collection for network devices:

  • Install Splunk eval
  • Install Splunk Common Information Model
  • Install Cisco ASA Technology add-on
  • Install Splunk add-on builder

Never install the addon builder on distributed production setups. You must develop a TA in the standalone test environment, validate it and transfer the TA to the production environment.

This would provide you with sufficient field extractions and data models to get started immediately as it come to Network data.

Now back to the add-on builder…

Go to the SPlunk Add-on Builder app and choose “new add-on”
Fill in the fields to reflect the purpose for your add-on. Choose a wise Collection Interval.
Very Important: To enable basic authentication add “Global Account” to the input parameter field.
Fill in the URL you want to scrape and enable Basic Authentication. The Global Account can be setup in the next screenshot.
Add your credentials for REST API operations
Hit the test button to start getting some interface data

Click Save and Finish

The app should appear in the Splunk App list now.

Go to created App:

Select Configurations and setup your REST api account:

I’ve included the error message so you can see to which field format you need to stick to.

Go to Inputs and “Create new Input”

I’ve included the error message so you can see to which field format you need to stick to.

Restart SplunkWeb via Webgui or

Initiate from CLI:

[root@SPLK-01 /]# cd /opt/splunk/bin
[root@SPLK-01 bin]# ./splunk restart
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
..                                                         [  OK  ]
Stopping splunk helpers...
                                                           [  OK  ]

Splunk> Finding your faults, just like mom.

Checking prerequisites...
        Checking http port [8000]: open
        Checking mgmt port [8089]: open
        Checking appserver port []: open
        Checking kvstore port [8191]: open
        Checking configuration... Done.
        Checking critical directories...        Done
        Checking indexes...
                Validated: _audit _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket add_on_builder_index cim_modactions hi                           story main summary
        Checking filesystem compatibility...  Done
        Checking conf files for problems...
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunk/splunk-'
        All installed files intact.
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
                                                           [  OK  ]

Waiting for web server at to be available........................ Done

If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://SPLK-01.testlab.local:8000

After restart go to the Search and Reporting app and enter “sourcetype=”cisco:asa:rest”” as your search to see the results.

Bare in mind that the TA app will initiate data collection every 3600 seconds as you have configured.

:: Wrap up

This is the most simple way to get REST GET information inside Splunk. There still can be a requirement to format the data more to your needs by filtering out unnecessary data fields. Just keep it simple. I might add some more examples in the future to complement this post.

:: Resources

Leave a Reply