https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on/m-p/95051#M6463 <P>Yes, that is correct, with the slashes and I did restart Splunk.</P> Fri, 16 Mar 2012 21:45:01 GMT ahammond 2012-03-16T21:45:01Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on/m-p/95048#M6460 <P>Have Security Suite and Firewall addon installed, ASA sending syslog to UDP:514 with sourcetype blank. Default Transform for source type not working, source type is being set to udp:514 not cisco_firewall or cisco_asa</P> <P>Mar 16 17:35:33 10.0.10.1 :%ASA-session-4-106023: Deny udp src</P> <P>Have added /local/transforms.conf</P> <P>[force_sourcetype_for_cisco_asa]<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = %ASA-\w+-\w+<BR /> FORMAT = sourcetype::cisco_asa</P> <P>Why are default transforms not working?</P> Mon, 28 Sep 2020 11:31:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on/m-p/95048#M6460 ahammond 2020-09-28T11:31:55Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on/m-p/95049#M6461 <P>the REGEX above is incorrect, you used "w" instead of regex char class "\w"<BR /> change your regex to be %ASA-\w+-\w+-<BR /> (or maybe the slash just didnt show up in your post because this forum code takes a single slash as a special char??)</P> <P>you could "normalize" the event info by using a SEDCMD in default props for this source definition and replace ":%ASA-session" with "%ASA". see if this helps the app find the data you need, etc.</P> <P>EDIT - i believe there are other posts about this issue.<BR /> see this post, should fix the problem<BR /> <A href="http://splunk-base.splunk.com//answers/42936/cisco-asa-logging-format-change">http://splunk-base.splunk.com//answers/42936/cisco-asa-logging-format-change</A></P> Fri, 16 Mar 2012 21:24:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on/m-p/95049#M6461 cvajs 2012-03-16T21:24:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on/m-p/95050#M6462 <P>You did restart Splunk after that change? Also, I'm assuming this is just due to the formatting on answers.splunk.com, but, you did put "%ASA-\w+-\w+" correct? Not without the slashes?</P> Fri, 16 Mar 2012 21:39:24 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on/m-p/95050#M6462 tmeader 2012-03-16T21:39:24Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on/m-p/95051#M6463 <P>Yes, that is correct, with the slashes and I did restart Splunk.</P> Fri, 16 Mar 2012 21:45:01 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on/m-p/95051#M6463 ahammond 2012-03-16T21:45:01Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on/m-p/95052#M6464 <P>Hmm, not sure what to tell you. That overloaded REGEX for force_sourcetype_for_cisco_asa will DEFINITELY match the new format. You aren't using a distributed environment at all are you? Separate indexer and search head? If by chance you are, these changes will need to be made on the indexer, since that where the sourcetype metadata is written. Also, just to be clear, you added that under the [ciscoapp]/local directory right? Not under /etc/system/local?</P> Mon, 28 Sep 2020 11:32:05 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on/m-p/95052#M6464 tmeader 2020-09-28T11:32:05Z