https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63602#M12779 <P>Anything guys?</P> Mon, 06 Feb 2012 16:57:53 GMT balbano 2012-02-06T16:57:53Z https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63601#M12778 <P>Hey Guys, </P> <P>I am trying to understand how the props.conf and transforms.conf work when manipulating/filtering data. </P> <P>In a very simple way, let me explain what I need done. </P> <P>Problem: I have Cisco ASA Logs sent to this syslog-ng server. </P> <P>I would like to setup a monitor point on the folder containing the logs. However, I want to exclude the following events from getting indexed: </P> <PRE><CODE>ASA-6-302016 ASA-6-302015 ASA-7-609001 ASA-7-609002 ASA-6-302013 ASA-6-302014 ASA-6-302020 ASA-6-302021 ASA-6-305012 ASA-6-305011 </CODE></PRE> <P>Everything else other than this I would like to index to a certain specified index. </P> <P>Can someone tell me from start to finish how I would do this as for as specifying the monitor path to get indexed and the appropriate props.conf/transforms.conf configuration specifications that are needed. </P> <P>The documentation is a little tricky for me to understand so maybe an example will make me understand better. </P> <P>Appreciate any help you can provide. </P> <P>Thanks. </P> <P>Brian</P> Thu, 02 Feb 2012 18:22:08 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63601#M12778 balbano 2012-02-02T18:22:08Z https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63602#M12779 <P>Anything guys?</P> Mon, 06 Feb 2012 16:57:53 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63602#M12779 balbano 2012-02-06T16:57:53Z https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63603#M12780 <PRE><CODE> props.conf [yoursourcetype] TRANSFORMS-null = setnull transforms.conf [setnull] REGEX = ASA-[67]-(302016|302015|609001|609002|302013|302014|302020|302021|305012|305011) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Mon, 06 Feb 2012 21:33:05 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63603#M12780 jbsplunk 2012-02-06T21:33:05Z https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63604#M12781 <P>Thank You!!!</P> Mon, 06 Feb 2012 21:46:35 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63604#M12781 balbano 2012-02-06T21:46:35Z https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63605#M12782 <P>glad to help!</P> Mon, 06 Feb 2012 21:50:22 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63605#M12782 jbsplunk 2012-02-06T21:50:22Z https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63606#M12783 <P>your regex will fail with the 8.4+ ASA (need to verify actual revs), it comes in with %ASA-session- in it,<BR /> see <A href="http://splunk-base.splunk.com//answers/42936/cisco-asa-logging-format-change">http://splunk-base.splunk.com//answers/42936/cisco-asa-logging-format-change</A></P> <P>so you you might modify the regex to be<BR /> %ASA-(session-)?[67]-(code|code|code|code)<BR /> or<BR /> %ASA-(\w+-)?[67]-(code|code|code|code)</P> Fri, 16 Mar 2012 22:35:30 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63606#M12783 cvajs 2012-03-16T22:35:30Z https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63607#M12784 <P>sorry, once again this forum code is a pita and takes a single \ as a special char.</P> <P>it should be <BR /> %ASA-(\w+-)?[67]-(code|code|code|code)</P> Mon, 19 Mar 2012 12:58:51 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63607#M12784 cvajs 2012-03-19T12:58:51Z https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63608#M12785 <P>or - better yet, why not save yourself the unnecessary log traffic and load on the ASA anyway and just turn those message numbers off at the source.</P> <P>ex&gt;<BR /> asa-firewall# conf t</P> <P>asa-firewall(conf)# no logging message 302016</P> <P>asa-firewall(conf)# no logging message 302015</P> <P>etc.</P> <P>-Chris</P> Mon, 25 Mar 2013 22:07:22 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-filtering-Cisco-ASA-Logs-at-index-time/m-p/63608#M12785 chris_moody 2013-03-25T22:07:22Z