<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Forwarding to syslog stream in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Forwarding-to-syslog-stream/m-p/117656#M24472</link>
    <description>&lt;P&gt;Hi MHibbin&lt;/P&gt;

&lt;P&gt;try to step back to a more basic setup like in the docs and change it to match the examples. Try it with &lt;CODE&gt;host::1*&lt;/CODE&gt; for example, instead of source type.&lt;/P&gt;

&lt;P&gt;hope this helps ...&lt;/P&gt;

&lt;P&gt;cheers, MuS &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 28 Oct 2013 12:49:57 GMT</pubDate>
    <dc:creator>MuS</dc:creator>
    <dc:date>2013-10-28T12:49:57Z</dc:date>
    <item>
      <title>Forwarding to syslog stream</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Forwarding-to-syslog-stream/m-p/117655#M24471</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;I've configured Splunk to forward data to a third party system we use.&lt;/P&gt;

&lt;P&gt;I can see on the packet captures that the traffic is being sent to the host, however, I am seeing more data than I would like going to this host. I would only like our ASA traffic to go to this host, however, I am seeing all sorts of data being sent. I was not expecting this based on the following configuration files:&lt;/P&gt;

&lt;P&gt;outputs.conf -&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[syslog]
defaultGroup = syslog_out

[syslog:syslog_out]
server=1.2.3.4:514
type=udp
priority = NO_PRI
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;props.conf - &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[cisco_asa]
TRANSFORMS-routing=syslog_routing
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;transforms.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[syslog_routing]
REGEX="^[^\%]+\%ASA"
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog_out
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;N.B: the regex is there as I thought it might be an issue with just using "&lt;CODE&gt;.&lt;/CODE&gt;" for the "cisco_asa" sourcetype (not that it should matter).&lt;/P&gt;

&lt;P&gt;I've clearly missed something here, so I'd be grateful for any help.&lt;/P&gt;

&lt;P&gt;Thanks,&lt;/P&gt;

&lt;P&gt;mhibbin&lt;/P&gt;</description>
      <pubDate>Mon, 28 Oct 2013 11:05:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Forwarding-to-syslog-stream/m-p/117655#M24471</guid>
      <dc:creator>MHibbin</dc:creator>
      <dc:date>2013-10-28T11:05:08Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarding to syslog stream</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Forwarding-to-syslog-stream/m-p/117656#M24472</link>
      <description>&lt;P&gt;Hi MHibbin&lt;/P&gt;

&lt;P&gt;try to step back to a more basic setup like in the docs and change it to match the examples. Try it with &lt;CODE&gt;host::1*&lt;/CODE&gt; for example, instead of source type.&lt;/P&gt;

&lt;P&gt;hope this helps ...&lt;/P&gt;

&lt;P&gt;cheers, MuS &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 28 Oct 2013 12:49:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Forwarding-to-syslog-stream/m-p/117656#M24472</guid>
      <dc:creator>MuS</dc:creator>
      <dc:date>2013-10-28T12:49:57Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarding to syslog stream</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Forwarding-to-syslog-stream/m-p/117657#M24473</link>
      <description>&lt;P&gt;Don't set the defaultGroup parameter. You only want to send syslog when the transform matches.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Oct 2013 13:16:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Forwarding-to-syslog-stream/m-p/117657#M24473</guid>
      <dc:creator>datasearchninja</dc:creator>
      <dc:date>2013-10-28T13:16:30Z</dc:date>
    </item>
  </channel>
</rss>