topic Re: Props/ Transforms problems - Meraki in Getting Data In

Props/ Transforms problems - Meraki

jgorman_THG — Tue, 29 Sep 2020 13:27:17 GMT

Hello everyone!

I'm trying to use props/ transforms to set a sourcetype and change the hostname of my devices. Currently they are coming in as sourcetype=syslog

My event looks like this:

Apr 3 22:37:36 10.77.265.178 1 1491277141.711671730 NAME_LOC_FW1 events Site-to-site VPN: notification INVALID-ID-INFORMATION received in informational exchange.

I want to extract "NAME_LOC_FW1" and change the sourcetype to meraki as well as change the host to "NAME_LOC_FW1"

I have the following props:

[syslog]
TRANFORMS-changesourcetypes = NAME_LOC_FW1

[syslog]
TRANSFORMS-changehost = NAME_LOC_FW1_HOST

And the following transforms:

[NAME_LOC_FW1]
Regex = (NAME_LOC_FW1)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::meraki

[NAME_LOC_FW1_HOST]
DEST_KEY = MetaData:Host
REGEX = (?)(NAME_LOC_FW1)
FORMAT = host::$1

This isn't working... Can anyone tell me what I'm doing wrong?

Also, this is implemented on a Heavy Forwarder.

Thanks a lot!

Re: Props/ Transforms problems - Meraki

gcusello — Tue, 04 Apr 2017 12:00:06 GMT

Hi jgorman_THG,
I'm not sure about your regex, try with a different one, something like this

\w+\s\d+\s\d+:\d+:\d+\s\d+\.\d+\.\d+\.\d+\s\d+\s\d+\.\d+\s(?<host>[^ ]*)

you can try it on https://regex101.com/r/g9PJJD/1

Bye.
Giuseppe

Re: Props/ Transforms problems - Meraki

jgorman_THG — Tue, 04 Apr 2017 13:38:16 GMT

Hi Guiseppe!

That didn't seem to work... I agree though, it's probably a regex problem. I'm not super strong in regex...

Re: Props/ Transforms problems - Meraki

gcusello — Tue, 04 Apr 2017 16:13:21 GMT

go in regex101.com and insert your log and my regex and verify if it's correct, maybe there's something different in your production logs.
Using the one you inserted in this question the regex is correct.
Bye.
Giuseppe

Re: Props/ Transforms problems - Meraki

DalJeanis — Tue, 29 Sep 2020 13:27:31 GMT

Assuming that the value in the _raw is literally NAME_LOC_FW1 and you literally want the literal NAME_LOC_FW1 as your hostname...

 ### props.conf
[syslog]
TRANFORMS-fw1 = NAME_LOC_FW1,NAME_LOC_FW1_HOST

##transforms.conf     
[NAME_LOC_FW1]
Regex = (NAME_LOC_FW1)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::meraki

[NAME_LOC_FW1_HOST]
DEST_KEY = MetaData:Host
REGEX = (NAME_LOC_FW1)
FORMAT = NAME_LOC_FW1

Warning - those stanzas will redirect any event that has that literal anywhere in the event. If that is not the behavior that you would like, then the regex should be made more specific.

Re: Props/ Transforms problems - Meraki

myron_davis — Thu, 31 Aug 2017 22:29:37 GMT

What about configuring meraki to send on a different port than 514 and just force all incoming data on that port to type meraki?