topic Re: SourceTypes Not Recognized in Getting Data In

SourceTypes Not Recognized

vragosta — Fri, 01 Mar 2013 16:02:38 GMT

We have some Cisco ASAs logging to Splunk over port 514/UDP, and they are being received fine. But, there is something odd that has been bothering me. The source of all of these logs is still recorded as udp:514 instead of cisco:asa as I would expect.

Can anyone enlighten me as to why this may be?

Thanks!

Re: SourceTypes Not Recognized

yannK — Fri, 01 Mar 2013 16:36:19 GMT

Do not mistake source and sourcetype. The source is where the events come from, the sourcetype define the format and purpose.

with an input like
[udp://514] sourcetype=cisco:asa
the source will be udp:514
if you need to change the source you can add, source=cicso:asa

Re: SourceTypes Not Recognized

vragosta — Fri, 01 Mar 2013 16:38:53 GMT

Yes, my mistake. I meant it is detecting the sourcetype improperly. We actually have pix, fwsm, and asa logs all being sent to 514/UDP. However, only the asa logs do not appear with an expected sourcetype. They are recorded with a sourcetype of udp:514 instead of cisco:asa.

Thanks!

Re: SourceTypes Not Recognized

vragosta — Fri, 01 Mar 2013 17:17:25 GMT

It looks like someone was fiddling with the transforms.conf file, which caused the asa logs to be classified incorrectly. After changing the regex back to it's original value, everything appears to be working as expected now.

Thanks!