https://community.splunk.com/t5/Getting-Data-In/UDP-514-Syslog-Using-transform-with-Cisco-IronPort-logs/m-p/83791#M97141 <P>Try this I use it for multi device inputs that go to the same port. Put it in the ect\system\local directory, should work for both TCP and UDP</P> <P>input.conf</P> <PRE><CODE> #UDP:514 multidevise input [udp://514] connection_host = ip index = syslog </CODE></PRE> <P>props.conf</P> <PRE><CODE>#UPD514 device split [source::udp:514] MAX_TIMESTAMP_LOOKAHEAD = 20 NO_BINARY_CHECK = 1 TRANSFORMS-changesourcetype = WTI_st, as400FISERV_st, as400COMPASS_st, CiscoBrRt_st, Cisco_IronPort_St </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>#Ironport Email [Cisco-IronPort_st] REGEX = 111\.x\.x\.x|111\.x\.x\.x SOURCE_KEY = MetaData:Host FORMAT = sourcetype::Cisco-IronPort DEST_KEY = MetaData:Sourcetype #bryans power management equipment [WTI_st] REGEX = 111\.x\.x\.x|111\.x\.x\.x SOURCE_KEY = MetaData:Host FORMAT = sourcetype::WTI DEST_KEY = MetaData:Sourcetype [as400FISERV_st] REGEX = 111\.x\.x\.x SOURCE_KEY = MetaData:Host FORMAT = sourcetype::as400FISERV DEST_KEY = MetaData:Sourcetype </CODE></PRE> Wed, 04 Mar 2015 21:31:39 GMT jarjoh42 2015-03-04T21:31:39Z https://community.splunk.com/t5/Getting-Data-In/UDP-514-Syslog-Using-transform-with-Cisco-IronPort-logs/m-p/83789#M97139 <P>Trying to transform syslog data arriving over UDP 514 into either <CODE>cisco_asa</CODE> or <CODE>cisco_wsa_squid</CODE>.<BR /><BR /> The asa logs work find and transform as I expect, but the ironport logs do not - they remain as syslog. </P> <P>transforms.conf file </P><HR /><P></P> <PRE><CODE>[syslog-Cisco_IronPort] DEST_KEY = MetaData:Sourcetype REGEX=src=xxx\.xx\.33\.113 FORMAT = sourcetype::cisco\_wsa\_squid DEST\_KEY = MetaData:Sourcetype [syslog-Cisco_ASA] DEST\_KEY = MetaData:Sourcetype REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(xxx.xx.1.132)[\w\.\-]{2,})\]?\s FORMAT = sourcetype::cisco\_asa DEST\_KEY = MetaData:Sourcetype </CODE></PRE> <P></P><HR /><BR /> props.conf file<BR /><BR /> <HR /><P></P> <PRE><CODE>[source::udp:514] TRANSFORMS-CHANGESOURCETYPES = syslog-Cisco\_ASA,syslog-Cisco\_IronPort </CODE></PRE> <P></P><HR /><P></P> <P>Thank you in advance ...</P> Wed, 03 Apr 2013 20:07:05 GMT https://community.splunk.com/t5/Getting-Data-In/UDP-514-Syslog-Using-transform-with-Cisco-IronPort-logs/m-p/83789#M97139 rroatman 2013-04-03T20:07:05Z https://community.splunk.com/t5/Getting-Data-In/UDP-514-Syslog-Using-transform-with-Cisco-IronPort-logs/m-p/83790#M97140 <P>Please use the formatting tools (especially <CODE>code</CODE>) when typing config stuff. Regexes tend to get mangled by the input sanitation in the forum software.</P> <P>Assuming that your backslashes in the confs are not really there - apart from the regexes - and that the x's are just your obfuscation, the only 'problem' I see is that you have duplicated the DEST_KEY in both transforms stanzas. You only need one in each.</P> <P>Other than that - are you sure that your regex for IronPort matches your events. It sure looks simple enough, but...</P> Thu, 04 Apr 2013 07:16:07 GMT https://community.splunk.com/t5/Getting-Data-In/UDP-514-Syslog-Using-transform-with-Cisco-IronPort-logs/m-p/83790#M97140 kristian_kolb 2013-04-04T07:16:07Z https://community.splunk.com/t5/Getting-Data-In/UDP-514-Syslog-Using-transform-with-Cisco-IronPort-logs/m-p/83791#M97141 <P>Try this I use it for multi device inputs that go to the same port. Put it in the ect\system\local directory, should work for both TCP and UDP</P> <P>input.conf</P> <PRE><CODE> #UDP:514 multidevise input [udp://514] connection_host = ip index = syslog </CODE></PRE> <P>props.conf</P> <PRE><CODE>#UPD514 device split [source::udp:514] MAX_TIMESTAMP_LOOKAHEAD = 20 NO_BINARY_CHECK = 1 TRANSFORMS-changesourcetype = WTI_st, as400FISERV_st, as400COMPASS_st, CiscoBrRt_st, Cisco_IronPort_St </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>#Ironport Email [Cisco-IronPort_st] REGEX = 111\.x\.x\.x|111\.x\.x\.x SOURCE_KEY = MetaData:Host FORMAT = sourcetype::Cisco-IronPort DEST_KEY = MetaData:Sourcetype #bryans power management equipment [WTI_st] REGEX = 111\.x\.x\.x|111\.x\.x\.x SOURCE_KEY = MetaData:Host FORMAT = sourcetype::WTI DEST_KEY = MetaData:Sourcetype [as400FISERV_st] REGEX = 111\.x\.x\.x SOURCE_KEY = MetaData:Host FORMAT = sourcetype::as400FISERV DEST_KEY = MetaData:Sourcetype </CODE></PRE> Wed, 04 Mar 2015 21:31:39 GMT https://community.splunk.com/t5/Getting-Data-In/UDP-514-Syslog-Using-transform-with-Cisco-IronPort-logs/m-p/83791#M97141 jarjoh42 2015-03-04T21:31:39Z