
CISCO_ESA

cesca
Engager

Hi,

I have installed the Splunk_CiscoSecuritySuite and the Splunk_CiscoIronportEmailSecurity.

The problem is that I'm not getting any data with sourcetype=cisco_esa. I have the following in inputs.conf:

# regular syslog
[udp://514]
disabled = false
sourcetype = syslog
connection_host = dns

# ironport syslog
[udp://192.168.1.200:514]
disabled = false
host = 192.168.1.200
sourcetype = cisco_esa
connection_host = dns

However, data from host 192.168.1.200 is being indexed with the [udp://514] index and not the [udp://192.168.1.200:514].

What do I have to change to have it recorded with the sourcetype=cisco_esa?

Thanks a lot,
-- Xavier

0 Karma
1 Solution

sdaniels
Splunk Employee

See below from inputs.conf: the first stanza is going to pick it up, since the remote server is empty and only one stanza per port number is currently supported. You could override the sourcetype on a per-event basis using a regex. See this link: http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

You could also change the port number.

[udp://<remote server>:<port>]
* Similar to TCP, except that it listens on a UDP port.
* Only one stanza per port number is currently supported.
* Configure Splunk to listen on a specific port.
* If <remote server> is specified, the specified port will only accept data from that server.
* If <remote server> is empty - [udp://<port>] - the port will accept data sent from any server.
* Will generate events with source set to udp:portnumber, for example: udp:514
* If sourcetype is unspecified, will generate events with set sourcetype to udp:portnumber



cesca
Engager

Hi,

It works like a charm! I didn't know that only one stanza per port number was currently supported; I expected it to take the most specific one.

I've followed the examples and I've done it like this:

transforms.conf:

[cisco_esa_parser]
# Keys on the host field of the syslog header; MachineName stands for the
# ESA's host name as it appears in the events.
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(MachineName)[\w.-]*\]?\s
FORMAT = sourcetype::cisco_esa
DEST_KEY = MetaData:Sourcetype

props.conf:

[source::udp:514]
TRANSFORMS-changesourcetype = cisco_esa_parser

Thanks for your help,

-- Xavier

0 Karma
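To check what the per-event override from the accepted answer actually does before relying on it, here is an added Python example (not code from this thread or from Splunk) that replays cesca's [cisco_esa_parser] REGEX over a few syslog lines the way the indexer would: when the pattern matches the raw event the sourcetype becomes cisco_esa, otherwise the [udp://514] stanza's sourcetype stays. The ESA host name esa01 standing in for MachineName and every sample event below are assumptions, constructed for the example.

```python
import re

# Added example, not part of the original thread. "esa01" is an assumed
# value for the MachineName placeholder in cesca's transforms.conf; the
# sample events further down are constructed, not real ESA logs.
ESA_HOST = "esa01"
DEFAULT_SOURCETYPE = "syslog"  # what the [udp://514] stanza assigns

# Same pattern as the posted REGEX, with the host placeholder substituted:
# "HH:MM:SS", optional PID / facility.severity tokens, then the host field,
# optionally wrapped in square brackets.
CISCO_ESA_REGEX = re.compile(
    rf":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*"
    rf"\[?({re.escape(ESA_HOST)})[\w.-]*\]?\s"
)


def assign_sourcetype(raw_event: str) -> str:
    """Mirror the transform: DEST_KEY = MetaData:Sourcetype with
    FORMAT = sourcetype::cisco_esa when REGEX matches _raw; otherwise the
    sourcetype set by the input stanza is kept."""
    if CISCO_ESA_REGEX.search(raw_event):
        return "cisco_esa"
    return DEFAULT_SOURCETYPE


def matched_host(raw_event: str):
    """Return the host token the regex keyed on, or None if it did not match."""
    m = CISCO_ESA_REGEX.search(raw_event)
    return m.group(1) if m else None


# Constructed syslog lines as they would arrive on udp:514. The <PRI> prefix
# is kept where present because TRANSFORMS run against the raw event.
SAMPLE_EVENTS = [
    "<22>Jan 29 10:01:21 esa01.example.com mail_logs: Info: MID 1234 ICID 56 From: <a@example.com>",
    "<13>Jan 29 10:01:22 router1 sshd[4021]: Accepted publickey for admin from 10.0.0.5",
    "Jan 29 10:01:23 7 [esa01] antispam: Info: MID 1234 interim verdict using engine: CASE",
    "Jan 29 10:01:24 local6.info esa01 mail_logs: Warning: Received an invalid DNS Response",
    "<22>Jan 29 10:01:25 esa01-standby mail_logs: Info: Message finished MID 1235 done",
]


def classify(events):
    """Return (host token, sourcetype) per event, as the indexer would tag them."""
    return [(matched_host(e), assign_sourcetype(e)) for e in events]


if __name__ == "__main__":
    for event, (host, sourcetype) in zip(SAMPLE_EVENTS, classify(SAMPLE_EVENTS)):
        print(f"{sourcetype:10} host={host!s:8} {event[:60]}")
```

Two things the run makes visible. The match is driven purely by the host token inside the raw event, which the sender writes, so on a plain UDP socket any machine that puts the ESA's name in that field gets its events tagged cisco_esa. And the trailing `[\w.-]*` turns the host check into a prefix match: the last sample, from a host called esa01-standby, is classified as cisco_esa too, so tighten that part of the pattern if other hosts share the ESA's name prefix.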