
How to configure props.conf and transforms.conf for the Splunk Add-on for Cisco ESA?

asofo
Path Finder

I've just installed the Splunk Add-on for Cisco ESA and am looking to have the correct sourcetypes and field extractions. Am I simply appending my C:\Program Files\Splunk\etc\system\local\ props and transforms with what is contained in the C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-esa\default props and transforms files?

1 Solution

dtregonning_spl
Splunk Employee

Hi asofo,
Details of Configuration File precedence can be found here:
http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/Wheretofindtheconfigurationfiles

You can extend the props.conf and transforms.conf files at:

C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-esa\local

or

 C:\Program Files\Splunk\etc\system\local\

Depending on the context of your installation either may be preferred.
Don


asofo
Path Finder

Hi, I've tried both of the above methods and I'm still receiving the syslog data as sourcetype syslog with no fields. I have to be missing a step. Here's what I have done:

• Our Messaging Team configured the IronPort to send mail_logs to our indexer via syslog.
• I installed the Splunk Add-on for Cisco ESA.
• Added all the stanzas contained in the props.conf and transforms.conf in C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-esa\default to the props.conf and transforms.conf located in C:\Program Files\Splunk\etc\system\local.
• Restarted Splunk.


dtregonning_spl
Splunk Employee

Hi asofo,

As part of the Add-on for Cisco ESA there should be a bundled sourcetype "cisco:esa:textmail".
If you can ensure your input is configured for this sourcetype, the fields should be extracted for you automatically.

Check what sourcetype your specific data input is set to. This can be achieved in Splunk Web by navigating to Settings -> Data -> Data Inputs.

If you would like to modify via .conf files, the inputs.conf file should have the settings you need to modify to get things set up.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

Let me know how you go.
Don
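Setting the sourcetype on the input itself, as the reply above suggests, is shown here as an added example; it is not configuration from the post or from the add-on. It assumes the ESA delivers mail_logs over UDP syslog to port 514 on the indexer and sends from 192.0.2.10; both values are placeholders.

```ini
# inputs.conf on the instance that receives the syslog stream (the indexer here).
# Listen on UDP 514, but only for the ESA's address, so that lines from other
# hosts cannot be typed as ESA mail logs. 192.0.2.10 and 514 are example values.
[udp://192.0.2.10:514]
sourcetype = cisco:esa:textmail
connection_host = ip

# Contrast: the sourcetype the original poster first tried. Per the thread, the
# add-on renamed it to cisco:esa:legacy and applied a different set of
# extractions, which is why the Cisco Security Suite panels stayed empty.
# sourcetype = cisco:esa
```

connection_host = ip sets the host field to the sender's address, which is the value a [host::<ip>] props stanza later matches on; with connection_host = dns it would be the reverse-resolved name instead. Restricting the stanza to the sender's address is a filter, not authentication: UDP syslog carries no integrity protection, so anything able to spoof that source address can still inject lines into this sourcetype. The input takes effect after a Splunk restart.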

asofo
Path Finder

Hi,

Thanks for your help. I had been setting it to the wrong sourcetype, cisco:esa, which was renaming it to cisco:esa:legacy and in turn using a different set of field extractions. This is why none of the panels in the Cisco Security Suite were populating data. I got it going by adding the stanza to my props.conf file to set the sourcetype as cisco:esa:textmail:

# Applies to events whose host field equals the ESA's address. Host-IP-Address is a
# placeholder for that IP, i.e. the value Splunk assigns as host for the input
# (the sender's address when the input uses connection_host = ip).
[host::Host-IP-Address]
TRANSFORMS-changesourcetype = cisco_esa_textmail_sourcetype

and then added this stanza to my transforms.conf file:

# Matches the syslog header: the seconds of the timestamp, an optional PID or
# facility.severity field, then the sending host (optionally in square brackets),
# following the shape of Splunk's default [syslog-host] transform.
# Replace Host-IP-Address with the ESA's IP, dots escaped (for example 192\.0\.2\.10).
[cisco_esa_textmail_sourcetype]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(Host-IP-Address)\]?\s
FORMAT = sourcetype::cisco:esa:textmail
DEST_KEY = MetaData:Sourcetype

Thanks again!

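Before putting a sourcetype-rewriting props/transforms pair like the one in the final reply on an indexer, it is worth checking that the TRANSFORMS- reference actually resolves (a misspelled transform name is silently ignored and the data simply stays "syslog") and that the REGEX matches the header shape the ESA really sends. The script below is an added example, not code from the post or from the Splunk Add-on for Cisco ESA. It parses the two stanzas with configparser, reports dangling references, and replays the regex over constructed syslog lines. The ESA address 192.0.2.10, the other sender 192.0.2.99 and the log lines are all assumptions.

```python
"""Pre-deployment check for a sourcetype-rewriting props/transforms pair.

Added example, not code from the post or from the Splunk Add-on for Cisco
ESA: parse the two stanzas with configparser, confirm that every
TRANSFORMS- reference resolves to a real transforms stanza, compile the
REGEX, and replay it over constructed syslog lines to see which events
would be re-typed to cisco:esa:textmail before touching the indexer.
"""
import configparser
import re

# Assumption: the ESA sends from 192.0.2.10 (RFC 5737 documentation range);
# it stands in for the Host-IP-Address placeholder used in the post.
ESA_HOST = "192.0.2.10"

PROPS_CONF = f"""
[host::{ESA_HOST}]
TRANSFORMS-changesourcetype = cisco_esa_textmail_sourcetype
"""

# Same transform as the post, with the host written as an escaped literal.
TRANSFORMS_CONF = r"""
[cisco_esa_textmail_sourcetype]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?192\.0\.2\.10\]?\s
FORMAT = sourcetype::cisco:esa:textmail
DEST_KEY = MetaData:Sourcetype
"""

# A typo in the transform name: Splunk ignores it silently, data stays "syslog".
BROKEN_PROPS_CONF = f"""
[host::{ESA_HOST}]
TRANSFORMS-changesourcetype = cisco_esa_textmail_sourcetyp
"""

# Constructed sample events (not real ESA output): three from the ESA host,
# one from an unrelated syslog sender that has no props stanza.
SAMPLE_EVENTS = [
    (ESA_HOST, "Jan 14 10:22:31 192.0.2.10 Info: MID 12345 ICID 678 From: <alice@example.com>"),
    (ESA_HOST, "Jan 14 10:22:32 local0.info [192.0.2.10] Info: MID 12345 Subject 'Quarterly report'"),
    (ESA_HOST, "Info: MID 12346 ICID 679 RID 0 To: <bob@example.com>"),  # header stripped upstream
    ("192.0.2.99", "Jan 14 10:22:33 192.0.2.99 sshd[4242]: Accepted publickey for deploy"),
]


def load_conf(text):
    """Parse Splunk .conf text; keep key case (TRANSFORMS-/REGEX are case-sensitive)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def transform_names(props, stanza):
    """Comma-separated transform names from every TRANSFORMS-<class> key of a stanza."""
    names = []
    for key, value in props[stanza].items():
        if key.startswith("TRANSFORMS-"):
            names.extend(n.strip() for n in value.split(","))
    return names


def dangling_references(props_text, transforms_text):
    """Transform names referenced in props but missing from transforms."""
    props, transforms = load_conf(props_text), load_conf(transforms_text)
    return [n for s in props.sections() for n in transform_names(props, s)
            if not transforms.has_section(n)]


def rewrite_sourcetype(transforms, names, event, sourcetype):
    """Apply the listed transforms in order; a later match overrides an earlier one."""
    for name in names:
        t = transforms[name]
        if t.get("DEST_KEY") != "MetaData:Sourcetype":
            continue
        if re.search(t["REGEX"], event):
            sourcetype = t["FORMAT"][len("sourcetype::"):]
    return sourcetype


def run_check(props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF, events=SAMPLE_EVENTS):
    """Sourcetype each event would end up with. Stanzas are matched on the exact
    host value only; Splunk's wildcard and stanza-priority rules are not modelled."""
    missing = dangling_references(props_text, transforms_text)
    if missing:
        raise KeyError(f"props references undefined transforms: {missing}")
    props, transforms = load_conf(props_text), load_conf(transforms_text)
    results = []
    for host, raw in events:
        stanza = f"host::{host}"
        names = transform_names(props, stanza) if props.has_section(stanza) else []
        results.append((host, rewrite_sourcetype(transforms, names, raw, "syslog")))
    return results


if __name__ == "__main__":
    for host, sourcetype in run_check():
        print(f"{host:12} -> {sourcetype}")
    print("dangling:", dangling_references(BROKEN_PROPS_CONF, TRANSFORMS_CONF))
```

The third sample line shows the limit of this approach: the transform keys off the syslog header, so if the relay in front of Splunk strips headers, nothing is re-typed and the event keeps the input's sourcetype. Both stanzas are index-time settings, so they must live on the instance that parses the stream (the indexer here, since the ESA sends syslog to it directly) and need a restart to take effect; they do nothing on a search head.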