Splunk Add-on for Cisco ASA: How to edit my configurations to filter events I do not want in local files?

TheFrunkster
Explorer

This seems to be a common and easy problem to resolve, but I can't seem to get to the right answer.

Recently I installed the "Splunk Add-on for Cisco ASA" in my environment's indexers and search heads. Data from several syslog sources is received by my universal forwarder and sent over to my indexers.

The ASA data is coming in as sourcetype syslog. The add-on's default props.conf and transforms.conf take care of renaming the sourcetype to cisco:asa.

This is the relevant section of the add-on's default props.conf file:

[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[cisco:asa]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = false
KV_MODE = auto

Relevant section of the default transforms.conf file:

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d-\d{6}
FORMAT = sourcetype::cisco:asa

The configuration shown above works fine. However, when I apply filtering of events I do not want in the local files, they do not work.

Local props.conf file:

[cisco:asa]
TRANSFORMS-ASA_filters= removeDNS

Local transforms.conf file:

[removeDNS]
REGEX = [/(]53[)\s]
DEST_KEY = queue
FORMAT = nullQueue

I have used configurations similar to these before. I just can't explain why the filtering does not happen. I can only think the sourcetype is still syslog when the filter needs to be applied.

Any help on this issue will be extremely appreciated.

Regards,
Frunkster

1 Solution

beatus
Communicator

TheFrunkster,

I suspect you have to do your filtering at the syslog sourcetype, before the sourcetype rename. I'd recommend making the regex for [removeDNS] a bit more specific to the ASA logs then migrate the TRANSFORMS to [syslog].

bwooden
Splunk Employee

Beatus is right. Your sourcetype is transforming after the nullQueue routing. You should be able to resolve this by making the nullQueue routing regex more specific and moving it to the source stanza in props. Something like this...

transforms.conf

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d-\d{6}
FORMAT = sourcetype::cisco:asa

[removeDNS]
REGEX = %ASA-\d-\d{6}.*[/(]53[)\s]
DEST_KEY = queue
FORMAT = nullQueue

props.conf

[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
TRANSFORMS-asa_toss_dns = removeDNS

[cisco:asa]
KV_MODE = auto
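To make the ordering problem the two answers describe concrete, here is a small Python model of the index-time routing, added here as an illustration; it is not code from the thread, from Splunk, or from the add-on. It assumes the behaviour the answers state (a props stanza is chosen once, on the sourcetype the input assigned, so transforms listed under the renamed `[cisco:asa]` stanza are never consulted), applies the transforms of a stanza in the order they are listed, and runs the three `transforms.conf` regexes from the thread over constructed sample syslog lines. The function names `apply_transform`, `route`, `dropped` and `kept_sourcetypes` are hypothetical. Besides showing why the original filter never fires, it also shows the risk in the first regex that beatus and bwooden both flagged: placed under `[syslog]` unchanged, `[/(]53[)\s]` would silently drop non-ASA syslog events that merely contain `/53 `.

```python
import re

# Constructed sample events (not real device output). Two are Cisco ASA
# connection messages; the third comes from another syslog source whose
# interface name happens to contain "/53 ".
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 fw01 %ASA-6-302015: Built outbound UDP connection 10 "
    "for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.0.0.5/51523 (10.0.0.5/51523)",
    "Jan 10 12:00:02 fw01 %ASA-6-302013: Built outbound TCP connection 11 "
    "for outside:93.184.216.34/443 (93.184.216.34/443) to inside:10.0.0.5/40000 (10.0.0.5/40000)",
    "Jan 10 12:00:03 sw01 %LINK-3-UPDOWN: Interface GigabitEthernet0/53 changed state to down",
]

# transforms.conf stanzas from the thread, expressed as dicts.
FORCE_ASA = {"REGEX": r"%ASA-\d-\d{6}",
             "DEST_KEY": "MetaData:Sourcetype", "FORMAT": "sourcetype::cisco:asa"}
REMOVE_DNS_BROAD = {"REGEX": r"[/(]53[)\s]",
                    "DEST_KEY": "queue", "FORMAT": "nullQueue"}
REMOVE_DNS_SPECIFIC = {"REGEX": r"%ASA-\d-\d{6}.*[/(]53[)\s]",
                       "DEST_KEY": "queue", "FORMAT": "nullQueue"}

# props.conf: the transforms each sourcetype stanza lists, in order.
PROPS_ORIGINAL = {"syslog": [FORCE_ASA], "cisco:asa": [REMOVE_DNS_BROAD]}
PROPS_FIXED = {"syslog": [FORCE_ASA, REMOVE_DNS_SPECIFIC], "cisco:asa": []}


def apply_transform(event, transform):
    """Apply one index-time transform: test REGEX against _raw and, on a
    match, write FORMAT into the field named by DEST_KEY."""
    if not re.search(transform["REGEX"], event["_raw"]):
        return event
    if transform["DEST_KEY"] == "MetaData:Sourcetype":
        event["sourcetype"] = transform["FORMAT"].split("::", 1)[1]
    elif transform["DEST_KEY"] == "queue":
        event["queue"] = transform["FORMAT"]
    return event


def route(raw, props, input_sourcetype="syslog"):
    """Model (an assumption matching the answers above) of how one event is
    routed: the props stanza is selected once, on the sourcetype assigned by
    the input, and a rename inside a transform does not re-select it."""
    event = {"_raw": raw, "sourcetype": input_sourcetype, "queue": "indexQueue"}
    for transform in props.get(input_sourcetype, []):
        apply_transform(event, transform)
    return event


def dropped(props, events=SAMPLE_EVENTS):
    """Indices of the events that would be sent to nullQueue under `props`."""
    return [i for i, raw in enumerate(events) if route(raw, props)["queue"] == "nullQueue"]


def kept_sourcetypes(props, events=SAMPLE_EVENTS):
    """Final sourcetype of every event under `props`."""
    return [route(raw, props)["sourcetype"] for raw in events]


if __name__ == "__main__":
    # Original config: the filter lives under [cisco:asa], which is never consulted.
    print("original config drops:", dropped(PROPS_ORIGINAL))
    # Fixed config: only the ASA event that mentions port 53 is discarded.
    print("fixed config drops:", dropped(PROPS_FIXED))
    # Broad regex moved to [syslog] as-is: the switch event is lost as collateral.
    print("broad regex under [syslog] drops:", dropped({"syslog": [FORCE_ASA, REMOVE_DNS_BROAD]}))
```

Run it with a few lines copied from your own syslog feed in place of the constructed samples before committing a nullQueue rule; events routed to nullQueue are gone for good, so the check worth doing is that the regex matches only the class of event you intend to discard.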

TheFrunkster
Explorer

I know it has been a while since this answer was posted. The issue was as I suspected and as you guys answered. But I wanted to let you guys know that it worked like a charm. Thanks very much for your help regarding this issue.

0 Karma

aaraneta_splunk
Splunk Employee

@TheFrunkster - Glad to hear that the help provided by beatus and bwooden helped resolve this issue. Please don't forget to resolve this post by clicking "Accept" and upvoting anything that was helpful to you.

0 Karma