Splunk Add-on for Cisco ASA: How to edit my configurations to filter events I do not want in local files?

Explorer

This seems to be a common and easy problem to resolve, but I can't seem to get to the right answer.

Recently I installed the "Splunk Add-on for Cisco ASA" in my environment's indexers and search heads. Data from several syslog sources is received by my universal forwarder and sent over to my indexers.

The ASA data is coming in as sourcetype syslog. The add-on's default props.conf and transforms.conf take care of renaming the sourcetype to cisco:asa.

This is the relevant section of the add-on's default props.conf file:

[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm

[cisco:asa]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = false
KV_MODE = auto

Relevant section of the default transforms.conf file:

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d-\d{6}
FORMAT = sourcetype::cisco:asa

The configuration shown above works fine. However, when I apply filtering of events I do not want in the local files, it does not work.

Local props.conf file:

[cisco:asa]
TRANSFORMS-ASA_filters = removeDNS

Local transforms.conf file:

[removeDNS]
REGEX = [/(]53[)\s]
DEST_KEY = queue
FORMAT = nullQueue

I have used configurations similar to these before. I just can't explain why the filtering does not happen. I can only think the sourcetype is still syslog when the filter needs to be applied.

Any help on this issue will be extremely appreciated.

Regards,
Frunkster

1 Solution

SplunkTrust

TheFrunkster,

I suspect you have to do your filtering at the syslog sourcetype, before the sourcetype rename. I'd recommend making the regex for [removeDNS] a bit more specific to the ASA logs then migrate the TRANSFORMS to [syslog].


Splunk Employee

Beatus is right. Your sourcetype is transforming after the nullQueue routing. You should be able to resolve by making the nullQueue routing regex more specific and moving it to the source stanza in props. Something like this...

transforms.conf

[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d-\d{6}
FORMAT = sourcetype::cisco:asa

[removeDNS]
REGEX = %ASA-\d-\d{6}.*[/(]53[)\s]
DEST_KEY = queue
FORMAT = nullQueue

props.conf

[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
TRANSFORMS-asa_toss_dns = removeDNS

[cisco:asa]
KV_MODE = auto
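To make the pipeline-ordering point above concrete, here is an added example (not part of this thread and not code from the Splunk Add-on for Cisco ASA) that models how Splunk selects a props.conf stanza at index time: the stanza is chosen from the sourcetype the event carries when parsing starts, so a TRANSFORMS-* setting under [cisco:asa] never runs for an event that arrived as syslog, even though a transform in the same pass renames it. The script parses the three props.conf variants discussed (the poster's original layout, the loose regex simply moved to [syslog], and bwooden's ASA-specific version), runs them over constructed sample events, and reports which sourcetype and queue each event ends up with. The sample events, the `removeDNS_loose` stanza name and the simulator itself are assumptions made for this demo; the ASCII ordering of TRANSFORMS-<class> settings and the transform stanzas are taken from the thread and Splunk's props.conf behaviour.

```python
"""Model of Splunk index-time TRANSFORMS selection (added example, not from the thread)."""
import configparser
import re

# Constructed sample events (not captured data).
EVENTS = [
    # ASA UDP/53 connection: the one the poster wants to drop
    "%ASA-6-302015: Built outbound UDP connection 4711 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    # ASA TCP/443 connection: must be kept
    "%ASA-6-302013: Built outbound TCP connection 4712 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.0.0.5/51235 (10.0.0.5/51235)",
    # ASA mDNS on 5353: must be kept; '[/(]53[)\\s]' needs ')' or whitespace right after '53'
    "%ASA-6-302015: Built outbound UDP connection 4713 for outside:224.0.0.251/5353 (224.0.0.251/5353) to inside:10.0.0.5/5353 (10.0.0.5/5353)",
    # Non-ASA syslog that happens to contain '/53 ': must never be dropped
    "sudo: ops : TTY=pts/53 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/ls",
]

# Transform stanzas from the thread; 'removeDNS_loose' is an assumed name for the poster's original regex.
TRANSFORMS_CONF = r"""
[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d-\d{6}
FORMAT = sourcetype::cisco:asa

[removeDNS_loose]
REGEX = [/(]53[)\s]
DEST_KEY = queue
FORMAT = nullQueue

[removeDNS]
REGEX = %ASA-\d-\d{6}.*[/(]53[)\s]
DEST_KEY = queue
FORMAT = nullQueue
"""

# The poster's original layout: the filter hangs off the renamed sourcetype.
PROPS_BROKEN = """
[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa

[cisco:asa]
TRANSFORMS-ASA_filters = removeDNS_loose
"""

# Loose regex moved to [syslog] without tightening: fires, but also eats unrelated syslog.
PROPS_LOOSE = """
[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa
TRANSFORMS-asa_toss_dns = removeDNS_loose
"""

# bwooden's layout: ASA-specific regex attached to [syslog].
PROPS_FIXED = """
[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa
TRANSFORMS-asa_toss_dns = removeDNS
"""


def load_conf(text):
    """Parse a .conf file: keys stay case-sensitive and '%' is not interpolated."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def transforms_for(props, sourcetype):
    """Transform names Splunk runs for this stanza: TRANSFORMS-<class> settings in
    ASCII order of <class>, names inside one setting in listed order."""
    stanza = props.get(sourcetype, {})
    names = []
    for key in sorted(k for k in stanza if k.startswith("TRANSFORMS-")):
        names.extend(n.strip() for n in stanza[key].split(","))
    return names


def route(event, sourcetype, props, transforms):
    """Run index-time transforms for one event; return (sourcetype, queue).

    The stanza is picked once, from the sourcetype the event has on entry. A
    transform that rewrites MetaData:Sourcetype changes the stored value but does
    not make the [new-sourcetype] stanza's TRANSFORMS run in the same pass."""
    queue = "indexQueue"
    for name in transforms_for(props, sourcetype):
        t = transforms[name]
        if not re.search(t["REGEX"], event):
            continue
        if t["DEST_KEY"] == "MetaData:Sourcetype":
            sourcetype = t["FORMAT"].split("::", 1)[1]
        elif t["DEST_KEY"] == "queue":
            queue = t["FORMAT"]
    return sourcetype, queue


def run(props_text, events=EVENTS, incoming_sourcetype="syslog"):
    """Route every sample event through the given props.conf text."""
    props = load_conf(props_text)
    transforms = load_conf(TRANSFORMS_CONF)
    return [route(e, incoming_sourcetype, props, transforms) for e in events]


if __name__ == "__main__":
    for label, props in (("broken", PROPS_BROKEN), ("loose", PROPS_LOOSE), ("fixed", PROPS_FIXED)):
        print(label)
        for ev, (st, q) in zip(EVENTS, run(props)):
            print(f"  {st:10} {q:10} {ev[:60]}")
```

Running it shows the three behaviours side by side: with the poster's layout the UDP/53 event is renamed to cisco:asa but still reaches indexQueue; with the loose regex under [syslog] the ASA DNS event is dropped, but so is the unrelated sudo line; with the ASA-specific regex under [syslog] only the ASA DNS event goes to nullQueue, while the TCP/443 and mDNS/5353 events and the sudo line are kept.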

Explorer

I know it has been a while since this answer was posted. The issue was as I suspected and as you guys answered. But I wanted to let you guys know that it worked like charm. Thanks very much for your help regarding this issue.


Splunk Employee

@TheFrunkster - Glad to hear that the help provided by beatus and bwooden helped resolve this issue. Please don't forget to resolve this post by clicking "Accept" and upvoting anything that was helpful to you.
