I'm bringing in Cisco router logs via syslog and using the TA-Cisco_ios add-on. I have some flaky log entries that I've massaged as much as I can when bringing them in, and now have to set the host from the log data. My logs look like:
Apr 24 14:07:28 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:30.191 EDT: **Entry found in cache**
Apr 24 14:07:18 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:20.095 EDT: CDP-PA: version 2 packet sent out on Multilink1
Apr 24 14:06:41 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:47:44.175 EDT: BGP: topo global:VPNv4 Multicast:base Scanning routing tables
Apr 24 14:06:22 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:47:24.963 EDT: CDP-PA: version 2 packet sent out on Multilink1
My props.conf looks like:
#Define hostname
[sourcetype::cisco:ios]
TRANSFORMS-obfuscated-0-gw = define_host
and transforms.conf looks like:
[define_host]
REGEX = ^(?:[^ \n]* ){4}([^:]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
Can someone tell me where to go from here? That regex pulls the hostname according to regex101.
I believe you need to change sourcetype::cisco:ios to cisco:ios in your props.conf
That did it for the most part, thanks! It's bringing in a couple more values for the host field, but that's probably due to my regex.
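To see why a loose `[^:]+` capture can pull extra values into the host field, here is an added Python check (not from the thread) that runs the posted REGEX and a stricter variant over constructed sample events. The third event and STRICT_REGEX are assumptions standing in for the "flaky" entries, not data from the post.

```python
import re

# Constructed sample events (not from the post). The last one carries no
# hostname token, which is the kind of entry that skews the host field.
SAMPLE_EVENTS = [
    "Apr 24 14:07:28 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:30.191 EDT: **Entry found in cache**",
    "Apr 24 14:07:18 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:20.095 EDT: CDP-PA: version 2 packet sent out on Multilink1",
    "Apr 24 14:06:41 172.30.9.224 %SYS-5-CONFIG_I: Configured from console by vty0",
]

# REGEX from the posted transforms.conf: skip four space-delimited tokens,
# then capture everything up to the first colon.
POSTED_REGEX = re.compile(r"^(?:[^ \n]* ){4}([^:]+)")

# Stricter alternative (an assumption, not from the post): the fifth token
# must look like a hostname and be immediately followed by ": ".
STRICT_REGEX = re.compile(r"^(?:\S+ ){4}([A-Za-z0-9][A-Za-z0-9.-]*): ")


def extract_host(event, regex=POSTED_REGEX):
    """Return the host value a transform with this REGEX would set, or None.

    None means the transform does not fire and Splunk keeps the host it
    already assigned (here, the syslog sender's IP).
    """
    m = regex.match(event)
    return m.group(1) if m else None


def audit_hosts(events, regex=POSTED_REGEX):
    """Count how many events each distinct host value would get.

    Unmatched events are counted under None. Reviewing this table before
    deploying the transform shows which non-hostname tokens would leak
    into the host field.
    """
    counts = {}
    for ev in events:
        h = extract_host(ev, regex)
        counts[h] = counts.get(h, 0) + 1
    return counts


if __name__ == "__main__":
    print("posted regex :", audit_hosts(SAMPLE_EVENTS))
    print("strict regex :", audit_hosts(SAMPLE_EVENTS, STRICT_REGEX))
```

With the posted regex the message-only event yields a bogus host of `%SYS-5-CONFIG_I`; with the stricter pattern the transform simply does not fire for it.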