Hi, I have installed the Splunk_CiscoSecuritySuite and the Splunk_CiscoIronportEmailSecurity.
The problem is that I'm not getting any data with the sourcetype=cisco_esa, I have the following in the inputs.conf:
# regular syslog: catch-all listener on UDP 514
[udp://514]
disabled = false
sourcetype = syslog
connection_host = dns

# ironport syslog: listener meant to take only the ESA's traffic
[udp://192.168.1.200:514]
disabled = false
host = 192.168.1.200
sourcetype = cisco_esa
connection_host = dns
However, data from host 192.168.1.200 is being indexed with the [udp://514] index and not the [udp://192.168.1.200:514].
What do I have to change to have it recorded with the sourcetype=cisco_esa?
Thanks a lot,
-- Xavier
See below from inputs.conf: the first stanza is going to pick it up, since the remote server is empty and only one stanza per port number is currently supported. You could override the sourcetype on a per-event basis using a regex. See this link - http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides
You could also change the port number.
[udp://<remote server>:<port>]
* Similar to TCP, except that it listens on a UDP port.
* Only one stanza per port number is currently supported.
* Configure Splunk to listen on a specific port.
* If <remote server> is specified, the specified port will only accept data from that server.
* If <remote server> is empty - [udp://<port>] - the port will accept data sent from any server.
* Will generate events with source set to udp:portnumber, for example: udp:514
* If sourcetype is unspecified, will generate events with sourcetype set to udp:portnumber
Hi,
It works like a charm! I didn't know that only one stanza per port number was currently supported; I expected it to take the most specific.
I've followed the examples and I've done it like this:
transforms.conf:
[cisco_esa_parser]
# MachineName stands for the ESA's host name as it appears in the syslog header;
# the backslashes before [ ] and . are part of the regex and must be kept
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(MachineName)[\w.-]*\]?\s
FORMAT = sourcetype::cisco_esa
DEST_KEY = MetaData:Sourcetype
props.conf:
[source::udp:514]
TRANSFORMS-changesourcetype = cisco_esa_parser
Thanks for your help,
-- Xavier
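An added example, not code from the thread or from Splunk, that lets you check the per-event sourcetype override suggested in the answer and implemented in the last post before restarting Splunk: it pulls the [cisco_esa_parser] stanza out of a constructed transforms.conf, compiles its REGEX with Python's re module (close enough to Splunk's PCRE for this pattern), and runs it over constructed syslog lines to show which events arriving on udp:514 keep sourcetype=syslog and which are relabelled cisco_esa. The ESA host name "esa01" is an assumption standing in for the thread's "MachineName" placeholder, and the sample log lines are made up for the demonstration.

```python
"""Offline check of a Splunk transforms.conf sourcetype override.

Added example, not code from the thread or from Splunk. The ESA host name
"esa01" is an assumption (the thread uses the placeholder "MachineName").
"""
from __future__ import annotations

import re
from configparser import ConfigParser
from typing import List, Tuple

# Constructed transforms.conf in the thread's shape, assumed host name esa01.
TRANSFORMS_CONF = r"""
[cisco_esa_parser]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(esa01)[\w.-]*\]?\s
FORMAT = sourcetype::cisco_esa
DEST_KEY = MetaData:Sourcetype
"""

# Sourcetype the [udp://514] input assigns before any transform runs.
INPUT_SOURCETYPE = "syslog"

# Constructed events as they would arrive on udp:514: BSD syslog header,
# optionally with a facility.severity token and a bracketed host name.
SAMPLE_EVENTS = [
    "Jan 10 12:34:56 esa01 mail_logs: Info: New SMTP ICID 12345 interface Data1 (192.0.2.10) address 198.51.100.7",
    "Jan 10 12:34:57 local0.info [esa01.example.com] mail_logs: Info: MID 777 ICID 12345 From: <alice@example.net>",
    "Jan 10 12:35:01 web01 sshd[2201]: Accepted publickey for deploy from 192.0.2.44 port 51022 ssh2",
    "Jan 10 12:35:02 web02 cron[9]: (root) CMD (/usr/local/bin/poll esa01)",
]


def load_transform(conf_text: str, stanza: str) -> Tuple[re.Pattern[str], str]:
    """Return (compiled REGEX, target sourcetype) for one transforms.conf stanza.

    re.error raised here means the REGEX would not compile: fix it before
    deploying. Only '=' is a delimiter so the ':' inside values survives.
    """
    parser = ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(conf_text)
    section = parser[stanza]  # ConfigParser lower-cases option names
    if section["dest_key"] != "MetaData:Sourcetype":
        raise ValueError(f"{stanza}: DEST_KEY must be MetaData:Sourcetype")
    fmt = section["format"]
    if not fmt.startswith("sourcetype::"):
        raise ValueError(f"{stanza}: FORMAT must be sourcetype::<name>")
    return re.compile(section["regex"]), fmt[len("sourcetype::"):]


def assign_sourcetype(raw_event: str, pattern: re.Pattern[str], override: str) -> str:
    """Mimic props.conf [source::udp:514] TRANSFORMS-changesourcetype: the
    event keeps the input's sourcetype unless the stanza's REGEX matches _raw."""
    return override if pattern.search(raw_event) else INPUT_SOURCETYPE


def classify(events: List[str]) -> List[str]:
    """Sourcetype each event received on udp:514 would end up with."""
    pattern, override = load_transform(TRANSFORMS_CONF, "cisco_esa_parser")
    return [assign_sourcetype(event, pattern, override) for event in events]


if __name__ == "__main__":
    for sourcetype, event in zip(classify(SAMPLE_EVENTS), SAMPLE_EVENTS):
        print(f"{sourcetype:10s} {event[:70]}")
```

The first two lines are relabelled cisco_esa (the second one shows the regex tolerating a facility.severity prefix and a bracketed FQDN), the two Linux lines stay syslog, and the last line shows that the host name appearing later in the message is not enough, because the regex is anchored on the timestamp's seconds field. One caveat worth keeping in mind: this override only inspects the host name string inside the event, so any sender that writes that name into its syslog header is classified as cisco_esa; the other option the answer gives, a dedicated port for the ESA, ties the sourcetype to the listener instead.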