CISCO_ESA

Engager

Hi,

I have installed the Splunk_CiscoSecuritySuite and the Splunk_CiscoIronportEmailSecurity.

The problem is that I'm not getting any data with sourcetype=cisco_esa. I have the following in inputs.conf:

# regular syslog
[udp://514]
disabled = false
sourcetype = syslog
connection_host = dns

# ironport syslog
[udp://192.168.1.200:514]
disabled = false
host = 192.168.1.200
sourcetype = cisco_esa
connection_host = dns

However, data from host 192.168.1.200 is being indexed with the [udp://514] index and not the [udp://192.168.1.200:514].

What do I have to change to have it recorded with the sourcetype=cisco_esa?

Thanks a lot,
-- Xavier

Splunk Employee

See below from inputs.conf: the first stanza is going to pick it up, since the remote server is empty, and only one stanza per port number is currently supported. You could override the sourcetype on a per-event basis using a regex. See this link: http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

You could also change the port number.

[udp://<remote server>:<port>]
* Similar to TCP, except that it listens on a UDP port.
* Only one stanza per port number is currently supported.
* Configure Splunk to listen on a specific port.
* If <remote server> is specified, the specified port will only accept data from that server.
* If <remote server> is empty - [udp://<port>] - the port will accept data sent from any server.
* Will generate events with source set to udp:portnumber, for example: udp:514
* If sourcetype is unspecified, will generate events with set sourcetype to udp:portnumber

Engager

Hi,

It works like a charm! I didn't know that only one stanza per port number was currently supported; I expected it to take the most specific one.

I've followed the examples and I've done it like this:

transforms.conf:

[cisco_esa_parser]
# MachineName below stands for the ESA host name as it appears in the syslog header
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(MachineName)[\w\.\-]*\]?\s
FORMAT = sourcetype::cisco_esa
DEST_KEY = MetaData:Sourcetype

props.conf:

[source::udp:514]
TRANSFORMS-changesourcetype = cisco_esa_parser

Thanks for your help,

-- Xavier

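To check how the override behaves before deploying it, here is an added Python stand-in (not from the thread and not Splunk code) that applies the same regex to a few constructed syslog events arriving on the shared udp:514 input. It assumes the ESA host name is esa01 in place of MachineName, and models the TRANSFORMS rule on [source::udp:514] as a simple search-and-assign.

```python
import re

# Constructed stand-in for the ESA host name; replace with the host name
# the appliance actually writes into its syslog header.
ESA_HOST = "esa01"

# Same pattern as the transforms.conf REGEX above, with MachineName -> ESA_HOST.
# It anchors on the seconds field of the timestamp, optionally skips a PID or a
# facility.severity token, then requires the ESA host name (bare or bracketed,
# short or fully qualified) in the syslog host position.
ESA_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*"
    r"\[?(" + re.escape(ESA_HOST) + r")[\w\.\-]*\]?\s"
)


def assign_sourcetype(event: str, source: str = "udp:514") -> str:
    """Model TRANSFORMS-changesourcetype on the [source::udp:514] stanza.

    Events on udp:514 whose host field is the ESA get sourcetype cisco_esa;
    everything else keeps the input's default sourcetype, syslog.
    """
    if source == "udp:514" and ESA_REGEX.search(event):
        return "cisco_esa"
    return "syslog"


# Constructed sample events as they would arrive on the shared UDP 514 input.
SAMPLE_EVENTS = [
    "Jan 10 12:34:56 esa01 Info: MID 1001 ICID 77 From: <alice@example.com>",
    "Jan 10 12:34:57 esa01.example.com Info: MID 1001 Subject 'Invoice'",
    "Jan 10 12:34:58 local4.notice esa01 Info: Delivery start MID 1001",
    "Jan 10 12:34:59 fw01 kernel: inbound drop 198.51.100.7 -> 192.0.2.10:25",
    "Jan 10 12:35:00 web01 sshd[4211]: Accepted publickey for deploy",
]


def classify(events: list[str]) -> list[str]:
    """Return the sourcetype each event would be indexed with."""
    return [assign_sourcetype(ev) for ev in events]


if __name__ == "__main__":
    for ev, st in zip(SAMPLE_EVENTS, classify(SAMPLE_EVENTS)):
        print(f"{st:10s} {ev[:60]}")
```

Only the host position is matched, so an ESA host name mentioned later in another host's message body does not flip that event to cisco_esa.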