Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Are there performance implications of using props....
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm new to Splunk and have installed the Enterprise trial on Windows and pointed two Cisco ASA firewalls at it. Logs are coming through fine and I've used props.conf and transforms.conf to tag them with an appropriate Index and SourceType.
props.conf
[host::192.168.5.2]
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa
[host::192.168.6.2]
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa
transforms.conf
[set_index_firewall_cisco_asa]
DEST_KEY = _MetaData:Index
FORMAT = firewall_cisco
REGEX = .
[set_sourcetype_firewall_cisco_asa]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:asa
REGEX = .
My question is about the scaleability of my configuration. It seems a little clunky to have to edit the config in the way that I have for each and every device I want Splunk to retrieve the logs of over the deafult TCP Syslog port. (I'm assuming I will want a different Index and SourceType for each device type).
Is there a performace hit with the config I have used (if so, is it big enough to worry about)?
Can anyone suggest a better way of achieving what I want?
Thanks : )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
An easier method, as opposed to doing this for each host is to use in your regex %ASA which is included in every cisco asa event. Then in your props.conf you can just use :
[source::udp:514] (assuming you are receiving the data straight from syslog
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa
Then you won't have to configure it for each and every firewall, it will only apply to syslog data that contains the string %ASA in it. Also, will be more efficient, since your regex is more specific than "."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
An easier method, as opposed to doing this for each host is to use in your regex %ASA which is included in every cisco asa event. Then in your props.conf you can just use :
[source::udp:514] (assuming you are receiving the data straight from syslog
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa
Then you won't have to configure it for each and every firewall, it will only apply to syslog data that contains the string %ASA in it. Also, will be more efficient, since your regex is more specific than "."
Splunk Mobile: Your Brand-New Home Screen
Introducing Value Insights (Beta): Understand the Business Impact your organization ...
Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...
