Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Best practice for using syslog (Cisco ASA en others) from forwarder (Kiwi Deamon)

Starlette
Contributor
‎03-28-2010 02:59 PM

Hai There,

I am dealing with a forwarder to indexer which is reading a kiwi directory with several types of devices. Mainly Cisco router/swithes ASA's and Cisco FW modules, also some other stuff. Events are flowing in with sourcetype as the orig filename.

I extacted the hosts with hostoverides, and overided some sourcetypes ( asa, pix etc)

Question is :

What is Field extracted for syslog and Cisco_syslog, I am now using overiding in index time but looks like I am re-ineventing the wheel for syslog (cisco)syslog) Are those default extractions somewhere in the install?

Cheers Dutchy

Tags (1)
Reply

Starlette
Contributor
‎03-29-2010 04:27 PM

Hai BunnyHop,

Thanks,

For somme reason I overlooked this DIR, now it make sense that there are no extractions for Cisco ( exept in the security ap) Cisco_syslog is using :

[syslog-extractions] REGEX = \s([^\s[]+)(?:[(\d+)])?:\s FORMAT = process::$1 pid::$2

Thats it,,,I am already using the security app for asa and FWSM, but have to reinent the wheel for router/switch logs can you share what you have sofar btw? thanks, Dutchy

0 Karma
Reply

BunnyHop
Contributor
‎03-29-2010 02:57 PM

You will find the extractions that the Cisco_Syslog sourcetype is using on the default folder:

%SPLUNK%\etc\system\default\

files are props.conf and transforms.conf

These are basis extractions. There are Cisco apps that does additional extractions, but it will probably be compatible with the newer devices, rather than the older ones. So if you have PIX, that app won't help you.

http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+for+Cisco+Security

I have created my own inline extractions using regex. If you want to do the same, you would create them on the local folder. The settings in this folder takes precedence over the default.

%SPLUNK%\etc\system\local\

Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...